Slashdot Mirror
Comcast DNS Redirection Launched In Trial Markets
An anonymous reader writes "Comcast has finally launched its DNS Redirector service in trial markets (Arizona, Colorado, New Mexico, Oregon, Texas, Utah, and Washington state), and has submitted a working draft of the technology to the IETF for review. Comcast customers can opt-out from the service by providing their account username and cable modem MAC address. Customers in trial areas using 'old' Comcast DNS servers, or non-Comcast DNS servers, should not be affected by this. This deployment comes after many previous ISPs, like DSLExtreme, were forced to pull the plug on such efforts as a result of customer disapproval/retaliation. Some may remember when VeriSign tried this back in 2003, where it also failed."
Some may remember when VeriSign tried this back in 2003, where it also failed.
Oh yeah, way back in the day. But let us not forget Earthlink's attempt at this or Canadian Rogers Cable or Charter or NJ Cabelvision or ... I'm sure you could find no end to this stream of providers offering their customers something the customers simply do not want.
And I'm pretty certain most of those ended or resulted in customers bitching out the provider. Yet here we go again. Why? Well, that's simple: ad revenue.
My work here is dung.
I don't want to name names, but Netalyzr showed that several major ISPs already do this, and allows you to check for yourself what the behavior is on your network.
Comcast is following the lead of other major ISPs which have been doing this for some time now.
Test your net with Netalyzr
Except for the bit where Comcast users not using Comcast DNS servers are unaffected, as per TFS.
Unless you're complaining that they could, in theory, redirect port 53. Frankly, anyone remotely familiar with how the Internet works should know that your ISP *could* completely and arbitrarily control any nonauthenticated protocol, including DNS.
OpenDNS does exactly the same. (unless you register account and change it, but thats the case with this comcast thingie aswell)
4.2.2.1
AT&T ... they aren't keeping a database of my URL lookups7.
Until the NSA asks them to. Let's not pretend that AT&T isn't evil.
* * * --they cant all be your best, that would be confusing
I noticed the summary mentioned several attempts that have failed, but makes no mention of other ISPs that are still doing it. Time Warner Cable is one that has been doing this for a while now (maybe a year?). Anyone know of others?
OpenDNS does the exact same thing. To avoid DNS highjacking if you use OpenDNS, you have to have an account with them, change your preferences and always be identifiable to OpenDNS so that it can apply your preferences. It's easier to opt out at Comcast than to opt out at OpenDNS. Besides, OpenDNS also redirects www.google.com to OpenDNS servers, not just nonexistent domains.
It doesn't redirect you to a third-party site owned by the NSA; it redirects you to a third-party site, full stop. This not only breaks a whole host of applications relying on DNS to inform them that a domain name doesn't exist, but it is in violation of the standards that hold the Internet together.
Score: i, Imaginary
I use Level3's anycast dns resolvers. They are fast and work great. Pair them with a local dns cache and you'll be golden.
4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6
In case you don't know about anycast.
http://en.wikipedia.org/wiki/Anycast
"It is better to die on one's feet than to live on one's knees." - Albert Camus
Why do these OpenDNS posts keep getting modded up? OpenDNS utilizes the very practices this article bemoans! If you query a domain that does not exist, your browser is redirected to OpenDNS's ad-laden spam site.
Despite their claims to the contrary, OpenDNS's servers are likely farther away from you than your local ISP's. They also keep permanent logs of all queries, which could be subpoenaed by a government entity. Their joke of a privacy policy allows them to sell your logs to "Affiliated Businesses", which pretty much means anybody. Not that it really matters - they could amend their privacy policy tomorrow morning and be selling your info by the afternoon.
I think many people read the "Open" part of the OpenDNS name and turn their brains off.
Just go to the site below and opt-out :)
https://dns-opt-out.comcast.net/
Yes it is. What you described is the very definition of typosquatting, if you add the point of what you see on this "GUI interface" (which is the job of your browser to create, btw.)
And if you think about them paying for servers to display this "interface", you will know that there is a reason they do this:
To make money. Obviously.
And what is the reason, that typosquatters add a "GUI interface" to unused domains?
Also to make money. Obviously.
Point proven. :)
Any sufficiently advanced intelligence is indistinguishable from stupidity.
