Much the same way as FON were accidentally blocking access to half of the Flickr image pool because of badly set up DNS, it seems that they are now blocking access to some Google-hosted content. That affects some YouTube videos, some of which seem to be hosted on Google servers already, as well as some other Google acquisitions like Orkut.
The screen grab shows what you see when you try to go to one of these videos while connected through the FON AP (and I’m connected to the private network SSID on it here, not the public hotspot SSID). Connecting directly to my local ISP, the video plays without any problem.
Looking a little deeper into what happens for Orkut, here are the different DNS lookups.
    $ dig www.orkut.com
    ; <<>> DiG 9.3.1 <<>> www.orkut.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22015
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;www.orkut.com. IN A
    ;; Query time: 238 msec
    ;; SERVER: 192.168.10.1#53(192.168.10.1)
    ;; WHEN: Sun Aug 26 10:54:53 2007
    ;; MSG SIZE rcvd: 31
    $ dig www.orkut.com
    ; <<>> DiG 9.3.1 <<>> www.orkut.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45009
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;www.orkut.com. IN A
    ;; ANSWER SECTION:
    www.orkut.com. 86400 IN A 188.8.131.52
    ;; Query time: 115 msec
    ;; SERVER: 192.168.200.222#53(192.168.200.222)
    ;; WHEN: Sun Aug 26 10:55:29 2007
    ;; MSG SIZE rcvd: 47
And here is what Firefox reports, unsurprisingly, when I try to connect to the Orkut website:
So, once again it looks as though the FON DNS servers are trying to replace the real DNS server for some domains out there. I assume this is done so that they can whitelist Flickr, Google Video and other domains that are accessible through the login page of a FON hotspot. The way they're approaching it is all wrong though.
The key to making this work smoothly is to let the DNS request go through normally, but block access to IP addresses that are not authorised at the access controller. FON has a slightly harder time doing this since their access controller is not in fact a central service. Unlike most hotspots, they don't route all the user traffic over a VPN to their network where a central access controller can manage access; instead they use their APs as access controllers, and use the local network connection for traffic.
The distributed solution to access control is obviously better for FON (otherwise they'd have to pay for the bandwidth for everybody using their network, and the performance would most probably be terrible for people not near their data centre). What they need to do though is come up with a way to get the IP addresses of the whitelisted servers, or perhaps just the blocks allocated to those companies, pushed out to the APs regularly, and manage the blocking/whitelisting at the IP level. Playing tricks with DNS results will only lead to problems like the ones they had with Flickr, and now with some Google properties.
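A sketch of the IP-level approach described above, as an added example that is not FON's code: DNS answers are never rewritten, and the AP decides per destination address using a pushed list of CIDR blocks. The function names, the resolver address and the address blocks (documentation ranges, not real Flickr or Google allocations) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of a list pushed to the AP. The ranges are RFC 5737
# documentation blocks; the last two entries are deliberately malformed.
PUSHED_ALLOWLIST = ["198.51.100.0/24", "203.0.113.16/28",
                    "198.51.100.7/16", "not-a-cidr"]
UPSTREAM_RESOLVER = "192.0.2.1"  # hypothetical resolver the AP hands out


def load_allowlist(entries):
    """Parse pushed CIDR strings, skipping malformed ones.

    strict=True rejects entries with host bits set (e.g. 198.51.100.7/16),
    so a typo in the pushed list cannot silently widen the allowed range.
    """
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            continue
    return networks


def decide(dst_ip, dst_port, proto, authenticated, allowlist,
           resolver=UPSTREAM_RESOLVER):
    """Return 'ACCEPT' or 'DROP' for one outbound flow seen at the AP."""
    if authenticated:
        return "ACCEPT"
    addr = ipaddress.ip_address(dst_ip)
    # DNS passes through unmodified, but only to the configured resolver,
    # so every client sees the real answers for every domain.
    if dst_port == 53 and proto in ("udp", "tcp"):
        return "ACCEPT" if addr == ipaddress.ip_address(resolver) else "DROP"
    # Everything else is judged on the destination address alone.
    if any(addr in net for net in allowlist):
        return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    allowlist = load_allowlist(PUSHED_ALLOWLIST)
    for flow in [("192.0.2.1", 53, "udp"), ("198.51.100.20", 443, "tcp"),
                 ("192.0.2.80", 80, "tcp")]:
        print(flow, decide(*flow, authenticated=False, allowlist=allowlist))
```

With this split, a name that is not on the list still resolves correctly before login; only the connection to its address is refused until the client authenticates.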