Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dealing With ISPs That Use NXDomain Redirection?

Posted by timothy on from the looking-at-you-charter dept.

Vrtigo1 writes "I work for a small company that has about 50 staff on the road relying on VPN back to our office at any given time. Many ISPs have implemented NXDomain redirection services that hijack DNS traffic to show you sponsored links and other related ads when you mistype a domain name. These services are incompatible with most VPN software, since they prevent the computer from resolving internal hostnames. Large ISPs typically provide an opt-out on their sponsored links page that immediately opts you out of the DNS redirection, but I've noticed that some smaller ISPs and CLECs have opt-out links that don't actually appear to do anything. I don't have a good solution for employees using these ISPs, and our employees are getting frustrated because the problem is becoming more prevalent and we can't fix it for them. I've tried calling a few of these smaller ISPs for help, but it's been like talking to a wall. Manually changing DNS servers works temporarily, but the user can't resolve internal hostnames when they connect to the office LAN again. Have you had to deal with ISPs using non-standard DNS servers? What is your solution?"

48 of 264 comments (clear)

  1. This is an easy one. by snarfies · · Score: 4, Insightful

    If the small local ISP is screwing up, and refuses to respond in any useful way despite your best repeated efforts, it sounds like its time to take your business elsewhere, maybe to one of those large ISPs you mentioned. And make sure you tell them WHY. Who know, maybe the threat alone will be enough to get them to make a sudden change in policy for you, with a month or two of free service to boot.

    1. Re:This is an easy one. by internerdj · · Score: 4, Insightful

      This guy sounds like a manager or IT worker who is having problems with his employees connecting to the work VPN. He isn't the one paying the bill(directly at least), so he doesn't even have the clout of a paying customer...

    2. Re:This is an easy one. by TheLink · · Score: 5, Insightful

      Actually, the VPN config is insecure (screwed up?) - when you are using the VPN the DNS requests should be going through the VPN tunnel, and not in plaintext to the ISP.

      --
    3. Re:This is an easy one. by hey · · Score: 2, Informative

      Good point. They should thank the ISP for this alert.

    4. Re:This is an easy one. by IceCreamGuy · · Score: 4, Informative
      You are referring to what is known as "Split Tunneling;" which is a legitimate, albeit less secure, VPN configuration. Basically when split tunneling is enabled the client workstation's default gateway is still it's local gateway and DNS requests get routed by the client to the appropriate DNS server, whereas in a non-split tunnel the default gateway is the remote gateway (which obviously has no way of routing to the local network) and all DNS requests go encrypted through that. There are several reasons someone would want to do this:
      • You need people to access their local printers/network resources and don't have some kind of pass-through ability
      • You have limited bandwidth at your remote site and cannot handle the Internet usage that would be NATed through
      • Your gateway does not support NAT on VPN tunnels and your clients need Internet access
      • You don't realize what you're doing

      Either way, what I do when I have some kind of weird situation where a user needs to change their TCP/IP config routinely is just put a couple shortcuts with pretty icons on their desktop that point to batch scripts that run a netsh script. You should be able to completely change an IP configuration on a Windows box with this utility, the user just runs "home.bat" when they're home and then "office.bat" when in the office. A Google for "netsh exec" should give enough info to get started.

  2. Provide your own DNS? by QuantumRiff · · Score: 5, Informative

    Last time I setup a VPN, was with a Cisco PIX firewall, (its been awhile) but there was a spot to specify which DNS servers to use when connected to the VPN. I had specified that when connected, they would use our DNS, since they otherwise couldn't resolve \\file-server\share or whatever..

    --

    What are we going to do tonight Brain?
    1. Re:Provide your own DNS? by nine-times · · Score: 5, Informative

      Yeah, honestly I'm a little confused by the question. If you want to use DNS to connect to internal servers via VPN, then don't you want to route your DNS traffic through the tunnel to use internal DNS servers? And once you're doing that, how could the ISP possibly hijack that DNS traffic? It's encrypted.

    2. Re:Provide your own DNS? by Bandman · · Score: 5, Insightful

      You're right. It all boils down to misconfigured VPN

      --
      Check out my sysadmin blog!
  3. Change VPN settings . . . by val123456 · · Score: 5, Insightful

    to force use of internal DNS servers while connected.

    Done.

    1. Re:Change VPN settings . . . by KevMar · · Score: 2, Insightful

      I guess I did not know there was an option not to use the internal servers.

      Our unit has its own domain and dns servers. The zone does get replicated to the central dns servers, but we have to use the Fully Qualified Domain Name of our servers when on computers outside our unit.

      Have the users try the full name of the server and see if that helps.