In what way is this relevant to OpenDNS? They actually do the same dirty trick aswell. Just because they have "open" in their name doesn't mean they're great and everyone should use them. They run their DNS servers to make profit from non-existing domains and hell, they even redirect requests to google.com to their own servers.
Thankfully there are open dns servers that dont do such either, for example university in Gothenburg, Sweden: 129.16.1.53 and 129.16.2.53 and several others. Those that have the technical knowledge can also set up their own dns recursive dns servers on their linux box and use those directly (while it fetches the results from root servers)
AT&T Caps my bandwidth. They charged me an extra 20 dollars a few months ago for going over the limit. I buy their "ultra mega super elite" DSL service and upload an average of 40kb a second every second of every month. They sent me an e-mail notifying me about this wonderful little change to my AT&T e-mail address which no one fucking uses. I first saw the change on the bill. Thanks AT&T.
I agree completely on not going with Comcast. I go with Qwest for my DSL.
But you do know about the special rooms on the AT&T trunk lines that monitor all the traffic for the NSA, right?
Not that me using Qwest stops my traffic from being monitored too, but at least I am not directly supporting AT&T (or Verizon) and their habit of handing over whatever information is asked without requiring a search warrant to back it up.
Qwest refused to hand over data without a search warrant.
That depends. If you have server authentication, it won't. More importantly, if the Comcast server doesn't listen on any port but 80, it certainly won't.
If you were relying on correct DNS responses to provide security (such as preventing your login credentials from being given away), you were doing it wrong in the first place.
OpenDNS is just as bad -- they do the same thing. The real solution is to change your DNS servers to use the L3 DNS servers at 4.2.2.1, 4.2.2.3, 4.2.2.4, 4.2.2.5, or 4.2.2.6, which are often faster than Comcast's anyway.
Easy, through innovation and distinct added value. Shouldn't take a rocket scientist to figure it out but apparently it does. Recently, our ISP decided to offer a brand new service allowing you to double your bandwidth simply by adding another DSL line. Guess what, they are now the fastest growing ISP in Canada.
Schemes like DNS redirection are a scam and should be banned unless they contain no advertising or indirect revenue generation whatsoever.
Views expressed do not necessarily reflect those of the author.
When opendns started it was precisely that - an open DNS system which even had its own set of free TLDs to play with.
Then they smelled money. And the rest is history.
Use the anycast DNS at 4.2.2.1, 4.2.2.2, etc. Run by Level3 who have plenty of money anyway and don't need to nickel and dime DNS for it.
It's not like Comcast is going to be intercepting all DNS traffic and routing it through their spammy DNS servers.
Why not? As raddan posted above me, Sprint already did this with their aircard service. The huge majority of customers won't notice the difference since they don't know about alternative DNS servers.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
The web page looks the same. You have to look at the DNS results (or the TCP connections) to see what's going on. If you're using Windows, open a command prompt and compare the outputs of
nslookup www.google.com 4.2.2.1
and
nslookup www.google.com resolver1.opendns.com
The first parameter is the query, the second is the server. 4.2.2.2 is the anycast address of one of Level3's DNS resolvers, which implement DNS correctly. The result of the second command is a CNAME under the opendns.com domain and an IP address which belongs to OpenDNS LLC (you can verify this by asking whois.arin.net for information about the address with a whois client).
Try looking at the entire service. So far as I have been able to tell, you can turn off every single one of their "features", giving you a simple, straightforward dns service.
And for those replying to you confused about the google thing - they don't
. What they do is provide a dns entry for www.google.com that points to their own servers. These servers proxy the real www.google.com to strip out some functionality that opendns found particularly offensive (I have not experienced the functionality, and can't say whether I agree or disagree with their views). However, like every other "feature" I've found at OpenDNS, you can turn this off. Yes, at first you couldn't. I stopped using OpenDNS for awhile. Now you can.
the difference is that this is opt-out, not opt-in like opendns or other free dns servers
The real nasty issue with these services are that they are claimed to be helpful to users. The issue is that it is not helpful. Modern browsers already provide options to redirect NXDOMAIN's to a search engine, or other useful things.
For example, Google chrome provides a nice page that says "DNS error - cannot find server" in the corner, and provides a helpful search box that is pre-filled with the words found in the domain name. (I have no idea what algorithm is being used to find the word breaks, but it seems to work reasonably well.)
