The Domain Name System was developed more than 30 years ago as a way to ensure that the brilliant network we now know as the Internet could scale and see adoption. Before the DNS existed, Internet users would need to remember the IP address for every website on the Internet. Research has shown that seven digits tends to be the capacity for human memory (think phone numbers, sans area code) and IP addresses can be twelve — more now with IPv6. The DNS is part of the Internet’s infrastructure, earning it the somewhat unflattering analogy of the plumbing of the Internet. But in truth, its primary role has traditionally been that.

Recently ICANN, the global body that oversees the Internet and authors its policies, announced a plan to make available a throng of new top-level domains. Preexisting TLDs include .com, .net, .org, .co.uk, among many others. Twenty-two in total. The new ones are seemingly designed primarily to help businesses and spur economic activity. The new domains can be grouped into two classifications:

- .xxx: Designated for websites that include pornographic content as a way to easily differentiate them from non-pornographic sites.

- Generic TLDs, or “gTLDs”: Basically turns any brand or term into its own TLD. .Pepsi, .Apple, .Football or .Money, for example.

The release of both new groups of TLDs raises interesting issues for OpenDNS. Today we are the largest recursive DNS provider in the world, with more than 30 million people using our service. (Nearly doubling our traffic in the past 1.5 years.) We’re the innovator in the DNS space, as we introduced the concept of building security directly into the Domain Name System. Phishing protection came first, followed by typo-correction that helps people route around typo-squatting. Then Conficker protection and most recently, the most game-changing malware-blocking service, available to users to OpenDNS Enterprise.

But as we’ve seen countless times, with more ground to cover comes more fraud and crime. Many critics of ICANN’s move to add more domains see the potential for more:

- Cyber squatting, which is the practice of registering a domain using a trademarked brand that doesn’t belong to you. Highly annoying to Internet users and costly to brands.

- Typo squatting, which is like cyber squatting, but using a typo’d variation of the trademarked brand. Also highly annoying to Internet users and costly to brands.

- And generally more cyber crime and confusion among Internet users created by a change to the way domains are structured.

We’ve often said that the bad guys on the Internet tend to be one step ahead of the good guys, making the task of delivering an effective security service both very challenging and in a constant state of evolution. So when supporters of ICANN’s move argue that ICANN has no intention of allowing the new domains to act as a platform for crime, we can appreciate the perspective, but have little confidence that will ultimately be the case. Cyber squatting and cyber crime account for more than $1B in revenue annually, and when that kind of money is at stake, the bad guys find a way to be effective. Scott Pinzon, director of marketing and outreach at ICANN offers the perspective that, “new gTLDs represent a platform for innovation.” And goes on to say, “no one can predict what smart people will do with them. Lots of new business models will be invented. Some will work. Some won’t.” We agree with Scott, but also have a front row seat to the counterpart, sophisticated criminal activity that follows innovation.

Some of you will remember when the country of Cameroon was opportunistically assigned the .cm TLD and wildcarded all .cm domains. The country made a nice profit, but it confused masses of Internet users who’d accidentally made a typo when trying to get to a .com. We acted swiftly and delivered a feature that automatically redirected you to .com when you typed .cm.

In relation to the recent ICANN changes, there’s a great deal we can do as your DNS service to help ensure the Internet remains a safe place for you and yours to browse. It’s unclear at this point how successful these new domains will be and how much traction they’ll see, especially because at an upfront fee of $185k, the new gTLDS are not accessible to everyone.

Have thoughts on the topics above? Agree, or passionately disagree? Predictions for what kind of repercussions the Internet will see? We’d love to hear them in the comments.

How to Block .xxx Using OpenDNS:

In the immediate term, users of OpenDNS services with content filtering that want to block all .xxx domains on their networks can follow a few simple steps. Simply locate your “always block” or blacklist and add “xxx” (without the dot). Hit save and the change will take effect.

One of the many reasons more than 30 million people around the world choose OpenDNS is a feature called automatic typo correction.  It works by automatically redirecting common typos in top-level domains (.com, .net, .edu, etc.) to the right place, so if you type www.google.cmo, and that domain doesn’t exist, we just automatically take you to www.google.com.

Although this feature helps with a tremendous amount of typing mistakes and enables people to stay on-course online, an increasingly popular phenomenon called typosquatting means there are still typos we can’t fix, some of which are much more precarious than a dead end.  Typosquatting is what happens when someone registers a domain that’s nearly identical to that of a popular brand: Twtter.com and Twitter.com, for example. It banks on the idea that a fast-fingered typist may not notice that she’s arrived at the unintended site due to an omitted “i”. And since the typo exists in a real, registered domain, we don’t interfere.

Twtter.com is a particularly tricky example. In the case of this site, the typo — an omitted “i” — might not even be apparent at first glance.  The people who run this site are clearly trying to capture typo traffic destined for Twitter.com.  And regardless of the fact that the site has a URL redirect (the domain in the address bar changes after the site has been resolved), the blatant use of Twitter’s well-known design themes prove the site is aiming to fool people into thinking it’s the real website of Twitter.

