Slashdot Mirror


Canadian ISP Hijacking DNS Lookup Errors

Freshly Exhumed tips us to news that Canadian ISP Rogers Cable appears to be redirecting invalid DNS requests to their own search and advertising page. Roadrunner got caught doing the same thing earlier this year. According to the article, "The hijacking appears to be an attempt by Rogers to use its Deep Packet Inspection (DPI) technology to cash in on the mistakes of its users." Freshly Exhumed also reminds us, "As IOActive security researcher Dan Kaminsky has warned in the past, this presents a very serious security problem."

51 of 225 comments

  1. Good Grief by MightyMartian · · Score: 4, Interesting

    I know one problem it can cause is for a number of spam tests which look for the message coming from a legitimate domain. When the DNS server says "yup, that resolves" even when there's actually no domain, the test is defeated.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:Good Grief by PunkOfLinux · · Score: 4, Informative

      What the hell? Verizon is doing this now, too. Whenever I type in 'slashdot' in firefox, it just takes me to their useless search page, which is getting REALLY old now. I'm getting pretty disgusted now, and they should get it through their thick heads that if they're gonna charge us money for 'net access, they have NO right to make more money off of us by selling ads instead of allowing our browsers to function as expected.

    2. Re:Good Grief by Anonymous Coward · · Score: 5, Informative

      Verizon has been doing this for a while. I read the Terms of Service, Acceptable Use Policy, etc. every time they update it. It's clearly there, disguised as a 'feature' called DNS Assistance.

      However, Verizon does have non-poisoned DNS servers which you can find in their Help pages, along with instructions for changing your machine's settings. http://netservices.verizon.net/portal/link/help/item&objId=23883

    3. Re:Good Grief by dosius · · Score: 5, Informative

      They tried to get me to use their poisoned servers, and as soon as I found out (btw, they DO report nxdomain, along with their error handling servers), I went back to the old ones.

      The poisoned ones were 68.237.161.12 (nsnyny01.verizon.net) and 71.250.0.12 (nsnwrk01.verizon.net), and the unpoisoned ones are 151.202.0.85 and 151.203.0.85.

      -uso.

      --
      What you hear in the ear, preach from the rooftop Matthew 10.27b
    4. Re:Good Grief by c_g_hills · · Score: 4, Informative

      Verizon's non-poisoned dns servers are vulnerable to the newly discovered dns vulnerability. Shout at them!

      151.202.0.85 is POOR: 26 queries in 2.1 seconds from 22 ports with std dev 19.03

      151.203.0.85 is POOR: 26 queries in 2.4 seconds from 22 ports with std dev 15.08

      Check for yourself using `dig porttest.dns-oarc.net. in txt`

    5. Re:Good Grief by c_g_hills · · Score: 4, Funny

      According to Paul Vixie, Level3 operators have said that they plan to restrict access to these servers in future to customers only, so make sure you have an alternative available!

    6. Re:Good Grief by davolfman · · Score: 2, Insightful

      To be honest I still think this thing is a bomb waiting to go off when it comes to anything outside the TLDs. In my mind if someone does this for say badmachine.slashdot.org they are pretty much guilty of criminal trespass, trademark violation, and/or fraud. Within the TLD space say www.badurltest.org where the typo isn't already someone else's claimed property they can pretty much do whatever they want, or whatever we let them.

    7. Re:Good Grief by woot+account · · Score: 2, Informative

      That's the entire purpose of OpenDNS. Open is just a misdirection word they stuck in there to make themselves sound better than they are.

    8. Re:Good Grief by Anonymous Coward · · Score: 4, Informative

      4.2.2.1
      4.2.2.2

    9. Re:Good Grief by bconway · · Score: 2, Informative

      Worse.

      $ dig +short porttest.dns-oarc.net TXT @4.2.2.1
      z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
      "209.244.7.40 is POOR: 26 queries in 2.0 seconds from 1 ports with std dev 0.00"

      $ dig +short porttest.dns-oarc.net TXT @4.2.2.2
      z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
      "209.244.7.34 is POOR: 26 queries in 1.9 seconds from 1 ports with std dev 0.00"

      --
      Interested in open source engine management for your Subaru?
    10. Re:Good Grief by Anonymous Coward · · Score: 2, Insightful

      No string of characters is or can be property.

      Really? Quick, tell the US Patent and Trademark office!

    11. Re:Good Grief by no1home · · Score: 2, Informative

      Maybe I don't understand the complaint. I use OpenDNS and I don't see any advertising. (If you do see heavy advertising, I'd love to see a screen shot.) It's true you don't get the "404" error and you instead get a search page provided by them, but that's no different than telling your browser to search Google/Yahoo/MSM when an address can't be found. Only a few of us prefer the old 404 error and most want suggestions on where to link to. The advantage to OpenDNS is in having an account (I use the free one) and applying filtering to suit your needs.

      I live in Charter territory and they too have set up their own DNS-fail page. You can opt out by going to some website of theirs and telling it to bugger off, but it requires cookies. If you wipe your cookies, you have to reset this. Their search results aren't very good and, since setting up OpenDNS on my router*, I've had better results. I've found that some types of common mistakes are auto-corrected (only if it can't find what you typed or clicked on), so the results have been very good. The users in my home only see my logo picture that I've uploaded and some relevant search results when they try to go to an invalid web address. Are some of these search results paying to be visible? Sure, just like Google, et al. So what. I feel better with them because I control what happens with the 404 errors, not Charter. And, because there's a kid in the house, I can control the filtering. Just a side benefit.

      As for their being 'Open', I agree that the name is misleading due to the now common use of the word in computer culture. Where do they give us access to the code and how would we use it or implement it if we had it? However, they are open in that anybody can use the service for free.

      Now, for the issue at hand, the ISP 'hijacking' DNS lookup errors, what is the real problem with this? A failed DNS lookup fires back the old 404. Used to be, that's exactly what we'd see. But browsers evolved and are now set up to use a search service (MS, Google, etc.). This is where the problem is with the ISPs performing this stunt. They are overriding your personal settings. I don't think it has anything to do with DPI (as I read in someone else's comment) or even any invasion of privacy. I don't see any such conspiracy. The only Bad Thing® I see is that they ignore our personalized settings and force their setting upon us. So let's not jump up and down calling this something it isn't. We don't even need to since the real problem is bad enough as it is.

      *You might not have access to do this to the router provided by your ISP, but you can hook up a router you do control to that one. Set it up to use DHCP, as you'd expect. It will, of course, get the standard IP/Gateway/Subnet/DNS info. But, since it's your router to control, you can now tell it what to assign to the computers attaching to it, including what DNS servers to use. In my case, I choose to use OpenDNS. You might choose something else that you have permission to use. I've had no failures in this at all and it seems Charter (Verizon, AT&T, whoever-ISP) can't 'fix' that.

      --
      I hope this comment is well received... I could have moderated instead!

      Persecutors will be violated!
    12. Re:Good Grief by Trailwalker · · Score: 4, Informative

      AdBlock gets rid of the Verizon "search" page.

      Clickity, clickity, never see again.

    13. Re:Good Grief by Curtman · · Score: 3, Informative

      Maybe I don't understand the complaint. <snip> Only a few of us prefer the old 404 error and most want suggestions on where to link to.

      I think the most annoying aspect is how we get used to leaving off the 'www' at the beginning of domains with Firefox, and Firefox adds it in for you if the non-www address fails to resolve. With this DNS hijacking this feature is broken.

    14. Re:Good Grief by rs79 · · Score: 2, Informative

      Yeah, Paul's big on DNS "Alternatives". Not.

      Hughes does this too now with their sat service. Never mind I use my own DNS servers, their "transparent" web proxy does its own DNS and ignores the ones you use. Just for web.

      That is, I can FTP to say, "free.tibet" but if I try for that web page I get a hughes/yahoo thing that says "did you mean..." (no, I didn't you asswipe) Grrrrrrrrrr.

      Vixie, of course, invented the "transparent web proxy" to "get around" the "problem" of people using non-iana roots to get at web pages in alternative dns spaces about a decade ago. He was right smug about it at the time.

      In 1994 Ted Rogers spoke at a conference in Toronto. He said what sounded to me like really stupid things about the net.

      When he was done, he just left and didn't hang around.

      The next speaker was Nick Negroponte whose first line was "It's a pity Mr. Rogers left because I'd like to have a chance to tell him everything he said was wrong."

      It hasn't got any better. Rogers will screw you every step of the way with every service they have from my perspective. Bail, kids, bail.

      --
      Need Mercedes parts?
  2. Hijack? Rogers ? by carlvlad · · Score: 2, Funny

    aaaa'rrrr!

  3. Well I'll be... by Shabbs · · Score: 4, Informative

    This must be brand new. I did a test just now and a bad URL sends you here:

    http://www20.search.rogers.com/search?

    With appropriate variables substituted for what you were typing of course, like this:

    Enter: http://www.rogersblowz.com and you get:

    http://www20.search.rogers.com/search?qo=www.rogersblowz.com&rn=mEelOh0JrKFZejZ

    Let the debate rage on!!!

    --
    Mark
    1. Re:Well I'll be... by Holmwood · · Score: 5, Interesting

      Worse than this even. I've been redirected to Rogers Search pages, replete with advertising, for domains that I know exist, and that I know have been entered correctly (e.g. via a bookmark).

      It used to happen a lot with http://ragnartornquist.com/ (Tornquist is a senior game designer for Funcom). Granted that's a tough name to spell properly for a North American, but since I'd click on a bookmarked link, or a google page, I was sure it wasn't a problem with my typing.

      What started to give it away as being something at Rogers (rather than my computer infected with malware) was that this was happening on every device I connected to the net -- Lynx on BSD, Safari on Apple, Opera on Maemo, Iceweasel on Ubuntu, and, of course, Firefox/IE/Opera on Windows.

      (Yeah, I have a lot of different OS's sitting around!)

      For a while I then became convinced my router had been compromised, but even switching routers didn't fix it.

      Concluding it was unlikely that five different OSes and myriad different browsers had all been compromised, as well as two different routers, I contacted Rogers.

      They said they were experimenting with "Software Improvements" and that the problem should go away for existing domains.

      Well, using a proxy fixed it for me. But not a pleasant solution.

      Software Improvements.

      And the problem did go away for me at least. But I wonder if anyone else is being redirected to Rogers garbage pages for domains which exist.

      Holmwood.

    2. Re:Well I'll be... by KGIII · · Score: 2, Funny

      Granted that's a tough name to spell properly for a North American, but since I'd click on a bookmarked link, or a google page, I was sure it wasn't a problem with my typing.

      'Snot very nice of you to insult North Americans so openly and to make such broad sweeping strokes about the intellectual capacity of North Americans.

      Ah well. I think you might be right though.

      --
      "So long and thanks for all the fish."
  4. easy solution by FudRucker · · Score: 4, Informative

    http://www.opendns.com/

    basically it is: remove your ISP's DNS #s and add these

    208.67.222.222
    208.67.220.220

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:easy solution by v1 · · Score: 3, Insightful

      so, how long before your ISP starts blocking use of DNS servers other than their own?

      --
      I work for the Department of Redundancy Department.
    2. Re:easy solution by tgx · · Score: 5, Informative

      no, they're doing the exact same thing.
      they're redirecting invalid requests to
      http://guide.opendns.com/?url=%5Burl.here%5D

      $ host aoeuidhtns.com
      Host aoeuidhtns.com not found: 3(NXDOMAIN)

      $ host aoeuidhtns.com 208.67.222.222
      aoeuidhtns.com has address 208.69.34.132

    3. Re:easy solution by Shabbs · · Score: 5, Interesting

      Funny thing is that OpenDNS also re-directs bad URLs to their search page. So really, how much better is it? ;)

      --
      Mark
    4. Re:easy solution by Anonymous Coward · · Score: 3, Informative

      Already happening here in Italy... both the ads on the false page, and I cannot use OpenDNS nor OpenRootServerNetwork

    5. Re:easy solution by deraj123 · · Score: 3, Informative

      For all those responding to your post that OpenDNS does the same thing. I am currently using OpenDNS, and it is working exactly as I would like, with no invalid responses, no ad-search type pages, etc.

      If you sign up for an account (free) with OpenDNS, they give you a dashboard where you can configure how you want them to respond to certain types of requests. If you turn ALL of the options OFF, then their DNS service acts exactly as it should, with no hijacking of your requests. (for a while, you couldn't turn off the google redirect issue, but they've even added an option for that now...)

    6. Re:easy solution by antdude · · Score: 2, Insightful

      That's great if you have more than one ISP. For me, cable is the only broadband ISP. If I want others, then I have to go back to dialup!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    7. Re:easy solution by TealShark · · Score: 4, Informative

      ... which you can manually stop them from doing by disabling typo corrections in settings.

    8. Re:easy solution by jcam2 · · Score: 2, Interesting

      Worse still, they were (and maybe still are) redirecting lookups for google.com to their own servers .. and I'm pretty sure that Google isn't often down.

    9. Re:easy solution by davidu · · Score: 2, Interesting

      1) Our DNS is more secure. This has been shown by third parties now numerous times.
      2) Our DNS is faster.
      3) Our DNS lets you block out responses you don't want.
      4) Our DNS lets you turn off the search result pages, though most organizations like them and customize them.
      5) Our DNS has a complete dashboard of stats and settings and is 100% opt-in. If you don't like it, don't use it (but nearly everyone who tries it likes it).

      Comparing us to Rogers is like apples and oranges.

      -David

      --
      # Hack the planet, it's important.
    10. Re:easy solution by davidu · · Score: 2, Informative

      I am the founder of both companies. :-)

      --
      # Hack the planet, it's important.
    11. Re:easy solution by darrenkw · · Score: 2, Informative

      Right, however, if you sign up for an account you can turn that off for your router.

    12. Re:easy solution by MrZaius · · Score: 2, Interesting

      Funny thing is that OpenDNS also re-directs bad URLs to their search page. So really, how much better is it? ;)

      Add to that the fact that they're also redirecting Google's traffic to themselves.

      Plus, to add insult to injury, they don't offer "unpoisoned" servers like some ISPs mentioned above. They use your desire to not put up with this nonsense as an excuse to force users to register their names, IP addresses, etc and, if DHCP users, run ddclient or some equivalent. OpenDNS opens up some very, very serious privacy concerns, at this point in the game.

      I for one will be setting up my own DNS server tonight. Enough, already.

  5. Ignore their servers by surmak · · Score: 5, Informative

    If the ISP is messing with the DNS service, the best thing to do is to use a different service.

    For Linux/Unix users, you can just run a caching-only server on the desktop system, and it will issue its own name requests from the root on down. I've been doing a slightly more complex version of this at home for VPN purposes. (Forward requests to my employer's net to the private internal DNS server (through the VPN), while querying the public internet for all other servers.)

    I don't know if a similar option is available for Windows users w/o shelling out big bucks, but it is technically feasible.

    If you cannot run a caching-only server, another option is to use a third-party DNS server. The only problem here is that it would not be automagically configured by DHCP, and would have to be manually set up.

  6. What would be the danger... by Anonymous Coward · · Score: 3, Interesting

    This type of behavior is wrong on so many levels so I wonder what would be the danger of having ICANN police this type of behavior? It seems that ISPs are doing more and more to circumvent "standards" for their own gain. Would it be too much to ask ICANN to come up with a set of rules that ALL ISPs must adhere to or risk losing their netblock? I'm not even sure ICANN would do anything but I'm just posing the question.

  7. How annoying by Anonymous Coward · · Score: 2, Informative

    My ISP has been doing the same thing for a while now. It fucks with the stored history in my browser. I make a mistake and every time I'm typing in the correct URL later, my mistake is shown as an option from my history.

    My ISP is the American ISP Charter. When I type in a bad url, I get a search page like this.

  8. Noticed this yesterday too by greatclare · · Score: 2, Informative

    I noticed this yesterday and asked about it at DSL Reports and got some interesting replies like this one:
    "I've recently noticed this as well. I use rogers DNS as a secondary dns and 4.2.2.1 as my primary. Either way 30 seconds after seeing this I got annoyed and in Firefox 3 typed in...
    "about:config" in the address bar, accepted the "This will void warranty" message and proceeded to type in "browser.search.search" into the filter bar
    you should see "browser.search.searchEnginesURL" come up after typing it, all i did was replaced the default value to "www.google.com" and instantly every time i type something in it will goto google instead wooo!!!"
    read more at - http://www.dslreports.com/forum/remark,20813296

  9. Been done before by Anonymous Coward · · Score: 2, Interesting

    EarthLink has been doing this for years. They have a workaround using "unsupported" servers that maintains real DNS behavior.

    http://blogs.earthlink.net/2006/09/more_info_on_dead_domain_handl.php

  10. Fantastic. by fuzzyfuzzyfungus · · Score: 3, Insightful

    Let me guess... They either already have, or soon will in a pitiful pretense of response to criticism, offer some sort of insanely weak opt-out mechanism.

    I'm guessing one of two things:
    Manually configure alternate DNS servers on a per device basis (a la Verizon's current setup, may they be thrice cursed)
    or:
    Something involving cookies, a la Phorm and friends.

    For things like this, opt-out just isn't good enough.

    1. Re:Fantastic. by fuzzyfuzzyfungus · · Score: 2, Insightful

      Oh, I agree, this one isn't hard to dodge, if one has even a modicum of skill; and I doubt that it ever will be harder than that, since the ISP probably doesn't make all that much money, per user, on this and thus has fairly limited motivation to piss enough people off to spark scrutiny, or even just spend money tightening the noose.

      That said, I think that this one is a good example of the unpleasant fact that control doesn't actually have to be very good in order to have its effect (great firewall is perhaps the iconic example). This only gets worse when you consider that any given individual faces dozens to hundreds of impositions of this flavor, each requiring just a little bit of some flavor of knowledge and attention (different ones in different places, though. This one needs a dash of DNS-foo, something inscrutable involving credit cards will require a dash of knowledge of credit law tomorrow, the day after that it'll be something from the phone company about subscriber private information, and so on and so forth). In each individual case, there is arguably a decision being made; but the overall effect is a pretty sad mockery of the notion of choice.

  11. PaxFire by Effugas · · Score: 5, Insightful

    [This is Dan Kaminsky]

    I took a look at what Rogers is doing. They're using PaxFire, who indeed was directly vulnerable to the attacks I described at Toorcon a few months ago. PaxFire fixed their stuff up, but yes, the security of the web at Rogers is limited to the security of those ad servers at PaxFire.

  12. The Verizon Annoyance... by flajann · · Score: 3, Informative
    You can "opt out" of the Verizon annoyance by modifying your DNS address by adding "2" to the last octet.

    I've had to do this, and it works. No annoying Verizon snatching my failed DNS lookups!

    Of course, if you try to get this out of their so-called "tech support", they will not know what you're asking for until you manage to get down to tier 2 or 3 or so. Amazing as it sounds, tier-one Verizon Fios tech support will glaze over at the mere mention of DNS, and will stupidly keep trying to get you to do inane things with your browser.

    1. Re:The Verizon Annoyance... by code65536 · · Score: 2, Informative

      Unfortunately, this is possible only for their PPPoE users. Customers outside of their northeast service area don't use PPPoE, and it's not possible to change the DNS servers in these non-PPPoE cases with the routers supplied by Verizon. >:(

  13. Add Insight to the list by sokoban · · Score: 3, Insightful

    I guess the thought with the ISPs nowadays is that "everybody else is doing it, why can't we?"

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is the magic number.
    1. Re:Add Insight to the list by sokoban · · Score: 2, Informative

      And my comment was moderated...

      +1 Insightful

      [Rimshot]

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 is the magic number.
  14. Just change DNS Servers. by GNUALMAFUERTE · · Score: 2, Informative

    This is the best way:

    on resolv.conf:

    nameserver 4.2.2.1
    nameserver 4.2.2.2

    If you have a laptop or other device where you might use different connections, this is a good way to make sure your DNSs are not changed by different apps (I might connect using either wvdial or kppp, through EDGE/3G, or using KDE's wlan manager, simple DHCP on ethernet, etc)

    Just set the immutable flag on your resolv.conf file:

    chattr +i /etc/resolv.conf

    If you want to make it writable again run:

    chattr -i /etc/resolv.conf

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
    1. Re:Just change DNS Servers. by mysidia · · Score: 3, Informative

      It is not recommended to set the immutable bit, as it causes issues in various situations (like restoring /etc from a backup). Failure to write to an immutable file is an API issue unique to Linux boxes that use ext2fs or ext3fs. Systems that run ReiserFS, XFS, or jfs, don't have this bug.

      Future versions of DHCPD/Ifplug, or the C library, may very well properly detect the 'immutable' bit and clear it, before writing, then re-set the bit after finishing.

      Just like they do if you're root and try to write to a file that exists with mode 444.

      Essentially, immutable bit was historically a half-baked feature intended to be used with 'securelevel'.

      The concept is you are able to mark important system files immutable, and then raise the securelevel. Once the securelevel is raised, the filesystem will not allow important system files to be changed without booting in single user mode.

      The removal of securelevel from the kernel in 2.4.x likely means that the days of the 'immutable' bit are numbered as well. Some day you may upgrade your kernel, and be surprised to find out immutable doesn't do anything anymore.

      The reliable way to turn off gathering of DNS settings from DHCP is to use distro-specific instructions.

      For example, in Redhat-based distros you edit /etc/sysconfig/network and specify "PEERDNS=no"

      Of course, now that you understand the risk that the immutable bit may stop working for you unexpectedly later, you can go ahead and try setting it anyways... because it's easy, and simpler than configuring your network software the right way.

  15. Re:Run your own by superphreak · · Score: 3, Informative
    --
    Evolution is a state-sponsored, state-protected religion.
  16. Re:Run your own by CustomDesigned · · Score: 3, Informative

    opendns.com does the very mangling I want to avoid and calls it a feature. At least they tell you they are doing it, and use it for stuff that could benefit end users (filtering allowed site names) as well as their own advertising. But it doesn't solve the problem. It is just a more "open" and up front version of the problem.

  17. Re:Run your own by m0i · · Score: 2, Informative

    opendns.com does the very mangling I want to avoid and calls it a feature. At least they tell you they are doing it, and use it for stuff that could benefit end users (filtering allowed site names) as well as their own advertising. But it doesn't solve the problem. It is just a more "open" and up front version of the problem.

    Just turn it off (feature called 'typo correction') and you have a rock solid/bug fixed open dns :)

    --
    have you been defaced today?
  18. Re:Rogers are Scum by s7uar7 · · Score: 2, Funny

    I'd switch back if I was you, they seem to be replacing proportional fonts with fixed-width.

  19. Solution by Cassini2 · · Score: 2, Interesting

    At the risk of replying to my own question, if you are running DNSMasq on your router, you can use the command:

    bogus-nxdomain=64.94.110.11

    To block any given IP address, and thus override Rogers' override. This works to prevent Rogers from displaying its search page, no matter what URL you enter.
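
The two things this thread keeps coming back to are telling a genuine NXDOMAIN apart from a resolver that answers anyway (tgx's `host aoeuidhtns.com` output above, with and without 208.67.222.222), and undoing that answer locally the way Cassini2's `bogus-nxdomain=64.94.110.11` line does in dnsmasq. The following is an added example, not code from the thread, from Rogers, PaxFire, OpenDNS or dnsmasq: it encodes and decodes just enough DNS wire format to classify a response and to rewrite an answer containing a listed IP into NXDOMAIN. The sample responses are constructed inline; the only addresses used are the two quoted in the thread (208.69.34.132 and 64.94.110.11), and the probe-name idea (a random label that cannot exist) is an assumption of the example.

```python
# Added example, not code from the Slashdot thread, Rogers, PaxFire, OpenDNS
# or dnsmasq. Minimal DNS wire-format encode/decode used to (1) tell a genuine
# NXDOMAIN apart from a NOERROR answer for a name that cannot exist and
# (2) rewrite an answer that points at a known search-page IP into NXDOMAIN,
# which is what dnsmasq's bogus-nxdomain option does. Samples are constructed.
import random
import socket
import struct

QTYPE_A = 1
RCODE_NXDOMAIN = 3
BOGUS_IPS = {"208.69.34.132", "64.94.110.11"}  # search-page IPs quoted in the thread


def encode_name(name):
    """'a.b.c' -> DNS labels (no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end  # resume after first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)


def build_query(name, qid=None):
    """Standard recursive A query for name."""
    qid = random.randrange(65536) if qid is None else qid
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)      # RD=1
    return hdr + encode_name(name) + struct.pack("!HH", QTYPE_A, 1)


def build_response(qid, name, rcode, a_records=()):
    """Constructed response to an A query; a_records are dotted IPv4 strings."""
    hdr = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    msg = hdr + encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    for ip in a_records:                          # owner = pointer to question name
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4)
        msg += socket.inet_aton(ip)
    return msg


def parse_response(msg):
    """Return id, rcode, question name and the A records in the answer section."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                      # skip QTYPE, QCLASS
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((rname, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "qname": qname, "a": answers}


def classify(msg, probe_name=None):
    """'nxdomain', 'hijacked' or 'resolved'. probe_name is a name we generated
    from random characters, so any A answer for it is a resolver rewrite."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    ips = {ip for _, ip in r["a"]}
    if ips & BOGUS_IPS or (probe_name and r["qname"] == probe_name and ips):
        return "hijacked"
    return "resolved"


def rewrite_bogus(msg, bogus_ips=BOGUS_IPS):
    """Emulate dnsmasq bogus-nxdomain: an answer containing a listed IP is
    replaced by an NXDOMAIN response with the same id and question."""
    r = parse_response(msg)
    if any(ip in bogus_ips for _, ip in r["a"]):
        return build_response(r["id"], r["qname"], RCODE_NXDOMAIN)
    return msg


def random_probe_name(zone="com"):
    """A label that does not exist, for probing a live resolver."""
    label = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
    return f"{label}.{zone}"


# Constructed samples: the two answers the thread shows for aoeuidhtns.com.
HONEST = build_response(0x1234, "aoeuidhtns.com", RCODE_NXDOMAIN)
HIJACKED = build_response(0x1234, "aoeuidhtns.com", 0, ["208.69.34.132"])

if __name__ == "__main__":
    print(classify(HONEST, "aoeuidhtns.com"), classify(HIJACKED, "aoeuidhtns.com"))
    print(parse_response(rewrite_bogus(HIJACKED)))
```

To check a live resolver, send `build_query(random_probe_name())` over UDP to port 53 of the server and hand the reply, together with the same name, to `classify()`; a NOERROR answer for a name you just made up is the hijack, whatever IP it carries. `rewrite_bogus()` is the filtering step a local forwarder applies before returning answers to clients, and like dnsmasq's option it only matches the exact IPs you list, so it does nothing against a resolver that rewrites answers for names that do exist, as Holmwood describes above, or one that rotates its search-page addresses.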