Slashdot Mirror
Comcast DNS Redirection Launched In Trial Markets
An anonymous reader writes "Comcast has finally launched its DNS Redirector service in trial markets (Arizona, Colorado, New Mexico, Oregon, Texas, Utah, and Washington state), and has submitted a working draft of the technology to the IETF for review. Comcast customers can opt-out from the service by providing their account username and cable modem MAC address. Customers in trial areas using 'old' Comcast DNS servers, or non-Comcast DNS servers, should not be affected by this. This deployment comes after many previous ISPs, like DSLExtreme, were forced to pull the plug on such efforts as a result of customer disapproval/retaliation. Some may remember when VeriSign tried this back in 2003, where it also failed."
Didn't RTFA, but lets call a spade a spade--this is typosquatting
I can't remember the last time I forgot anything.
It was *MUCH* easier for me to sign up for basic TV + internet with Comcast than what I ended up doing. I wanted to keep everything at the magic $100/mo. number, so I went with AT&T - DirecTV partnership, where they give you DSL and a dish and DVR, and put it all on one bill. My DSL is 3Mb down/768kb up, where a Speakeasy test at my neighbor showed almost 12Mb down and nearly a full meg up. When he asked "why would you choose that?" - my answer was simple: Comcast.
AT&T doesn't touch my bandwidth. They don't cap it, they don't filter it - they aren't keeping a database of my URL lookups. That's worth a great deal to me - and Comcast will never get my business. I urge everyone else to do the same, even if it is some other DSL provider or dish provider.
The sky isnt falling.
It is if you were foolish enough to believe that the RFC/protocol standards would be obeyed and wrote code that relies on a NXDOMAIN response to detect a bad hostname. Now you are going to an 'A' record that points to a Comcast server. This will break various applications but they don't give a damn because it's all about the ad revenue and who uses the internet for anything other than surfing anyway?
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Comcast is great. So I pay them for an internet connection, the price won't go down, and they get extra advertising revenue from there users. How long will it be until they start injecting ads into websites?
No, it will only show those pages that have paid to be listed as what you want to see. (at least after an initial trial run)
This could easily be done in the browser in a non-evil way. When you type in a name and get a non-response, similar names typed after would be recorded. Then, when you make the same spelling error, gooogle.com, it takes you to where you want to go. Since it's in the browser, people could edit and share their commonly misspelled domain names.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
I speak from the perspective of being a RoadRunner user rather than a Comcast user, but RR implements a similar service. They have a link in the lower right of their results page where you can click to set your preferences and disable the "feature". Except just the other week that preference broke for me, and I was stuck with DNS hijacking. I phoned their customer service line, the person on the other end of the line had absolutely no idea what I was talking about.
DNS hijacking is a bit like Phorm without profiling really. Well, assuming there is no profiling. If there was profiling they'd make more money from the ads they'll inevitably insert there to "support" the service (Edit: oh look, they already have!). Personally I put this issue, along with Phorm in a whole category of problems related to the fact that we still don't secure and authenticate most of our activities on the internet (http, dns, yadayada). ISPs can do what they like and it's hard to stop them. Third-party DNS services seem to be the way to go recently. Of course without security/authentication your ISP can put a stop to that quite easily too.
This is all before you get in to the technical details of clients that may implement specific behavior for when bad DNS queries are expected to fail but don't.
True, for anyone tech savvy they would know better. But what about people that don't know better and that extra ad revenue. Will that be passed back to the customer? Absolutely not.
This is all done under the assumption that the DNS query is for an HTTP request.
What happens when other services run afoul of this setup?
For example: Is my POP client going to hand my login credentials to a Comcast server, if my email service's DNS does not resolve for some reason?
I use Earthlink for an ISP. I also know how to change my "default" DNS servers, so I don't have to deal with their antics.
If people don't like what the ISP does to things like this, they should either learn how to fix the problem (because their ISPs will simply say there IS no problem because it's functioning as it was designed to do) or look for another ISP.
Why do I stay with Earthlink? Simple:
Generally, I'm pleased with Earthlink.
When politicians are involved, everyone loses.
My ISP did it for a while. The problem was that it was badly implemented and increased to load on the upstream DNS services.
