Slashdot Mirror
New Jersey's Cablevision Hijacks DNS Error Pages
Selikoff writes "I just noticed Cablevision's Optimum Online service has begun hijacking DNS Error pages with, you guessed it, ad-supported results. Aside from hurting the underlying stability of the Internet, there have been instances where hackers have used such tools against customers. I know Road Runner customers have had to deal with this for a couple months now, although at least they have an outlet to turn it off." Update: 09/30 13:18 GMT by T : Note, as several readers have pointed out, this hijacking is of DNS errors rather than 404 errors as originally presented.
Even on slashdot, we have people who don't know a DNS error (and yes, TFA gets it right) from a 404 (which can't be hijacked without modifying the stream itself)
I was actually scared that they were doing DPI for a minute, then I realized the OP just didn't know what they're talking about.
They probably use a transparent web proxy between the user PC and the web server.
When the web server sends a standard 404 error page, it goes via the proxy which puts its page in place of it.
Gentoo Linux - another day, another USE flag.
The Cablevision and Road Runner services both only hijack DNS no-such-domain errors, not HTTP 404s. Neither is a good thing, but hijacking DNS is much less insidious than the deep-packet inspection or mandatory proxying required to hijack 404 errors.
This sig is certified free of self-referential humour!
New Jersey's Cablevision Hijacks 404 Error Pages
No, they didn't.
If the submitter had read the summary, they would know that it's DNS errors that are being hijacked, not 404s.
It's an important difference - 404 means that they are transparently proxying your connections, which can cause problems with various sites (and that they are recording every URL you visit.)
For example: http://slashdot.org/akasjdflkasdjfl;kajsdl;aksdjfkdjkfdjlkjsdf would not be affected by this, whereas http://sslashhdot.org/ would.
Is it *too* much to ask that a technical news site present technical articles correctly?
It's not a 404 page that's getting hijacked. It's DNS resolution failures.
It's a pretty big difference.
What exactly does "Hijacks 404 Error Pages" mean? Does it mean error pages were hijacked 404 times? It certainly does not mean what the headline implied (to me). Even a cursory glance at TFA makes that clear.
How about the editors actually read the article and correct glaring mistakes for a change? Even before this made it out of the Firehose, there were responses that it was DNS failures and not 404 messages.
The blue screen of russian women 4 U? BSORW4U!
or
Buy Vi4GR@ now! By the way: Syntax error.
"Kill 'em all and let Root sort 'em out"
Don't use your ISP's DNS servers.
Find another public server or run your own.
Corrrect me if i'm wrong but the domain does not exist error page isn't a 404 error right? I thought 404 was the error for when a web server couldn't find the page you requested for it, not for the dns error.
when i first read TFS I thought, wth? what if i have a custom 404 page on my website?
I actually had to RTFA to figure out if they were honest to god hijacking web servers 404 pages.
thankfully it seems they are not.
They're returning adverts for failed DNS lookups, not 404 pages, as others have helpfully pointed out.
How about a script that hammers suitably random fake domain names continuously (different ones every time)? If the scammers^W advertisers are paying per impression this will majorly hurt their pockets.
http://www.optimum.net/DNSRedirect/DoOptOut
We started seeing this with Charter in the midwest. Not the 404 errors, but with invalid domain names. The biggest problem for us has been with our VPN software. When our employees are working from home, Charter always returns a valid IP for our internal DNS zones so the DNS lookups are never forwarded over the VPN.
I hope their additional advertising revenue makes up for the lost customers.
ÕÕ
I just redirected my DNS queries to OpenDNS, mostly because of the content/phishing filtering they offer but also some of the statistics on my connection. They make their money, or propose to, by doing this very thing... redirecting Domain Not Found error messages to ad supported pages.
This post brought to you by your friendly neighborhood MBA.
I'm glad someone pointed this out.
I opted out of roadrunner's "feature" and I just opted out of this new cablevision "feature".
Why can't these companies leave well-enough alone? I pay for this internet connection- I don't see why they need to skim extra money off the top with advertising revenue.
Pfft. As if it wasn't enough that network advertisements on Fox take up 25% of the screen when I'm watching House!
The DNS error hijacking, that is. I was going to consider switching to Charter, but I see someone has posted that they've started doing this as well.
Are there any free DNS services out there that happily return valid results instead of redirecting you?
I'm not sure if they've stopped, but it was a fucking disaster for us. My company's sites and our self-hosted DNS are colo-ed with frontier, and they had a network failure not too long ago. When people tried to get to our sites, they were redirected to their crap search page. Seriously, EPIC FAIL! That wasn't acceptable at all.
This sort of behavior just isn't okay anywhere... some business people really should be bonked on the head for implementing this anywhere.
"Why should I be content to simply live in this world, when I, as a human being, can CREATE it?" - Oertel
Sorry about the 404/DNS mistake, I tried correcting it shortly after submitting the story but the Firehose missed my comment!
