By now, you’ve all seen the article entitled Windstream Quickly Fixes Google Toolbar Hijack. The jury is still out on what exactly happened there. From my earlier posts, you probably guessed that my reaction would be to support any approach that expanded the scope of network-based offerings. If you did, you guessed wrong. Of course, if you guessed that I would have a knee-jerk reaction to the use of the term “hijack,” you guessed right. Google doesn’t own all browser traffic any more than Windstream does, and any suggestion that they do is a proverbial jump ball (with users as the ball).
Should DPI (Deep Packet Inspection) or proxy devices be used to handle navigation requests? If the commentators are correct, proxying all navigation requests for redirection on an opt-out basis seems overly broad to me.
Nominum offers a DNS-based navigation assistance solution and service. To be clear, we offer something completely different from the redirection system suspected at Windstream. Our solution provides a rich policy layer within DNS, granular rule sets, white list capabilities and learning algorithms that are designed to make DNS responses and the user experience better, safer and more intelligent. In the beginning, we recognized the concern that DNS redirection may adversely impact applications, etc. We made a decision to enter the market because we knew we could do it right and offer large networks a technical solution that works, that’s non-intrusive to users and improves the overall network performance (vs. whatever other DNS solution they have installed). In fact, when network owners make the move to Nominum’s web error redirection solution, users actually enjoy a faster, more stable, and safer Internet service.
I say all of this because if the goal at Windstream was to handle web errors, inline DPI or proxy devices are not the right technologies for this purpose. Because DPI and proxies examine all traffic, whether or not a navigation request, these technologies are overly intrusive for a web error application. Such devices are almost certainly “overkill” from a networking perspective as well because of the obvious performance hurdles that must be overcome to be used in the network.
By contrast, DNS-based redirection is not intrusive, at least not the way Nominum does it. First of all, our solution is DNS based, which means it never sees traffic users send to web servers. Second, our solution does not redirect requests generated by client-side solutions (for example, toolbars). White lists provide additional protection of applications and our adaptive learning algorithms actually allow us to identify malicious traffic (more on this in a later column), something the other systems simply can’t do.
In the absence of any inline device, Nominum’s navigation assistance is available in a fast, reliable, and scalable platform. In contrast, a DPI box has to be on the critical path for traffic on a network and will become a source of delay and reliability problems. Of course, a modern router can divert traffic by port. This, though, begs the question of why you wouldn’t prefer an intelligent DNS server to handle DNS traffic rather than a quasi-DNS server in a DPI box (which is probably several steps back in the release and patch cycle of somebody else’s DNS)?
Proxying web traffic on an opt-out basis to get to web errors (or some superset of web errors) is not a useful service element and is not recommended by Nominum. And, from a network perspective, if the overall network stability or performance is adversely impacted by relying on DPI, intrusive technologies or poor DNS solutions as the foundation for a redirection service, such approaches may leave the network owner open to net neutrality complaints.
I will go out on a limb and say the “mistake” at Windstream was just that. It is not the smoking gun to justify legislation. In fact, users did a good job of voicing concern and Windstream quickly fixed the issue.
Millions of end users use Nominum’s solutions and services without complaints or issues. We’ve even worked with many large network owners to establish a general industry consensus of best practices in the web error redirection space. I’m not asking that anyone just blindly assume benevolence but most users find these services useful. At the same time, I don’t advocate burning Windstream in effigy. I’m not reaching for my pitchfork. It is possible to provide this class of service responsibly.
.tom
Dear Tom,
I was reading your article and I can say that I don’t think Windstream did that on purpose, but if they really did, they compromised a lot of private information, and it is normal that the users were mad.
I agree with you that all the DNS need to respond and make the user experience better, safer and more intelligent, but maybe other companies don’t have the knowledge that your company has and their principles regarding security and privacy are different.
But I suppose that it is good for Nominum to see other companies fall or have problems; that way you increase your security and trust in your product.
Sincerely,
Kate
Hi Kate,
Thank you so much for taking the time to comment. Please don’t hesitate to do so again in the future; I enjoy hearing from readers!
Best,
Tom