So if the middle layer DNS cache was empty and I asked for
mybank.com the bottom level DNS timed out and it failed over to the advertising page.
---
Think of searching on coke.com or any real address then the system failing and redirecting you to pepsi.com.
Think of the lawsuits. Think of the denial of service attacks possible
a) register not_mybank.com, have spoof of mybank.com page ready to launch
b) pay to have a fail on mybank.com route to not_mybank.com
c) denial of service attack to root servers for mybank.com, flip in your spoof page
d) have the ISP's magically send people to your spoof site from their saved URL's and collect passwords
Yeah this is a good idea.
> Some may remember when VeriSign tried this back in 2003, where it also failed.
Not the same at all. VeriSign tried to do it with the TLD servers, which nobody can avoid. These guys are just doing it with their own servers, which you can bypass unless they block you. Even if they do you can, at least in theory, switch ISPs. They aren't likely to bother with blocking, though, because the number of people who will bypass is tiny.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Also, this statement from Comcast's blog is blatantly false:
Normally you would *never* "sit and wait for the Web browser to time out" (well, these *are* Comcast's DNS servers after all, so in this specific case it might be true). Normally, your browser would get a DNS resolution failure and show you a built-in error page instantaneously. Now, on the other hand, you have to wait until your browser goes off and loads a page of Comcast ads.
Domain Helper my a$$!
This screws with "what is valid URL". Basically, now all URL are valid. So for example you want "coke.com" anyway you mistype that request: cole.com, Coce.com, koke.com, cooke.com and ... will be a valid URL, even if it does not exist.
Another way of looking at this is cybersquatting. They are taking the whole URL domain. So if you have a new URL, guess where it will not show up for a long while.
And third you can think of it as "DNS poisoning", since if you are running your own DNS, comcast will be suppling you fake information, with its own time out.
Sprint currently does this with their AirCard service. In fact, even if you try to query a specific DNS server, it hijacks your request and redirects your packets to its own. I discovered this after wondering WTF my DNS server was not operating correctly-- it turns it that my new DNS record had not propagated to Sprint's DNS. Since I run our company's DNS, this is a major PITA to me. Oh yeah, they appear to mess with DNS record TTLs as well.
I'd gladly post examples but I'm at work and my AirCard is at home at the moment.
I would gladly switch to another ISP, but I'm locked-in to a 2-year contract. Unless I can argue that their DNS hijacking violates the TOS, but I doubt it.
Just wanted to remind everybody that a few weeks ago, another slashdot article about comcast DNS hijacking appeared, and everybody wound up calling this specific blogger a liar.
What if before introducing mass trials, they randomly selected MAC IDs and did this in specific locations? Perhaps that blogger actually did break news.
But then, it wouldn't be the first time we trolled a legitimate story because its legitimacy was hard to validate at the time. :)
Also, this discredits Comcast's massive twitter efforts as ComcastBonnie so kindly made a slashdot account after seeing the twitter output from the article, and told us that the engineers promised no form of DNS hijacking was underway. Underway or not, it was certainly being planned, and coverups should not be appreciated.
Just my two cents
Google "DNS recursive amplification" to see what I mean about the evils of open resolvers. Hell, even closing down recursion doesn't stop the madness since root hint amplification is being abused too.
We drop all IP traffic directed to our anycast IPs at our borders. You can't even ping them. query-source is not a listen-on address so it is impossible to get any type of response from our named. I predict most other ISPs being forced to do something similar. The poisoning threats are also ever on the horizon and this is another prudent safeguard.
This new 'service' Comcast is testing helps comcast identify its customers better which helps with the 250GB cap. The new DNS setup locks out hacked modems (unregistered modems) without spoofing as a legit modem. It also limits the speed cap from the cmts (node) end as well as the cable modem so no more uncapped 30megabit/s down and 10megabit/s up on a single modem without cloning a developer na modem.
The real conversation should not be about openDNS but how comcast is going out of its way to make sure it can identify which users are breaking the 250GB cap which ultimately forces many of the not so legit comcast users who like their anonymity to spoof as someone else on the same network and therefor ultimately putting blame on the wrong person when comcast issues an abuse suspend. It is ironic really.
It may sound like a completely separate subject but by comcast playing with its dns forwarding has much bigger back end changes that seem not related but in fact are.