Typosquatting is not new, but this sort of high-polish, branded version seems to be on the rise.  In the case of Twtter.com, the Twitter.com imposter, the site’s entire function is to get your contact information. A very appealing offer is presented to answer two survey questions and get what is, by all accounts, an awesome prize: an iPad2. It’s unclear what will happen with your personal information once it’s in the wrong hands — it could range anywhere from being used to send SMSs to your cell phone that you get charged for or simply selling your email address.

As with any online threat, protecting yourself and those people using the networks you manage starts with education.  Here are three tips for outsmarting typosquatting:

1. Use OpenDNS:  It’s the only service that will automatically correct common typos in TLDs, and help ensure you end up at the website you want.  OpenDNS solves a large portion of the problem, and also automatically blocks phishing websites.

2. Watch the address bar:  Legit websites rarely do redirections like Twtter.com does.  Keep an eye on what the site is doing and note suspicious redirects.  Also simply note the URL of the website you’re visiting after you’ve been taken there. Is the site the one you wanted? Did you make a typo?

3. Don’t share your personal information:  If a website offers you a chance to win a prize, simply for providing personal information or taking a survey, be skeptical.  You should never share your personal information online unless you’re on an extremely trusted website.

For businesses, schools and households alike, online safety is of the utmost importance. And it’s all about education.  Know what to look for and you can outsmart much of the bad stuff.  And use OpenDNS and tell others to do the same.

We’d love to hear your thoughts:  We’re considering an opt-in service that would let people avoid these kinds of unintended redirections.  Even in cases like that of Twtter.com, where technically it’s a real, registered website.  What do you think?  Would you use such a service?

At last week’s Workshop on the Economics of Information Security — an annual conference held at Harvard — new research (PDF) was presented showing the link between pornography and malicious online practices. When the study’s researchers surveyed adult websites, they found that many were aimed at “manipulating and misleading a visitor to perform actions that result in an economic profit” for the Web site. Free sites used these tactics 34 percent of the time, while paid sites used them 11 percent of the time. What types of tactics are we talking about? According to the study, methods include:

1. Javascript catchers that hijack the user’s browser, making it difficult to leave a site.
2. Blind and hidden links that prevent an address from being displayed in a web browser’s status bar. This can be used to mask malicious activities, like cross site scripting or cross site request forgery attempts.
3. Redirection scripts that redirect users to different websites. This occurs on a server, so there’s no way for a user to know it might happen until they click.
4. Malware that triggers malicious behavior including “code execution, registry changes, or executable downloads.”

In addition to misleading activity, the level of malware found on adult Web sites was surprising to the researchers too; almost 3.5 percent of adult websites had this type of behavior, compared with previous studies that found less than one percent as malicious. Spyware and Trojan downloads were the most popular types of malware.

The good news is, it’s simple to block adult content and pornography with OpenDNS. In a couple of steps, you can nip the issue in the bud by blocking content you know causes issues on your computer and network. To block adult content, navigate to the Settings page and select the network you wish to manage. You’ll then see a Choose Your Filtering Level option under Content Filtering. To block all adult content, make sure to block the following five categories: Adult themes, Nudity, Sexuality, Pornography, and Tasteless.

Since we already block malware for all OpenDNS users (Enterprise users get more comprehensive coverage), blocking pornography is just one more step you can take to protect users on your network from coming in contact with malicious tactics online.

Courtesy of Matt Marshall, I was asked to contribute an article to VentureBeat. You can read my article, “Why do we pay Internet Bad Guys?,” in its entirety over there or below. Matt has some really great stuff on VentureBeat, so go check it out!

Two weeks ago Auren wrote a dead-on post about the Black Hat Tax that really struck a chord with me. I’ve been paying the Tax for five years with my first company, EveryDNS, and for a few months now with my current start-up, OpenDNS. The problem has become much worse in the last few years. Why? Simply put, bad guys are getting paid. Moreover, the Tax is on users as much as its on businesses. Today we see phishing sites, malware and spyware sites growing at an astounding rate.

Consider the example I cite often when discussing the issue with friends: goggle.com (see image below; not providing a link, bad site), the site that might be the most insidious of all typo squatting and malware sites on the Internet. Goggle.com, an obvious typo of google.com, offers an anti-spyware product called SpyBouncer in addition to being filled with pop-up ads (nb: SpyBouncer claims the copyright on the bottom of goggle.com). The website makes a user believe that their computer is currently infected with spyware and that installing SpyBouncer will get rid of it. They say it’s free to try and the program conveniently finds spyware which it will remove for a price, of course.

Symantec and others all claim that this product is a total scam and that it neither detects nor repairs spyware with any accuracy. Thanks to the accidental traffic that lands on goggle.com by unsuspecting users, SpyBouncer has no incentive to make a good product, they can just fool a new batch of users everyday.

