Canadian ISP Hijacking DNS Lookup Errors
Freshly Exhumed tips us to news that Canadian ISP Rogers Cable appears to be redirecting invalid DNS requests to their own search and advertising page. Roadrunner got caught doing the same thing earlier this year. According to the article, "The hijacking appears to be an attempt by Rogers to use its Deep Packet Inspection (DPI) technology to cash in on the mistakes of its users." Freshly Exhumed also reminds us, "As IOActive security researcher Dan Kaminsky has warned in the past, this presents a very serious security problem."
This must be brand new. I did a test just now and a bad URL sends you here:
http://www20.search.rogers.com/search?
With appropriate variables substituted for what you were typing of course, like this:
Enter: http://www.rogersblowz.com and you get:
http://www20.search.rogers.com/search?qo=www.rogersblowz.com&rn=mEelOh0JrKFZejZ
Let the debate rage on!!!
Mark
http://www.opendns.com/
Basically, it is: remove your ISP's DNS numbers and add these:
208.67.222.222
208.67.220.220
If the ISP is messing with the DNS service, the best thing to do is to use a different service.
For Linux/Unix users, you can just run a caching-only server on the desktop system, and it will issue its own name requests from the root on down. I've been doing a slightly more complex version of this at home for VPN purposes. (Forward requests to my employer's net to the private internal DNS server (through the VPN), while querying the public internet for all other servers.)
I don't know if a similar option is available for Windows users without shelling out big bucks, but it is technically feasible.
If you cannot run a caching-only server, another option is to use a third-party DNS server. The only problem here is that it would not be automagically configured by DHCP, and would have to be manually set up.
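A quick way to check a resolver for the rewriting described in this thread, as an added example that is not part of the original discussion: build a query for a name that cannot exist and inspect the raw reply. An honest resolver answers NXDOMAIN (rcode 3); a rewriting one returns an A record pointing at its own search page. The sample replies below are constructed, and 192.0.2.10 is a documentation placeholder, not any ISP's server.

```python
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """One A-record question, recursion desired (a standard stub-resolver query)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def classify_response(resp: bytes, expected_txid: int) -> str:
    """'nxdomain' is the honest answer for a nonexistent name; an A record means
    the resolver substituted its own address (the hijack this thread describes)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if txid != expected_txid:
        return "txid-mismatch"
    rcode = flags & 0x0F
    if rcode == 3:
        return "nxdomain"
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # past QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return "hijacked:" + ",".join(addrs) if addrs else f"rcode={rcode}"

def fake_response(query: bytes, rcode: int, answer_ip: str = "") -> bytes:
    """Constructed sample reply (not captured traffic) used to exercise the classifier."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 1 if answer_ip else 0, 0, 0)
    body = header + query[12:]  # echo the question section
    if answer_ip:
        rdata = bytes(int(x) for x in answer_ip.split("."))
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + rdata
    return body
```

For a live check, send build_query() for a random label under a domain you know exists (so a cached answer cannot mask the result) over UDP to port 53 of the resolver under test, and pass the reply to classify_response().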
My ISP has been doing the same thing for a while now. It fucks with the stored history in my browser. I make a mistake and every time I'm typing in the correct URL later, my mistake is shown as an option from my history.
My ISP is the American ISP Charter. When I type in a bad URL, I get a search page like this.
What the hell? Verizon is doing this now, too. Whenever I type in 'slashdot' in firefox, it just takes me to their useless search page, which is getting REALLY old now. I'm getting pretty disgusted now, and they should get it through their thick heads that if they're gonna charge us money for 'net access, they have NO right to make more money off of us by selling ads instead of allowing our browsers to function as expected.
Verizon has been doing this for a while. I read the Terms of Service, Acceptable Use Policy, etc. every time they update it. It's clearly there, disguised as a 'feature' called DNS Assistance.
However, Verizon does have non-poisoned DNS servers which you can find in their Help pages, along with instructions for changing your machine's settings. http://netservices.verizon.net/portal/link/help/item&objId=23883
I noticed this yesterday and asked about it at DSL Reports and got some interesting replies like this one:
"I've recently noticed this as well. I use Rogers DNS as a secondary DNS and 4.2.2.1 as my primary. Either way, 30 seconds after seeing this I got annoyed and in Firefox 3 typed in...
"about:config" in the address bar, accepted the "This will void warranty" message and proceeded to type in "browser.search.search" into the filter bar.
You should see "browser.search.searchEnginesURL" come up after typing it; all I did was replace the default value with "www.google.com" and instantly every time I type something in it will go to Google instead wooo!!!"
read more at - http://www.dslreports.com/forum/remark,20813296
They tried to get me to use their poisoned servers, and as soon as I found out (btw, they DO report nxdomain, along with their error handling servers), I went back to the old ones.
The poisoned ones were 68.237.161.12 (nsnyny01.verizon.net) and 71.250.0.12 (nsnwrk01.verizon.net), and the unpoisoned ones are 151.202.0.85 and 151.203.0.85.
-uso.
I've had to do this, and it works. No annoying Verizon snatching my failed DNS lookups!
Of course, if you try to get this out of their so-called "tech support", they will not know what you're asking for until you manage to get down to tier 2 or 3 or so. Amazing as it sounds, tier-one Verizon FiOS tech support will glaze over at the mere mention of DNS, and will stupidly keep trying to get you to do inane things with your browser.
Verizon's non-poisoned DNS servers are vulnerable to the newly discovered DNS vulnerability. Shout at them!
151.202.0.85 is POOR: 26 queries in 2.1 seconds from 22 ports with std dev 19.03
151.203.0.85 is POOR: 26 queries in 2.4 seconds from 22 ports with std dev 15.08
Check for yourself using `dig porttest.dns-oarc.net. in txt`
That's the entire purpose of OpenDNS. Open is just a misdirection word they stuck in there to make themselves sound better than they are.
4.2.2.1
4.2.2.2
This is the best way:
in resolv.conf:
nameserver 4.2.2.1
nameserver 4.2.2.2
If you have a laptop or other device where you might use different connections, this is a good way to make sure your DNSs are not changed by different apps (I might connect using either wvdial or kppp, through EDGE/3G, or using KDE's wlan manager, simple DHCP on ethernet, etc)
Just set the immutable flag on your resolv.conf file:
chattr +i /etc/resolv.conf
If you want to make it writable again run:
chattr -i /etc/resolv.conf
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Worse.
$ dig +short porttest.dns-oarc.net TXT @4.2.2.1
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"209.244.7.40 is POOR: 26 queries in 2.0 seconds from 1 ports with std dev 0.00"
$ dig +short porttest.dns-oarc.net TXT @4.2.2.2
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"209.244.7.34 is POOR: 26 queries in 1.9 seconds from 1 ports with std dev 0.00"
And my comment was moderated...
+1 Insightful
[Rimshot]
http://www.opendns.com?
This activity by Rogers is affecting the ability of corporate VPN connections to resolve internal addresses (those located behind their firewalls) leaving Rogers customers unable to access their company's systems.
The company I just left is using Paxfire too. I kicked and screamed about it, but upper management only cares about the revenue that Paxfire will share with the company. It's so wrong. I left 3 months ago after being there for 8 years.
opendns.com does the very mangling I want to avoid and calls it a feature. At least they tell you they are doing it, and use it for stuff that could benefit end users (filtering allowed site names) as well as their own advertising. But it doesn't solve the problem. It is just a more "open" and up front version of the problem.
Maybe I don't understand the complaint. I use OpenDNS and I don't see any advertising. (If you do see heavy advertising, I'd love to see a screen shot.) It's true you don't get the "404" error and you instead get a search page provided by them, but that's no different than telling your browser to search Google/Yahoo/MSM when an address can't be found. Only a few of us prefer the old 404 error and most want suggestions on where to link to. The advantage to OpenDNS is in having an account (I use the free one) and applying filtering to suit your needs.
I live in Charter territory and they too have set up their own DNS-fail page. You can opt out by going to some website of theirs and telling it to bugger off, but it requires cookies. If you wipe your cookies, you have to reset this. Their search results aren't very good and, since setting up OpenDNS on my router*, I've had better results. I've found that some types of common mistakes are auto-corrected (only if it can't find what you typed or clicked on), so the results have been very good. The users in my home only see my logo picture that I've uploaded and some relevant search results when they try to go to an invalid web address. Are some of these search results paying to be visible? Sure, just like Google, et al. So what. I feel better with them because I control what happens with the 404 errors, not Charter. And, because there's a kid in the house, I can control the filtering. Just a side benefit.
As for their being 'Open', I agree that the name is misleading due to the now common use of the word in computer culture. Where do they give us access to the code and how would we use it or implement it if we had it? However, they are open in that anybody can use the service for free.
Now, for the issue at hand, the ISP 'hijacking' DNS lookup errors, what is the real problem with this? A failed DNS lookup fires back the old 404. Used to be, that's exactly what we'd see. But browsers evolved and are now set up to use a search service (MS, Google, etc.). This is where the problem is with the ISPs performing this stunt. They are overriding your personal settings. I don't think it has anything to do with DPI (as I read in someone else's comment) or even any invasion of privacy. I don't see any such conspiracy. The only Bad Thing® I see is that they ignore our personalized settings and force their setting upon us. So let's not jump up and down calling this something it isn't. We don't even need to, since the real problem is bad enough as it is.
*You might not have access to do this to the router provided by your ISP, but you can hook up a router you do control to that one. Set it up to use DHCP, as you'd expect. It will, of course, get the standard IP/Gateway/Subnet/DNS info. But, since it's your router to control, you can now tell it what to assign to the computers attaching to it, including what DNS servers to use. In my case, I choose to use OpenDNS. You might choose something else that you have permission to use. I've had no failures in this at all and it seems Charter (Verizon, AT&T, whoever-ISP) can't 'fix' that.
I hope this comment is well received... I could have moderated instead!
Just turn it off (feature called 'typo correction') and you have a rock solid/bug fixed open dns :)
AdBlock gets rid of the Verizon "search" page.
Clickity, clickity, never see again.
I think the most annoying aspect is how we get used to leaving off the 'www' at the beginning of domains with Firefox, and Firefox adds it in for you if the non-www address fails to resolve. With this DNS hijacking this feature is broken.
Yeah, Paul's big on DNS "Alternatives". Not.
Hughes does this too now with their sat service. Never mind that I use my own DNS servers; their "transparent" web proxy does its own DNS and ignores the ones you use. Just for web.
That is, I can FTP to, say, "free.tibet" but if I try for that web page I get a Hughes/Yahoo thing that says "did you mean..." (no, I didn't, you asswipe) Grrrrrrrrrr.
Vixie of course, invented the "transparent web proxy" to "get around" the "problem" of people using non-iana roots to get at web pages in alternative dns spaces about a decade ago. He was right smug about it at the time.
In 1994 Ted Rogers spoke at a conference in Toronto. He said what sounded to me like really stupid things about the net.
When he was done, he just left and didn't hang around.
The next speaker was Nick Negroponte whose first line was "It's a pity Mr. Rogers left because I'd like to have a chance to tell him everything he said was wrong."
It hasn't got any better. Rogers will screw you every step of the way with every service they have, from my perspective. Bail, kids, bail.
I use Rogers and this just started the other day and has been freaking me out. After I calmed down and actually looked at the page, it says you can "opt out", so I did. BUT it doesn't really opt you out: they made a fake 404 page that is still on the Rogers domain and they send you there. I only caught it because they copied exactly the IE 404 page and I am using a Mac and Safari, so when it says my browser is IE it looked kind of funny. This is the same Rogers that everyone hates so much that Apple cut the number of iPhones that they sent to Canada, or so I heard. Way to go Rogers, winning fans right and left.