I love it when an editor or story writer makes a technical error on /. You can actually hear the simultaneous erections of a thousand anal-retentive techies, each typing as fast as they can without even bothering to check if their fellow anal-retentives hadn't already pointed the same thing out in dozens of posts. It's the best sexual gratification most of them are going to get all day.
SJW: Someone who has run out of real oppression, and has to fake it.
See my post above and the others below. They are not hijacking 404s. They are hijacking DNS errors, same as earthlink et al have been doing forever.
Hey, let's not be too quick to judge here. Sometimes I do look for sex entertainment phentermine college click here now rolex and I'm glad at least one ISP understands that.
http://www.opendns.com/
However this does not solve it for less technical people as they would have no idea what is going on, would have no idea how to solve it and perhaps have not even a clue that there is a problem and that they typed in something wrong.
If I were looking for nekid ladies, this might be help full. If I try to contact my bank it isn't. It could even be dangerous if things I were looking for is something similar to what I get presented as advertisement.
Don't fight for your country, if your country does not fight for you.
This is no different than if Burger King squatted the domain for McDonadls.com (see the typo) and sent traffic to their site instead.
Here's one way to tackle this. If I'm a local business owner in an area served by Cablevision, I would complain to the local utility commission to have Cablevision's franchise dissolved and then file suit against Cablevision if someone tried to go to my company's web site, misspelled the name by one letter and was referred to my competitors through their advertising system.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
How can this hurt the underlying stability of the internet??
Aside from hurting the underlying stability of the Internet, there have been instances where hackers have used such tools against customers.
Yet the page linked in the above statement just details how a security researcher came up with a proof of concept that was specific to a different companies implementation of the same idea.
I dont read
If they hijack my request for a text-only site, and I pay for bandwidth or overuse, do I pay for the graphical ads they attack me with?
I think this question alone is enough cause to call any such modification/hijacking illegal.
dnsmasq has an option to reverse the effect of this sort of thing.
It runs nicely on OpenWRT.
Or you could use maradns instead, and avoid all present and future problems with your ISP's caching DNS servers..
Quite simple: run a mailserver, then use these type of DNS servers. In a few days, you'll have so much mail that doesn't get accepted by xxx.xxx.xxx.xxx (your provider's DNS) that it might fill your storage. Then 7 days later (instead of a few hours later) the e-mail gets sent back with the message that the other server doesn't accept the mail (instead of saying that the domain doesn't exist) after being retried hundreds of times eating up valuable bandwidth and processing time. Then if your end-user isn't smart enough, he'll retry sending it, not noticing he has a typo in his address book, because after all, the other e-mail server DOES exist.
Custom electronics and digital signage for your business: www.evcircuits.com
My employer's ISP (that is - the one that provides service to our office, as opposed to that which has our telehoused machines), a company called Tiscali do this.
This is fairly ironic. We're a domain registry, and we make most of our income on non-existent DNS names, via simple parking pages. You do understand parking don't you?
Dot TK - Renaming the Internet
... and today's pet project has
Rogers Cable high-speed internet has been doing that for the past couple months now too. URL typos get redirected to their own search.rogers.yahoo.com or something like that, disabling toolbar search functions in browsers.
The kicker is that I also think they're actively blocking access to other search engines periodically in order to increase usage of their own. www.Google.com will sometimes time-out while trying to load, but works fine when accessed through Dogpile meta-search.
Since I've moved off of Rogers already, I can't do more experiments to test, but if anyone else is on it, I suggest you keep an eye out.
Easy solution, use OpenDNS.
Oh wait, they also do that.
80 CC D8 AF AE D3 AB 54 B7 2E CE 67 C7
Do you have any idea the number of tech calls 404 pages generate. A lot.
So those that this bothers use 4.2.2.2 or set up your own DNS server. To the rest of those a page saying your site was not found and some alternate links is probably a good idea.
But hey that's my 2 cents worth I could be wrong.
Glen
Linux modi 2.6.26-2-parisc
Um... you /do/ realize that openDNS does the exact same thing, don't you?
Okay, just checking.
i think this is the third story on an ISP catching DNS errors :-(. Even the follow-ups seem to be similar.
Personally, my only surprise was when i learned how much money an ISP can make by selling Ads on error landing pages.
Regards, Martin
Earthlink does this in Houston. It has caused me lots of problems with VPN.
A lot of ISPs do this. Many of them recommend simply finding a new DNS host, others provide an option to turn it off (eg. Road Runner, the only broadband ISP in my area)
We don't have many decent alternatives here in Canada. It's either Bell or Rogers. You could pick a small ISP of course, but you'd still be using Bell or Rogers because the two of them rent the bandwidth to all the rest (leaving you stuck with all the same problems as before, such as traffic shaping).