Why does a site like goggle.com exist? Because crime pays, but that’s hardly news. Why it doesn’t get shut down by its webhost (DataPipe) is a good question for another time. What I do want to know is… why is SpyBouncer allowed to run Google ads on its Web site (as they do on the top)? Why are these kinds of abusive software programs allowed to purchase AdWords campaigns luring even more users into this trap? Why is Revenue.net paying SpyBouncer to show ads on goggle.com? Why is Google accepting money from fraudulent advertisers which continues the cycle of malware and spyware? This is why users react so negatively to online advertising. It’s not the relevant and unoffensive advertising that they bemoan, it’s the scams and tricks the advertisers and advertising networks spread around the seedier neighborhoods of the Internet.

These kinds of abuse are pretty bad, but what bothers me more is that much of it is being facilitated by companies I respect and admire. People like Ben Edelman have done a lot of research showing the connections between companies like Yahoo and fraudulent advertising practices but that’s not enough. There are so many layers and levels of misdirection that it becomes hard to tell who is paying who and why. As the CEO of a company operating on the Internet, I’m spending money dealing with Internet bad guys who are getting paid to annoy me, my employees and my users. Everyone is wasting their time dealing with this crap while the folks in the money trail keep taking their cut and passing on the buck. When I asked my users what they thought about goggle.com I saw a nearly unanimous response of outrage and frustration. Hundreds of users spoke out on our corporate blog and on sites like Digg.com venting at the absurdity of a site like goggle.com.

It’s time that ad networks cleaned up their act and started being more transparent about fraud and abuse. It’s time security companies started fighting the causes of network abuse and not simply the symptoms. There will always be a Black Hat Tax but right now legitimate companies are making it more expensive. That has to stop.

Cameroon is at it again, wildcarding all of the .cm namespace so they can put advertisements up when you typo .com domains like http://www.google.cm. Since August 9, OpenDNS users have had the option to undo this change and decide how they want it handled. There is an option on our preferences page where you can decide how you want this dealt with for your computer or network.

As a reminder, if you do turn on .cm to .com wildcard filtering, all real .cm domains will still work!. That includes domains like airfrance.cm and others that we listed.

We don’t know why Cameroon (or its operator) is flip-flopping on this one, but I’d encourage you to turn this preference on and leave it on.

Earlier today, Cameroon (or the company acting on their behalf) turned off the wildcarding of non-registered domains within the .cm ccTLD. We’re still learning what’s going on, but at least for the moment, .cm domains resolve as they did before last Friday, August 4, 2006.

The OpenDNS preference introduced yesterday for filtering the .cm wildcarding still works, and will not disrupt any valid domain, whether or not wildcarding is active.

Cameroon, a country on the western coast of Africa recently decided to put a wildcard entry in .cm, their IANA assigned Country-Code Top Level Domain (ccTLD). CNET has a pretty good article covering what they did.

Around the blogosphere people have asked us what we could do to fix it for them. I'm annoyed we have to deal with this, but happy that users are starting to realize that they need the ability to manage their DNS as a part of managing their network. The Cameroonian ccTLD operators (or the business they've outsourced this service to) makes the argument that they are "helping you" find what you're looking for. If they wanted to help you they'd just correct .cm to .com for all domains that didn't exist in the .cm namespace, or do nothing at all.

Some users have asked us how many .cm domains there are and what they might be. We have published a complete list (as of yesterday) of all .cm domains. We've gone through and shown that for such a small ccTLD they've already had quite a few parked domains in their zone. This list is at the bottom of this post. (This data is all public information, don't worry.)

How to act

Decide for yourself how you want .cm to work. With OpenDNS, you have a choice.

• Already using OpenDNS? Head to the Account page.
• Not yet using OpenDNS? Take two minutes and Get Started today.

Mini FAQ

Are you going to show me ads just like the .cm operator does?

No! We're doing this because you shouldn't be punished or distracted because you forgot to type an 'o' when surfing the net. We will seamlessly correct the full URL for you with no ads, popups, or page in the middle. By enabling the feature you know exactly what's going to happen: google.cm is going to take you to google.com.

Will I still get to real .cm domains if I turn on .cm wildcard filtering?

Yes! We will not filter real .cm domains such as www.airfrance.cm and others. It should also be noted we've never filtered any real domains, even with typo correction. The only exception is phishing sites that you've asked us to block.

Will you do this for other wildcarded ccTLDs like .ws, .ph and .cd?

You tell us. We are offering the fix for .cm because our users appreciate that we transparently correct mistyped domains like google.cm to google.com. For other wildcarded ccTLDs, we'll be listening to our users and offering useful choices based on those requests.

What if there are new valid .cm domains? Will those work?

Of course!

What happens if I turn off typo-correction and turn on .cm wildcard filtering?

If you turn off typo correction and turn on .cm wildcard filtering you will get an RCODE=3 DNS response (commonly called NXDOMAIN) as if the wildcard didn't exist. In your browser you'd get the default behavior which is probably either an MSN search page on IE, or a "host not found" page with Firefox.

Again, if you are already using OpenDNS just head to the Account page or take two minutes and Get Started today.

A listing of all .cm domains

Legend

All domains in the Cameroon ccTLD “.cm”

(List accurate as of Tuesday, August 8, 2006)