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    2. Re:Change VPN settings . . . by Vrtigo1 · · Score: 2, Insightful

      We do configure internal DNS servers on the VPN profile (obviously), but we also split-tunnel since we don't want to push all traffic over the VPN (only traffic destined for the internal LAN). If you do an ipconfig/all, it lists both the ISP and internal DNS servers. Normally this works fine because the ISP's DNS server will return an invalid hostname response and the client will query the internal DNS server.

  4. Use Full Tunnels by Bandman · · Score: 5, Informative

    If you're splitting your connection between a VPN tunnel and a non-VPN protected internet connection, you're a security risk to your infrastructure.

    Have your administrator configure full tunnel support where ALL of your traffic goes through the encrypted tunnel. That solves a security problem AND it fixes your DNS problem because you don't use your local internet provider's DNS servers.

    --
    Check out my sysadmin blog!
    1. Re:Use Full Tunnels by L0stm4n · · Score: 5, Informative

      This is called split tunneling. If he disables split tunneling and specifies the DNS servers in the VPN config his problems would go away.

      His users however would tunnel all their traffic through the corporate lan while connected so you may need to setup some kind of filtering or route the traffic through whatever filters you already have. Otherwise these remote workers in hotel rooms will be pulling buckets-o-pr0n through your corp network.

      --
      superman runs linux
    2. Re:Use Full Tunnels by Bandman · · Score: 2, Informative

      But that's only a problem when they're connected to the VPN. Don't surf porn while on the VPN, don't get fired. Win/Win

      Just disconnect to download your porn and you're good.

      --
      Check out my sysadmin blog!
    3. Re:Use Full Tunnels by oolon · · Score: 2, Insightful

      The down side of this is people cannot use their local printers/file servers. I find it really annoying having to reverse tunnel out of corporate VPNs to get access to my local systems. Clearly as others have said any VPN client should change the DNS settings to use the internal DNS before any external one, I didn't know some didn't.

  5. Split-horizon DNS by Dishwasha · · Score: 3, Informative

    http://en.wikipedia.org/wiki/Split-horizon_DNS

  6. Stop filtering your DNS, or run a local cache. by mellon · · Score: 3, Insightful

    What's the benefit of blocking your internal DNS? You're firewalled off, or they wouldn't need the VPN. What's going on here is that you're doing something broken - you must have some kind of NXDOMAIN redirector running on the remote machine, and the ISP is doing something wrong, because its NXDOMAIN redirector is fooling your NXDOMAIN redirector. If you just follow the standards, the fact that they have a broken NXDOMAIN redirector wouldn't affect you.

    Another option is to set up a DNS resolver that's reachable from outside your network, and also inside your network, but only answers for your internal names if the query comes from inside. Then configure all your VPN machines to always use that nameserver, and not use your ISP's nameserver.

    Even if your ISP filters DNS and answers in place of your nameserver, you're okay, because as soon as the VPN is set up, all the queries will go across the VPN (since this server is on your local network). At that point you'll start getting answers for local domains because now the query is coming from a local (VPN) IP address.

    This second solution is a bit more work, and of course being a DNS geek I'm biased toward just doing the right thing in the first place, so I recommend just opening up your DNS, but either way ought to work.

  7. What small ISPs? by bzzfzz · · Score: 5, Funny

    There are still small ISPs left where you live?

  8. Mod parents up by adolf · · Score: 4, Funny

    Mod parents up, please.

    And then we can all go home. This is an easy problem to solve once you see it from the right angle, and that angle is described above.

    --
    Kid-proof tablet..
  9. Re:4.2.2.1 by afidel · · Score: 2, Insightful

    Level 3's resolvers were VERY slow earlier this week, to the point where our IDS system noticed it. I've generally been glad to use them when an ISP screws up their DNS but it IS a free service and you can't expect great performance from it for that reason.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  10. could someone explain what the issue is here? by goombah99 · · Score: 5, Informative

    This guy sounds like a manager or IT worker who is having problems with his employees connecting to the work VPN.

    it sounds more like he has not stated the problem correctly.

    how is it possible that a VPN connection is doing DNS to an external name server? Should not every internet request flow over the vpn from the client to the server. once it reaches the internal vpn server the server should know how to route the internal addresses and for external addresses it could use an external domain name server. the problem described seems like it should not exist. what am I missing?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:could someone explain what the issue is here? by omnichad · · Score: 4, Insightful

      Unless it's set to send ALL traffic over the VPN, you have to resolve the hostname in order to decide if the DNS name is on the VPN or on the Internet.