But, I guess if you live out west you'll have the third option of Telus, who isn't much better than Bell or Rogers.
The problem is that there is no reason to assume that just because a machine is making a DNS query it intends opening a TCP connection to port 80 (or 443).
Even if the hostname starts with www ?
And, the reverse that others have mentioned.
If you use a DNS blocking list (DNSBL) for e-mail, you will stop receiving any e-mail, because every lookup will always return a "found", and DNSBLs work by returning NXDOMAIN if the site isn't listed, and returning an IP address if it is.
I know that my DSL provider, Cavalier Telephone has been doing this for years. I called their technical support, and of course they had no idea what I was talking about. After emailing one of their tech guys, they suggested I set my computer to use someone else's DNS. IMHO, this is a network neutrality violation and the FCC should be investigating this. I said that much in my thank-you letter for their ruling against Comcast.
It would not surprise me to find out that this is becoming the norm, rather than the exception.
I had this happen once. I use my own DNS server, but I had just moved and was trying to get my new connection up and running. I had typo'd a few things and it kept taking me to these type of adpages. It certainly put me in a bit of a panic thinking I had somehow picked up a browser hijack (very disturbing since the initial box I noticed it on was a Linux box). After some tinkering I realized that all of the typos were resolving to the same IP and only when my ISPs DNS servers were involved.
I am actually not entirely convinced that it was my ISPs DNS servers specifically doing it and not someone upstream of them. They are a small very knowledgable and geeky ISP and are very *nix friendly so I would be a tad surprised by that kind of behavior. (I called once asking for my static IP to be reversed to my own domain expecting a big hastle and a "no" and they did it without batting an eye.)
The only change I can believe in is what I find in my couch cushions.
they first couple of levels of support people in these ISP's do not know networking is and/or are forced to read from scripts. It can take hours to get to the level of support where they not only know what you are talking about but can also throw the switch to turn off the DNS hijacking.
So having a switch is still not easy when you can't just go to your settings page and turn it off yourself.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
This is one of the very reasons I started using OpenDNS, beside the fact it can filter out other garbage.
http://www.opendns.com/
Earthlink also uses a DNS error spam page rather than a real DNS not found error. Very, very lame.
They do have a (little known) method for bypassing this, details here:
http://kb.earthlink.net/case.asp?article=187117
Basically they give you the IP of a non-fucked DNS server, which you can then program into your router, computer etc.
Tired of Political Trolls? Opt Out!
Internet Explorer does a very similar thing. We all know how to get around it. Whats your point?
This Should be able to fix it. I learned of Open DNS when I was at school and had to deal with routine DNS Server issues. Nobody would be able to do anything of much use online but I noticed that services I was already connected to would work without a problem. It turned out the DNS server's would go down fairly often.
I have road runner service and would really like to turn those damn pages off. Any tips on how to do so would be much appreciated.
Verizon (now FairPoint Communications in these parts) does it too. http://wwwwz.websearch.verizon.net/search?qo=blahblahblah&rn=S6ORMW8T2m7rGJi&rg= That's where you end up if you try to go to an invalid domain name. (Replace 'blahblahblah' with whatever)
Friend: "The NIC is misconfigured..." Me: "No prob, I'll just telnet in and fix it." *Silence*
Rogers in Canada is one who does that, then forges a search page for your convenience (;-))
Worse, they do the same for many valid .ca and .org sites.
--dave
davecb@spamcop.net
There is another alternative to OpenDNS called the Cesidian Root.They have a free DNS service and no hijacking or funny business.Also, you'll be able to access more names than a standard ISP provided DNS service.
Check them out here http://cesidianroot.net/
"I'd rather have a bottle in front of me than have to have a frontal lobotomy."
they would know that it's DNS errors that are being hijacked, not 404s.
Don't use their terminology. They're not DNS errors, they're a class of DNS responses.
Calling them errors helps Cablevision support their practices.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Presumably on a PC with Internet Explorer, it looks just like the regular page does, which makes me wonder why they'd even bother to do it in the first place. I don't see any ads nor any information that's any more helpful than the default error page for IE.
Did they only do that specifically so that it would screw up DNS lookups? For laughs? Were they bored one day?
http://search.suddenlink.net/prefs.php
While i love FIOS's service (that is until the day they decide to cap/throttle and fuck over the customer)...
Verizon is doing this as well on FIOS. Everytime you put in a bad address in a browser window, Verizon's google like page shows up suggesting things.
This kind of scares me. I'm not sure how far they will take this idea. What if they start filtering domains from users so they cant get to them, and suggest others... or perhaps an ISP's own service or partner service? That sounds scary.
Kaminsky demonstrated the vulnerability by finding a way to insert a YouTube video from 80s pop star Rick Astley into Facebook and PayPal domains.