If you have Google Toolbar installed in IE, it does the same thing (except for having Google Toolbar branding rather than Chrome Branding).
Other common search toolbars provide similar services.
I will admit that IE's default error page, and Firefox's default error page are not as helpful to most users, but rather than hijack DNS, why don't you (ISPs) just add the "feature" to the IE toolbar you provide on your Set-Up CD. Those who have no use for such a service don't use those CDs anyway.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
If you don't believe it, try the commands for yourself:
-=-=-=-=-
overmind% nslookup
Default Server: localhost
Address: 127.0.0.1
> set querytype=a
> www.google.com
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: www.l.google.com
Addresses: 74.125.53.147, 74.125.53.104, 74.125.53.99, 74.125.53.103
Aliases: www.google.com
> server 208.67.220.220
Default Server: resolver2.opendns.com
Address: 208.67.220.220
> www.google.com
Server: resolver2.opendns.com
Address: 208.67.220.220
Non-authoritative answer:
Name: google.navigation.opendns.com
Addresses: 208.69.36.230, 208.69.36.231
Aliases: www.google.com
-=-=-=-
Talking to my local DNS server, www.google.com resolved to IP addresses in the 74.125.0.0/16 netblock, which is assigned to Google.
Talking to resolver2.opendns.com, www.google.com resolved to 208.69.36.230 and 208.69.36.231, which have no reverse information, but are in the 208.69.32.0/21 netblock which is assigned to OpenDNS.
It's a problem because DNS is used by more things than web browsers with human operators. A "this host does not exist" response at DNS-level contains information that a "404 not found" response at HTTP-level does not provide. And that's even assuming they have the common sense to make their "default search page" return an error status code; it's highly likely it'll return an OK status, since as a general rule the people who understand how the internet works at a technical level will refuse to be involved in these kind of projects, which means people who don't really understand what they're breaking are in charge of it all.
When Verisign did this a few years ago, they set up an SMTP rejection service so that mistyped domain names in email addresses would result in an immediate bounce, rather than sitting in the mail queue attempting to be delivered to an address that didn't accept mail for a few days before finally being bounced. This service didn't actually work properly, with the result that if you had more than one incorrect domain in the recipient list, you would get a bounce for only some of the wrong domains. This is because the people that implemented the service didn't think it was necessary to actually parse the SMTP commands, and instead just responded with a scripted "Hello, Ok, Reject" over and over again regardless of what the input was. Needless to say, this was very confusing for actual mail servers.
In addition, people using web browsers that are configured to do something useful in the case of a non-existent domain name get screwed, because now every domain resolves and serves up web pages. If Comcast's "not found" service is not as good as whatever their browser was previously doing, too bad.
At least Comcast provide an opt out, and most of their customers are presumably using Comcast's SMTP relay servers, which one would hope use real DNS servers, so the problems should not be as widespread as when Verisign did it to the entire .com namespace. However whenever you change how a fundamental part of anything works (and has worked for decades) there will always be fallout and unanticipated issues. This is also complicated by the fact you can't differentiate DNS lookups by web browsers from DNS lookups from anything else; with a result being that even when you do anticipate issues, you can't provide a 100% adequate solution to mitigate it.
Um, this concerns me quite a bit:
These servers proxy the real www.google.com to strip out some functionality that opendns found particularly offensive...
What? That doesn't make any sense. They only appear to proxy the first page, enough to capture what you type in the search box.
Lets examine the evidence:
$ dig @resolver1.opendns.com www.google.com A
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.216.231
google.navigation.opendns.com. 30 IN A 208.67.216.230
$ whois 208.67.216.231
OrgName: OpenDNS, LLC
Now visit both:
http://208.67.216.231/
http://www.google.com/
Notice anything different in the footer? Say the link that says Go to Google.com
There may be a good faith relationship between OpenDNS and Google, but it still means that OpenDNS is proxying your queries! Thus tracking your search queries.
It appears OpenDNS never responded to the many questions on their own forum
DNS redirection is bad, and proxying to collect information is evil. Both methods are employed by scammers and phishers.
Here it is:
http://tech.slashdot.org/article.pl?sid=09/06/09/1731238