      Even if all traffic goes down the VPN wire, it's probably making those requests to the same DNS servers OVER the VPN. Bust since it's still the same DNS servers, it still gets the same results.

      The IT guy would have to intercept all DNS requests over the VPN and proxy them to his own DNS server. That's not a bad answer. Too bad I'm buried in the middle of this thread.

    2. Re:could someone explain what the issue is here? by omnichad · · Score: 2, Insightful

      Putting your internal server records in public DNS is a security risk, since it exposes details of the internal network layout. I guess the best answer is to use any reliable DNS server out on the Internet that *doesn't* mangle its results. 4.2.2.1 or another major ISP's DNS servers.

    3. Re:could someone explain what the issue is here? by pthisis · · Score: 4, Insightful

      Some VPNs only route traffic meant for certain destinations through the VPN as one network interface and allow traffic to the public Internet use the actual established connection.

      They should be checking the internal DNS servers first (which should not promulgate requests up to public servers), and then the public servers.

      Doing in the other order sends internal information (server names) over the public network.

      --
      rage, rage against the dying of the light
    4. Re:could someone explain what the issue is here? by omnichad · · Score: 3, Informative

      OpenDNS has NXDOMAIN redirects too. You'd have to work only from static IP addresses that are configured with an OpenDNS Account.

    5. Re:could someone explain what the issue is here? by Intron · · Score: 5, Informative

      Depends on the VPN setup. I don't want my VPN clients sending all of their web browsing through the VPN and then back out through my firewall. I only want the traffic destined for my internal network. On their end, they should have a route table that sends traffic for me through the VPN and everything else through their normal ISP. I can support a lot more users that way.

      --
      Intron: the portion of DNA which expresses nothing useful.
    6. Re:could someone explain what the issue is here? by Andy+Dodd · · Score: 4, Insightful

      That's a hell of a security risk, having a client connected to both your internal network and external networks simultaneously.

      Every corporate VPN I have ever used has, as part of its function, disabled all network interfaces other than the one it was using once a connection was established. In addition it would prevent any traffic from going through the "normal" connection. The idea was that a machine should never have connectivity to both the internal network and the outside world simultaneously.

      The article poster doesn't need to fix their users' ISPs, they need to fix a horrifically broken and insecure VPN system.

      --
      retrorocket.o not found, launch anyway?
    7. Re:could someone explain what the issue is here? by Sparr0 · · Score: 4, Informative

      I have never seen that enforced, and only twice ever as the default setting. It is a client-side configuration option in most VPN software (Cisco, SecuRemote, most Linux VPN clients).

      You want VPN users to stream video or download game patches or do other non-business-related bandwidth intensive operations over the VPN, when they have a perfectly (ha!) good internet connection locally? I hope you have a REALLY big network pipe.

    8. Re:could someone explain what the issue is here? by mellon · · Score: 5, Insightful

      I'm not sure what your threat model is, but I suspect you are claiming one of two things: either that the VPN node might act as a router, forwarding packets around your firewall, or that the VPN node might be compromised and used as a stepping-stone onto your network.

      In the case of the router vulnerability, this is something that you can control on the corporate side of things by simply not accepting packets down the VPN tunnel that don't come from the IP address that's the far endpoint of that tunnel. I'm not a VPN expert, but I would be surprised if this isn't how your VPN is configured by default.

      In the case of the stepping stone, this is a fairly weak threat model, for two reasons. First, if your machine has been rooted, there's a good chance that it will phone home out through your firewall even if you route all internet access through the VPN. So it will be a stepping stone to your network anyway.

      Second, if your machine has been rooted, and is running any sort of virus platform, it's going to try to infect machines on your network even if it doesn't have a link to the outside world. If you are genuinely concerned about threats originating on employee laptops, you shouldn't allow them to VPN into your network at all.

      So the point is that forcing the VPN'd node to access the internet through your site is probably going to be a big inconvenience for your users (the kind of inconvenience they will hack around, possibly making you even more vulnerable) and it's not going to buy you any meaningful security.

      Firewalls are great for slowing the spread of infection, and raising the cost of attacking you, but you really do need to secure every node as well, and if someone really wants to get past your firewall, and is willing to expend substantial effort to do so, you probably won't stop them without much sterner measures than the one you're advocating.

    9. Re:could someone explain what the issue is here? by networkBoy · · Score: 3, Insightful

      Enforced at my work. In addition we don't allow user's personal machines onto the VPN. Since it's a company notebook on the VPN and all traffic goes through the VPN, we also enforce the internal AUP on remote users using the VPN. That means downloading a game patch will get you a stern talking to, downloading porn or torrents of wares, etc. will get you fired.
      Again, this is all acceptable, because you are on company equipment (even if you are at home). If the case is that employees are being allowed to attach their personal equipment through the VPN to the company's internal network then I really hope you totally trust your employees, because one rogue could catastrophically hose you.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    10. Re:could someone explain what the issue is here? by Sparr0 · · Score: 4, Insightful

      And this is an excellent plan for convincing your users to only connect to the VPN occasionally. Good if you want to maximize security. Bad if you want to maximize productivity.