Ryan, Ryan, old buddy, old pal... Haven't you ever heard of the term rickroll?!?!?! Even an old fuddy-duddy such as myself, is familiar with the concept. Here's a Wikipedia entry to get you started: http://en.wikipedia.org/wiki/Rickrolling. Please study up before writing your next Wired article. There will be a pop quiz.
I have the same problems, but it normally appears when I try and go to a site by just typing part of the URL into Firefox and expecting it to find the rest. Really need to change ISP... and luckily I live in a country where that's feasible.
1. Register Domain name but point it nowhere
2. Copyright said domain name
3. Sue ISP for Copyright infringement, for them displaying THEIR content using YOUR copyrighted name instead of your registered non-content
4. Profit!
Support TBI Research: http://www.raisinhope.org
http://redirect.uscable.net/index.php?origURL=http://badlinkherea.com/ Ad supported garbage. "Website Suggestions" Powered by Yahoo search.
broadbandsupport.net nameservers are also doing this. I thought I had malware when I accidentally typed updates.microsoft.com (it's only cingular update.microsoft.com) and it redirected me to an information.com site.
Took some digging to figure out WTF. After that I switched to opendns. At least I get some phishiing/adware blocking with my advertisements for url errors.
It's broken DNS to make money off typos without having to domain squat. Hell they can squat a non existent record on an already purchased domain. It is also completely opt-in. You can even brand your error page with a jpg image of your own.
DNS purists need not apply. It does allow for some screwing around on their part if they wanted to. It also prevents you from resolving fastflux.uberhackers.net. However content filtering does requiring proxy-ing of your connection for some sites ostensibly for some security reason.
You get what you pay for... Try opendns, dyndns. I've been a happy customer of the latter for years. It makse a slow IPS fly, just by eliminating an ISP's DNS bottleneck, which is too tempting for Marketing. I also use private DNS on the road; it helps with hotel/airport ISPs as well.
Quite simple: run a mailserver, then use these type of DNS servers.
No thanks :)
Then 7 days later (instead of a few hours later) the e-mail gets sent back with the message that the other server doesn't accept the mail (instead of saying that the domain doesn't exist)
Why? Surely the sending mail server should first query the MX record for the domain it wants to send to and then do an A record lookup on the name of the machine this returns. Do they spoof MX records as well as there seems very little point in doing this to show people a pretty web page. If they are spoofing MX records this is far more annoying but I have not found any evidence that this is so. If you have some can you post the links?
As an aside this sort of DNS spoofing (A and AAAA records only) can be really useful. We used to a use a similar method to spoof doubleclick and similar ad sites so they could not track any users from within our network in a community project I was involved in. It mapped all DNS requests for known ad farm sites to a local machine that just served up a picture of spam to all requests. This also saved us bandwidth back in the days when this was at premium as we were only on an 64K ISDN connection. We also provided a non-spoofing DNS server to people who asked us but most people were happy at not having to wait for adverts on a page to load from a remote server.
I dont read
Yes, www doesn't mean anything.
So here's another more sophisticated heuristic: On a residential Internet connection, a DNS request for nonexistent something.or.other followed within three seconds by a request from the same IP for www.something.or.other is more likely than not a web browser trying to resolve a hand-keyed hostname.
I live in Sao Paulo, Brazil, and some ISPs here also hijack failed DNS queries. The main problem with that behaviour is that not all internet traffic is HTTP. For example, if you are trying an SSH connection and you input an invalid domain, you don't get the "no dns entry" response, but a valid IP address - which is not the one you're looking for, and that probably won't accept your connection. You won't get a "no dns entry" error, but a "server actively refused the connection", which is incorrect and might cause you to lose an hour or two trying to figure out what is wrong: a simple misspell. Or even worse: the server might even accept your connection and give you an authentication error. Internet service protocols exist for a reason. Simply ignoring them to "help users" will actually do much more harm than good.
Missed this when it was posted, but NY is now also affected. I've called repeatedly and spread the word to opt-out. Posted on my blog as well: http://ineedattention.com/technology/computers/2008/10/03/optimum-online-offering-dns-hijacking-service/ We can't let them get away with this.
Does anyone know if along with their redirect they are also blocking DNS quires to the root servers? I am running BIND 9 in my house and using that for all my DNS queries. I was away last week traveling and when I returned my DNS server couldn't query any of the root servers. The server isn't exposed to the Internet but is strictly used internally to support Kerberos running on the same box. It would really blow if they've also put a stranglehold on local DNS servers. Why in the hell would they do something like that? Anyone else experiencing this?
RFC 2821 sec. 5 clearly states that:
SMTP clients must look up for an MX record;
if no MX record for domain is present, look up for an A RR record, and if such record is present, treat is as an MX record;
if an MX record is present, clients MUST NOT use an A RR record.
Custom electronics and digital signage for your business: www.evcircuits.com