Domain Name Servers (DNS) were still functional during the weekend. There were reported claims to bring down this collection of important servers in the hopes of more cyberterrorism. However, while there are only 13 root servers, they are replicated into hundreds of machines around the globe using a variety of protocol tricks, and recently efforts were accelerated to further protect the roots, too.
But I learned a valuable DNS lesson of my own last week, unrelated to the supposed plans of this hacker group. And that is: Treat DNS with the respect that it deserves. I lost several hours of productivity to debugging some beta software on my Mac when I was on the road. Hopefully, after you read this, you will be more careful than I was in what you place on your own equipment. If we are going to bring more of our own devices into work, we have to be better at what changes we make to them, too.
The issue was with an early version of OpenDNS' DNScrypt, which I announced and wrote about here. At the time that I wrote that post back in December, I hadn't yet tried the software. Now I have, and I can't recommend it -- at least, in its current version.
After I wrote my post, I decided to try DNScrypt out. I usually don't like installing beta code on my Mac, which is my main work and production machine. Now I remember why. For several months, I have been using my computer and occaisionally having some issues with connecting to certain Wi-Fi hotspots. I didn't link up the connection with DNScrypt until last week, when I was in a hotel and trying to get online. The hotel uses iBahn's connectivity service to provide both wired and wireless bandwidth to its guests.
I spent about an hour on the phone with the iBahn tech support person, who was wonderful and took me through all the things that I had already tried, including switching between wired and wireless ports, using different browsers, and so forth. I went to sleep that night very frustrated, and vowed to get to the bottom of my problem once and for all. The next morning, I had a thought and brought up my VMware Windows VM and was able to get online. That got me thinking that there was something wrong with my Mac software, and perhaps a DNS issue.
Most of you know that there are two types of Wi-Fi connections: open networks that anyone can connect to and encrypted ones that require you to enter a password, using a variety of protocols. But there is a third type, one that starts out being open and then sends you an authenication webpage to continue. The page is used for you to accept terms of service, or to bill you (my service was complimentary), or to recognize that you are a hotel guest. Many public Wi-Fi providers use this method, including coffee bars and local libraries. Having DNScrypt prevented this page from being sent to my computer, and thus I wasn't able to get to any websites. What was curious, and got me thinking, was that I could bring up other non-Web services, such as Skype.
It took me and a couple of guys at the Apple store (luckily, one was nearby) to figure out that DNScrypt was the culprit. They had never even heard of DNScrypt before, but they know what it is now. And as I searched around the Internet to write this post, I came across this explanation. Too bad I didn't see it earlier.
Now the whole point of having DNScrypt is to protect you in precisely these sorts of circumstances, in public Wi-Fi networks. And I really don't want to spend much more time debugging their software (which the company told me they were working on to resolve my issue). So I have removed the software from my system, and I suggest that you do so as well. Perhaps OpenDNS will have a better product in the future, and perhaps DNSSEC will become more prevelant on our Interwebs. In the meantime, at least I will know that I can get online in a matter of seconds, rather than days. And I have a renewed respect for DNS, and won't monkey with it again, I promise!