Paul Vixie's firsthand account of the takedown of DNS Changer

Carl Malamud sez, "Paul Vixie tells a real-life action adventure about the DNS Changer and Conficker plagues that are still active on the Internet and how he ended up running a center for disease control in addition to his day job. His day job, in case you're not familiar with it, consists of helping keep the DNS going and as a sideline hosting a lot of important software and services like Mozilla, the Internet Archive, and many others (and a few lightweight low-volume clients like"

Since the original court order that authorized ISC to install and operate these replacement DNS servers was due to expire on March 9 2012, a new DNS Changer Working Group (DCWG) was formed to handle victim notification and remediation. We had roughly four months to identify and notify half a million or so DNS Changer victims, and to help these victims clean up their infected computers. Many victims would have to reinstall Windows on their computers — which at first was the only sure cure for this particular infection. On top of that, many of the victims had had their DSL or Cable modems ("home routers") reconfigured by the DNS Changer malware, so that they were using ISC's replacement DNS servers even if none of their computers were still infected and even if none of their computers were running Windows. Most Internet users do not have the skills necessary to check and repair the configuration of their home routers, and most Windows users are also unwilling to reinstall Windows. So, even when we could identify and notify a victim, we had a hard time "closing the deal".

We didn't make it. When March 9 2012 loomed, we still had hundreds of thousands of victims dependent on ISC's replacement DNS servers. Therefore the FBI asked the judge for an extension and we were given four more months. No fooling around this time, there won't be another extension, it's now or never, put up or shut up, etc. Noting that no private company or individual can legally operate this replacement DNS service on the open Internet unless they have a judge's permission to do so, many ISPs are now starting up replacement DNS servers inside their own networks, accessible only by their own customers, in order to control the risks they would otherwise face on July 9 2012 when the second and final court order is due to expire. But that kind of risk management isn't the same as cleaning up the problem. I don't think we want to "kick this can down the road". If an ISP wants to run a replacement DNS server for the purpose of forcibly breaking these computers, in small batches, to get their owners to call in and ask for help, that's one thing. But if it's just going to be a new permanent service that the ISP offers to these customers, count me as "opposed."

We as a digital society are much better at strategies for coping than we are at strategies for remediation.

DNS Changer (Thanks, Carl!)
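The victim-identification step Vixie describes (an ISP spotting which customers still send DNS traffic to the replacement servers, and a user checking whether the resolver their home router handed them is one of those servers) can be sketched as a small check. This is an added example, not code from ISC or the DCWG; the replacement-server prefixes are placeholder TEST-NET ranges, since the real addresses are not given here, and the flow log and resolv.conf text are constructed.

```python
import ipaddress
import re

# Placeholder prefixes standing in for the court-authorised replacement DNS
# servers (the page does not list the real ones); RFC 5737 TEST-NET ranges.
REPLACEMENT_DNS_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # placeholder
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder
]

# Constructed flow-log lines: "src dst proto dport", one flow per line.
SAMPLE_FLOWS = """\
10.0.0.7 192.0.2.5 udp 53
10.0.0.7 192.0.2.5 udp 53
10.0.0.9 8.8.8.8 udp 53
10.0.0.12 198.51.100.9 udp 53
10.0.0.12 203.0.113.4 tcp 443
10.0.0.20 192.0.2.5 tcp 80
"""

def uses_replacement_dns(ip):
    """True if the address lies in one of the replacement-server prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REPLACEMENT_DNS_RANGES)

def victims_from_flows(text):
    """ISP side: map each source IP that sends DNS (port 53) to a
    replacement server onto the number of such flows seen."""
    counts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, proto, dport = parts
        if proto not in ("udp", "tcp") or dport != "53":
            continue  # only DNS traffic matters here
        if uses_replacement_dns(dst):
            counts[src] = counts.get(src, 0) + 1
    return counts

def resolv_conf_victims(text):
    """Client side: nameservers in resolv.conf-style text (typically handed
    out by the home router via DHCP) that point at a replacement server."""
    servers = re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)
    return [s for s in servers if uses_replacement_dns(s)]
```

A host that is clean but still listed by `resolv_conf_victims` is the router-reconfiguration case the account mentions: the fix is on the router, not the PC.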
  1. A lot of users just won’t believe there’s a problem as long as things even vaguely work. They’ll go “If I need to fix it, why is everything working fine?”. The only way to get their attention at all is to make things stop “working fine”. By now all the owners of all the infected machines should’ve been informed, if their ISPs are in the loop on this. Pull the plug, shut the replacement DNS down and don’t let them ignore the problem any longer.

    “Evolution stopped when stupidity stopped being painful.” It may not be technically accurate, but the sentiment behind it’s undeniably true.

    1. Perhaps somebody would care to actually explain what the problem is?

      Beyond just making “using ISC’s replacement DNS servers” sound like a bad thing?

      We’re not all au fait with the entire digital landscape. I can begin to guess why being hooked up to a dodgy domain name server would be bad, but would an example or two be too much to ask?

      Perhaps part of the problem might be a failure to communicate the nature of the issue. Certainly seems the case with Cory’s post here.

  2. These DNS servers should resolve every single query to a page that tells them what’s wrong, how to fix it. That’ll get people off their butts.

  3. Just pull the plug. They’ll want to fix it as soon as it stops working. They can pick up the phone and call the tech guy, if they’re too lazy or stupid to do it themselves.