    11. Re:could someone explain what the issue is here? by sjames · · Score: 2, Interesting

      Machines that connect through a VPN client are only behind your firewall some of the time. They cannot be trusted to be virus free. The firewall needs to keep them, the LAN clients and the servers separate anyway.

      Another point is that if the machine has been infected, that means that the software on it has been altered. The VPN client software is not immune to this. You may THINK split tunneling is disabled, but are you sure?

      There may be other issues as well. If you WANT people to come in through their personal machines after hours, they may well object to having their routing hijacked and their personal internet traffic (during their personal time at home) snooped and limited by a corporate firewall.

      In a related issue, let's just say there are some perfectly legal things employees do on their own time at home that their employer is really better off not knowing about and might prefer not to be connected with.

  11. This is an unethical practice by Jane+Q.+Public · · Score: 2, Insightful

    ... and it should be stopped. Forced to stop if no other approach works.

    Redirecting my web request to somewhere else, as far as I am concerned, is equivalent to re-routing my snail mail to their own office if someone has moved. That is not acceptable. I want a "not at this address" notice, nothing else.

  12. hosts file? by i.r.id10t · · Score: 2, Informative

    A logon script here loads a hosts file that null-routes a lot of known bad (spyware, etc) sites.

    Could you do the same for your internal hosts so that when on the VPN it doesn't even need to do a DNS lookup?

    --
    Don't blame me, I voted for Kodos
  13. Will "bad" ISPs start blocking port 53? by e9th · · Score: 2, Interesting

    Some ISPs already won't let you connect to port 25 on any server that isn't theirs (forcing you to relay outgoing mail through them), ostensibly to prevent zombies from sending spam. The ones that monetize NXDOMAIN could easily do the same for DNS. All they'd need is some flimsy pretext, and maybe not even that.

  14. Re:Uhhh by tthomas48 · · Score: 2, Insightful

    I wonder if the actual problem is this:

    1. User goes to internal site, gets ISP not found page.
    2. User goes "Whoops, need to turn on VPN". Turns on VPN
    3. User hits refresh. Still goes to ISP not found page.

    Is he sure this isn't an issue of just needing the user to close their browsers to clear the browser dns cache?

  15. Your VPN is busted by brunes69 · · Score: 2, Insightful

    The first thing your secure VPN tunnel should be doing is altering the client's DNS profile to only use the DNS servers on the other side of the tunnel. Anything else is totally insecure.

  16. Re:4.2.2.1 by TooMuchToDo · · Score: 2, Interesting

    Level3 is in the process of ACLing off 4.2.2.1 from the world so only downstream transit customers can use it. Google the Outages mailing list.

  17. Re:Open DNS?? by egcagrac0 · · Score: 2, Funny

    What I'd love is my own DNS Server but I can't find one free for XP anywhere...

    I think it's called linux. (Also, see VirtualBox or VMware server).

  18. MOD PARENT UP: Re:could someone explain what th... by HappyDrgn · · Score: 4, Informative

    This is in fact why NXDomain breaks things in the way the poster describes, however, unless you're the kind of employer who wants to see EVERYTHING your subordinates are doing it's not actually the best practice to filter everything through the VPN.

    Filtering everything through their VPN increases overall costs in bandwidth and hardware as Intron indicated. These are very real, very costly expenses that many employers overlook when implementing broad policies... and it's a fantastic point you raised that all too many companies forget.

    Why should my connection to slashdot.org, for example, be secure on the company VPN? My ssh and nfs connections have very real reasons to be secure however!! On the other hand you could fix this by filtering DNS traffic through the VPN, but not web traffic. The cost of DNS traffic is marginal comparatively to other services, but the benefit for companies facing these specific issues is obvious.

  19. Re:The solution is not to use DNS! by Cyrock · · Score: 2, Insightful

    Your external VPN interface should have its own IP address. That is a security best practice. If you are load balancing VPN connections, you should be using a VIP. Changes to VPN server IP addresses won't matter to the client. Using names for IP resolution works great for VPN connections until your DNS get hijacked!

