Who's the Worst DNS Provider?
by Ed Sawicki
Accelerated Learning Center
Tailored Computers
September 28, 2005
Many Internet sites, mail servers in particular, will deny you access unless your IP address resolves to a DNS name that in turn resolves back to the same IP address. The industry has informally given this technique a name - paranoid DNS checking. (Its more formal name is forward-confirmed reverse DNS.)
The technique is simple. I'll use fictitious addresses and names to illustrate the concept. Suppose your ISP assigned your computer the IP address 1.2.3.4. If you look up this address in the DNS (a reverse, or PTR, lookup) it resolves to the name 4.3.2.1.isp.net. If you then look up this name in the DNS (a forward, or A, lookup) it resolves to the address 1.2.3.4. The addresses match - all is OK.
If the address 1.2.3.4 resolves to 4.3.2.1.isp.net but 4.3.2.1.isp.net resolves to 2.3.4.5, that's a problem. An Internet site may think you're an attacker (that you've hijacked an IP address) and deny you access. Frequently, this is a mistake caused by an ISP's software or DNS administrator. The fix is simple - the DNS must be changed so that the PTR record for the address and the A record for the name agree - a one or two minute job if done by someone well-versed in DNS.
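The check described above, written out as an added example (this is not code from the original article). The two "zones" are constructed dictionaries that mirror the article's fictitious 1.2.3.4 / 4.3.2.1.isp.net scenario so the script runs offline; the broken case is the article's, shifted to 1.2.3.5 so both outcomes fit in one zone. The `system_ptr` and `system_forward` functions show how the same check would be wired to the real OS resolver, and are assumptions about deployment rather than anything the article specifies.

```python
"""Forward-confirmed reverse DNS ("paranoid DNS checking") - added example."""
import ipaddress
import socket

# Constructed reverse zone (IP -> PTR names). Not real DNS data.
PTR_RECORDS = {
    "1.2.3.4": ["4.3.2.1.isp.net"],           # the article's good case
    "1.2.3.5": ["5.3.2.1.isp.net"],           # the article's broken case, shifted one address
    "5.6.7.8": ["mail.example.net", "www.example.net"],  # several PTRs; one confirms
    "2001:db8::1": ["host6.example.net"],     # IPv6 is checked the same way
    # 9.9.9.9 deliberately has no PTR record at all
}

# Constructed forward zone (name -> A/AAAA records). Not real DNS data.
A_RECORDS = {
    "4.3.2.1.isp.net": ["1.2.3.4"],
    "5.3.2.1.isp.net": ["2.3.4.5"],           # ISP error: does not point back to 1.2.3.5
    "mail.example.net": ["5.6.7.9", "5.6.7.8"],  # round-robin; one address matches
    "www.example.net": ["203.0.113.10"],
    "host6.example.net": ["2001:0DB8:0000:0000:0000:0000:0000:0001"],  # uncompressed form
}


def fake_ptr(ip):
    """Reverse lookup against the constructed zone."""
    return PTR_RECORDS.get(ip, [])


def fake_forward(name):
    """Forward lookup against the constructed zone."""
    return A_RECORDS.get(name, [])


def system_ptr(ip):
    """Real reverse lookup via the OS resolver (assumed deployment hook; not used offline)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except socket.herror:
        return []


def system_forward(name):
    """Real A/AAAA lookup via the OS resolver (assumed deployment hook; not used offline)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []


def fcrdns(ip, ptr_fn=fake_ptr, forward_fn=fake_forward):
    """Return (ok, confirmed_names, reason).

    ok is True when at least one PTR name for ip has an A/AAAA record equal
    to ip. Addresses are compared as ipaddress objects so textual variants
    of the same IPv6 address still match.
    """
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    names = ptr_fn(str(addr))
    if not names:
        return False, [], "no PTR record"
    confirmed = []
    for name in names:
        forward = set()
        for a in forward_fn(name):
            try:
                forward.add(ipaddress.ip_address(a))
            except ValueError:
                continue  # ignore malformed data from a broken zone
        if addr in forward:
            confirmed.append(name)
    if confirmed:
        return True, confirmed, "forward-confirmed"
    return False, [], "PTR name(s) %s do not resolve back to %s" % (", ".join(names), addr)


if __name__ == "__main__":
    for ip in ("1.2.3.4", "1.2.3.5", "9.9.9.9", "5.6.7.8", "2001:db8::1"):
        print(ip, fcrdns(ip))
```

Two points the example makes that the prose does not: a name with several A records (round-robin) passes as long as one of them is the client address, and a client with several PTR records passes as long as one of them confirms. Real servers also differ in how strict they are; Postfix, for instance, distinguishes `reject_unknown_client_hostname` (the full forward-confirmed check above) from `reject_unknown_reverse_client_hostname` (which only demands that some PTR record exist).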
This problem affected one of my customers who recently switched ISPs to SBC. SBC is the Bell Regional Operating Company that purchased AT&T in 2005. I was hired to solve my customer's email problems. It took just minutes to identify the problem as a paranoid DNS checking issue. The customer was told to report the problem to SBC and have them fix it. A few hours later the customer reported that SBC didn't seem to understand the problem so they couldn't fix it.
I called SBC on the customer's behalf. I was on the phone for 2.5 hours. During that time, I had to endure senseless questions such as whether I was running Windows or Mac. Was I using a 2-wire or 4-wire DSL circuit? Someone told me that they didn't make DNS changes for home users. When I said that we were a business and had a /29 network, he asked how many IP addresses we had. CIDR notation is but one of the many things they don't know about. At one point, I told them that I shopped at Safeway. After a pregnant pause, I said that this was as relevant to the problem as the questions they were asking.
The call was escalated to four levels of tech support. There wasn't an appreciable increase in DNS expertise as the levels increased. The last level - the highest level - the best and the brightest - didn't comprehend the simple problem. They said that I'd need to contact the people that handled IP address allocations in their company. However, I was not allowed to call them by phone - I could only send them email. They gave me the email address. I sent email to that address but it bounced because of
.... wait for it ....
a DNS problem.
While researching this SBC problem, I found a July 2, 2004 story from the San Francisco Chronicle about SBC spam problems. This article inspired me to seek out related information elsewhere. It seems that SBC customers were being flooded with spam. SBC decided to solve the problem in part with paranoid DNS checking but didn't tell their tech support people about it and didn't train them as to what it was.
We never could get SBC to solve the problem. It was unlikely that any amount of additional time on the phone would result in an SBC person understanding what we needed. The customer was told to switch ISPs or to live with the problem.
This experience with SBC is the worst I've had but dealing with other large ISPs comes close. Generally speaking, it's easier dealing with smaller ISPs. The larger the company, the greater the tolerance for incompetence.