VeriSign Redirects Unused Domains
UPDATED In a surprise move that has left network administrators fuming, VeriSign has added a wildcard DNS record to all .com and .net domains - redirecting all nonexistent Web addresses, as well as those without valid DNS entries, to a VeriSign search page.
The change, which VeriSign calls its "Site Finder" service, could also adversely affect e-mail spam filtering that relies on discarding messages from invalid hosts.
VeriSign recently acknowledged it was testing such a system internally, but made no announcements regarding its implementation plans. However, the company flicked the switch without warning on Monday, later posting a notice to the NANOG mailing list.
"Today VeriSign is adding a wildcard A record to the .com and .net zones," the message read. "The wildcard record in the .net zone was activated from 10:45AM EDT to 13:30PM EDT. The wildcard record in the .com zone is being added now."
Although VeriSign's Network Solutions arm no longer solely handles domain registrations, the company still controls all DNS records -- contained in "zone" files -- for .com and .net domains. Over eight billion DNS lookups go through VeriSign each day, 900 million of which are for nonexistent domains.
A document issued by VeriSign says Site Finder "improves the Web browsing experience when the user has submitted a query for a nonexistent second-level domain in the .com and .net top-level domains."
Instead of a user receiving a confusing error message for an invalid URL, Site Finder returns a Web page containing links to possible destinations and an Internet search, according to VeriSign.
Site Finder will also appear on registered domains that have no active DNS records.
But network administrators are not happy with Site Finder due to technical and moral concerns, and have already devised methods of bypassing the service. According to reports, some ISPs have blocked access to Site Finder's IP address.
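The failure mode described above (a wildcard record makes every nonexistent .com/.net name resolve, so a spam filter's "does the sender's host exist?" check stops working) and the kind of workaround administrators devised are illustrated by the following added Python example, which is not code from the article or from VeriSign. It probes random labels under a TLD to learn the wildcard answer and then treats any lookup returning that same answer as nonexistent; the resolver and the addresses (RFC 5737 documentation space) are constructed stand-ins, not Site Finder's real IP.

```python
import random
import string
from typing import Callable, Dict, FrozenSet, List, Optional

# A resolver maps a hostname to its A records, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[List[str]]]

def random_label(length: int = 12) -> str:
    """A label that will not exist; used only for wildcard probing."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))

def learn_wildcard(tld: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Resolve several random names under the TLD. If all of them answer with
    the same address set, that set is the zone's synthesised wildcard answer.
    An empty set means the TLD still returns NXDOMAIN for unknown names."""
    answers = set()
    for _ in range(probes):
        records = resolve(f"{random_label()}.{tld}")
        if not records:
            return frozenset()
        answers.add(frozenset(records))
    return answers.pop() if len(answers) == 1 else frozenset()

def naive_host_exists(hostname: str, resolve: Resolver) -> bool:
    """The check that breaks under a TLD wildcard: 'it resolved, so it exists'."""
    return bool(resolve(hostname))

def host_exists(hostname: str, resolve: Resolver,
                wildcards: Dict[str, FrozenSet[str]]) -> bool:
    """Existence check that discounts answers equal to the TLD's wildcard answer,
    restoring the pre-wildcard semantics (registered-but-unconfigured domains
    also come back as 'nonexistent', as they did before the change)."""
    records = resolve(hostname)
    if not records:
        return False
    wildcard = wildcards.get(hostname.rsplit(".", 1)[-1], frozenset())
    return not (wildcard and frozenset(records) == wildcard)

# Constructed resolver simulating a .com/.net wildcard; 192.0.2.1 is a placeholder.
WILDCARD_TARGET = "192.0.2.1"
REAL_HOSTS = {"example.com": ["192.0.2.10"], "mail.example.net": ["192.0.2.20"]}

def fake_wildcard_resolver(name: str) -> Optional[List[str]]:
    if name in REAL_HOSTS:
        return REAL_HOSTS[name]
    if name.endswith(".com") or name.endswith(".net"):
        return [WILDCARD_TARGET]      # every unknown .com/.net name "resolves"
    return None                       # other TLDs still give NXDOMAIN
```

Learning the wildcard once per TLD (and re-probing periodically) keeps the lookup cost of the corrected check equal to the naive one.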
VeriSign's move has raised the ire of security experts such as Steven Bellovin, Research Fellow at AT&T Labs.
"It's bad enough now; it could be even worse. They could respond on port 443, too, with a legitimate-seeming certificate -- they're VeriSign, the leading certificate authority," said Bellovin in a message to NANOG. "In the security world, we call this a man- (or monkey-)in-the-middle attack, for which the standard defense is crypto. But that doesn't work well when your trusted third party is part of the threat model."
Privacy issues are also of concern to many. VeriSign says it "actively monitors all traffic associated with Site Finder, including DNS queries matching the wildcard entries in .com and .net and associated responses, and all traffic sent to the response server."
Network administrators are not the only ones Site Finder is likely to upset. Microsoft and AOL have long relied on sending customers who mistype domains to a sponsored search page as a means of generating millions of dollars in additional revenue. Now, all such traffic will first be intercepted by VeriSign.
Microsoft, however, downplayed the potential effect Site Finder will have on its MSN business.
"VeriSign's decision to redirect traffic from misspelled queries does not significantly impact MSN Search because the amount of traffic driven to our site through mistyped Internet queries is minimal," an MSN spokesperson told BetaNews. "Our focus remains on generating traffic from satisfied and repeat consumers rather than counting on mistyped query traffic."
VeriSign has partnered with Overture to handle Site Finder search results, although the company has not said how much it expects to make from the deal. Without providing specific numbers, Microsoft says error traffic accounted for only a small segment of MSN revenue.
"VeriSign's decision has minimal impact on MSN revenue, because the bulk of our revenue does not come from redirected search queries," the spokesperson said.