  20. Re:MOD PARENT UP: Re:could someone explain what th by blingingToad · · Score: 2, Informative

    I do not think your ssh connection needs to tunneled through a VPN at all. Ssh is a secure way to transmit and recieve information without a VPN. I suppose you could use a VPN with ssh, but it seems redundant. NFS is another matter, though.

  21. Re:MOD PARENT UP: Re:could someone explain what th by Big+Boss · · Score: 2, Informative

    SSH tunnels get around that without difficulty. If you know the address, it's as simple as assigning local port 2222 to 10.1.0.100:22 and you can now SSH to that machine by connecting to localhost:2222. Get a SOCKS capable SSH client, and you don't need to set up the tunnel for each connection.

  22. Large ISPs (cough, verizon, cough) lie about it? by Medievalist · · Score: 2, Informative

    Large ISPs typically provide an opt-out on their sponsored links page that immediately opts you out of the DNS redirection, but I've noticed that some smaller ISPs and CLECs have opt-out links that don't actually appear to do anything. I don't have a good solution for employees using these ISPs, and our employees are getting frustrated because the problem is becoming more prevalent and we can't fix it for them. I've tried calling a few of these smaller ISPs for help, but it's been like talking to a wall.

    That's not limited to small ISPs. Verizon FiOS, for example:

    "Oh, sure, we will let you opt out - just click on the link that shows your router"
    BROKEN LINK
    Hmmm, guess I will click on a similar router...
    THEY ARE ALL BAD LINKS
    Gee, I guess I will click on the "change OS settings" link then...
    BAD LINK

    Somebody's going to point out that you can Google and find where helpful geeks have posted the instructions to opt-out without Verizon's assistance. But that's not the point, really, is it? Verizon had working opt-out links exactly long enough to get a favorable review in Consumer Reports, and then it all mysteriously broke. I cannot explain this coincidence, personally, you will have to come to your own conclusions.

  23. VPN does not preclude packet filtering by raddan · · Score: 2, Interesting

    In the case of the router vulnerability, this is something that you can control on the corporate side of things by simply not accepting packets down the VPN tunnel that don't come from the IP address that's the far endpoint of that tunnel. I'm not a VPN expert, but I would be surprised if this isn't how your VPN is configured by default.

    You can also filter packets on the receiving end of the VPN. That's how I configured our firewall at work. The VPN tunnel simply looks like another network interface to our firewall, so I apply a slightly less restrictive set of rules to that connection than I do to the default external interface. Giving someone keys to your network just because they are an authenticated VPN user is not a very good idea.

    My main complaint with DNS tampering is the outright DNS hijacking that Sprint does with their AirCard (EVDO) service. You can't even query a different DNS server-- your packets are intercepted and redirected to Sprint's own DNS. Unfortunately, their records are often out-of-date as it appears that they also manipulate TTLs to keep the churn down on their servers. It's a real problem when you're relying on something like an AirCard for doing things like network penetration testing.

  24. Fix dnsmasq + level3 by asdfndsagse · · Score: 2, Informative

    dnsmasq, avalable in most distrobutions, is a light weight dns server that you can tell the ips of bogus NXDomain sends and will turn them back to what they should be. You can also point your computers to level3's free dns service at 4.2.2.3 4.2.2.4 4.2.2.5 4.2.2.6

  25. Try using OpenDNS by brewmage · · Score: 2, Interesting

    I don't know that I would leave that hole open in my VPN configuration, but have you tried using OpenDNS (http://www.opendns.com/)? I don't know if it'll work in your situation or not, but I hardcode it vs. picking up the automatically assigned ISP's DNS and it works great. It doesn't have the problems with the redirection for advertisement when an incorrect URL is entered. In fact, that's one of my primary reasons for using it. Give it a try. Their site will give you the two IP addresses you need to use them, and best of all... it's free.

  26. I suspect this is a "captive portal" portal issue by gnu-user · · Score: 2, Interesting

    I worked for an ISP that provided service to hotels. VPN configs were the major source of problems. We implemented a captive portal to try to smooth over issues like

    SMTP rejection (SMTP-AUTH was not common, the portal provided silent redirect to local mail server)

    Accountability/Abuse -- The rooms were hard-wired, and captive portal gave us some retroactive sense of what room was generating abusive traffic.

    Splash-screen/terms-of-service

    DNS redirection is one of the core techniques for establishing captive portals. I rather doubt that many smaller ISPs are doing the "sponsored link" DNS redirect. Maybe things have changed since I left, but I suspect there is no significant benefit and some real cost involved for sponsored redirects for all but the largest ISPs.

    Most of the support calls were over VPN software. Since all traffic was redirected until the splash screen was agreed to, a small but significant segment of VPN client configs broke. I very much suspect that is the real source of the initial posters issues.