Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dealing With ISPs That Use NXDomain Redirection?

Posted by timothy on from the looking-at-you-charter dept.

Vrtigo1 writes "I work for a small company that has about 50 staff on the road relying on VPN back to our office at any given time. Many ISPs have implemented NXDomain redirection services that hijack DNS traffic to show you sponsored links and other related ads when you mistype a domain name. These services are incompatible with most VPN software, since they prevent the computer from resolving internal hostnames. Large ISPs typically provide an opt-out on their sponsored links page that immediately opts you out of the DNS redirection, but I've noticed that some smaller ISPs and CLECs have opt-out links that don't actually appear to do anything. I don't have a good solution for employees using these ISPs, and our employees are getting frustrated because the problem is becoming more prevalent and we can't fix it for them. I've tried calling a few of these smaller ISPs for help, but it's been like talking to a wall. Manually changing DNS servers works temporarily, but the user can't resolve internal hostnames when they connect to the office LAN again. Have you had to deal with ISPs using non-standard DNS servers? What is your solution?"

11 of 264 comments (clear)

  1. Provide your own DNS? by QuantumRiff · · Score: 5, Informative

    Last time I setup a VPN, was with a Cisco PIX firewall, (its been awhile) but there was a spot to specify which DNS servers to use when connected to the VPN. I had specified that when connected, they would use our DNS, since they otherwise couldn't resolve \\file-server\share or whatever..

    --

    What are we going to do tonight Brain?
    1. Re:Provide your own DNS? by nine-times · · Score: 5, Informative

      Yeah, honestly I'm a little confused by the question. If you want to use DNS to connect to internal servers via VPN, then don't you want to route your DNS traffic through the tunnel to use internal DNS servers? And once you're doing that, how could the ISP possibly hijack that DNS traffic? It's encrypted.

    2. Re:Provide your own DNS? by Bandman · · Score: 5, Insightful

      You're right. It all boils down to misconfigured VPN

      --
      Check out my sysadmin blog!
  2. Change VPN settings . . . by val123456 · · Score: 5, Insightful

    to force use of internal DNS servers while connected.

    Done.

  3. Use Full Tunnels by Bandman · · Score: 5, Informative

    If you're splitting your connection between a VPN tunnel and a non-VPN protected internet connection, you're a security risk to your infrastructure.

    Have your administrator configure full tunnel support where ALL of your traffic goes through the encrypted tunnel. That solves a security problem AND it fixes your DNS problem because you don't use your local internet provider's DNS servers.

    --
    Check out my sysadmin blog!
    1. Re:Use Full Tunnels by L0stm4n · · Score: 5, Informative

      This is called split tunneling. If he disables split tunneling and specifies the DNS servers in the VPN config his problems would go away.

      His users however would tunnel all their traffic through the corporate lan while connected so you may need to setup some kind of filtering or route the traffic through whatever filters you already have. Otherwise these remote workers in hotel rooms will be pulling buckets-o-pr0n through your corp network.

      --
      superman runs linux
  4. What small ISPs? by bzzfzz · · Score: 5, Funny

    There are still small ISPs left where you live?

  5. Re:This is an easy one. by TheLink · · Score: 5, Insightful

    Actually, the VPN config is insecure (screwed up?) - when you are using the VPN the DNS requests should be going through the VPN tunnel, and not in plaintext to the ISP.

    --
  6. could someone explain what the issue is here? by goombah99 · · Score: 5, Informative

    This guy sounds like a manager or IT worker who is having problems with his employees connecting to the work VPN.

    it sounds more like he has not stated the problem correctly.

    how is it possible that a VPN connection is doing DNS to an external name server? Should not every internet request flow over the vpn from the client to the server. once it reaches the internal vpn server the server should know how to route the internal addresses and for external addresses it could use an external domain name server. the problem described seems like it should not exist. what am I missing?

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:could someone explain what the issue is here? by Intron · · Score: 5, Informative

      Depends on the VPN setup. I don't want my VPN clients sending all of their web browsing through the VPN and then back out through my firewall. I only want the traffic destined for my internal network. On their end, they should have a route table that sends traffic for me through the VPN and everything else through their normal ISP. I can support a lot more users that way.

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:could someone explain what the issue is here? by mellon · · Score: 5, Insightful

      I'm not sure what your threat model is, but I suspect you are claiming one of two things: either that the VPN node might act as a router, forwarding packets around your firewall, or that the VPN node might be compromised and used as a stepping-stone onto your network.

      In the case of the router vulnerability, this is something that you can control on the corporate side of things by simply not accepting packets down the VPN tunnel that don't come from the IP address that's the far endpoint of that tunnel. I'm not a VPN expert, but I would be surprised if this isn't how your VPN is configured by default.

      In the case of the stepping stone, this is a fairly weak threat model, for two reasons. First, if your machine has been rooted, there's a good chance that it will phone home out through your firewall even if you route all internet access through the VPN. So it will be a stepping stone to your network anyway.

      Second, if your machine has been rooted, and is running any sort of virus platform, it's going to try to infect machines on your network even if it doesn't have a link to the outside world. If you are genuinely concerned about threats originating on employee laptops, you shouldn't allow them to VPN into your network at all.

      So the point is that forcing the VPN'd node to access the internet through your site is probably going to be a big inconvenience for your users (the kind of inconvenience they will hack around, possibly making you even more vulnerable) and it's not going to buy you any meaningful security.

      Firewalls are great for slowing the spread of infection, and raising the cost of attacking you, but you really do need to secure every node as well, and if someone really wants to get past your firewall, and is willing to expend substantial effort to do so, you probably won't stop them without much sterner measures than the one you're advocating.