Slashdot Mirror
Comcast DNS Redirection Launched In Trial Markets
An anonymous reader writes "Comcast has finally launched its DNS Redirector service in trial markets (Arizona, Colorado, New Mexico, Oregon, Texas, Utah, and Washington state), and has submitted a working draft of the technology to the IETF for review. Comcast customers can opt-out from the service by providing their account username and cable modem MAC address. Customers in trial areas using 'old' Comcast DNS servers, or non-Comcast DNS servers, should not be affected by this. This deployment comes after many previous ISPs, like DSLExtreme, were forced to pull the plug on such efforts as a result of customer disapproval/retaliation. Some may remember when VeriSign tried this back in 2003, where it also failed."
Another great press release about how it will be helpful and a "service" for users, while the main purpose is just to gather extra advertisement revenue (while breaking internet standards). I mean, this is what malware do. Oh well, atleast these non-us ISP's dont do such dirty acts to their customers here. Time to voice your opinion maybe?
Some may remember when VeriSign tried this back in 2003, where it also failed.
Oh yeah, way back in the day. But let us not forget Earthlink's attempt at this or Canadian Rogers Cable or Charter or NJ Cabelvision or ... I'm sure you could find no end to this stream of providers offering their customers something the customers simply do not want.
And I'm pretty certain most of those ended or resulted in customers bitching out the provider. Yet here we go again. Why? Well, that's simple: ad revenue.
My work here is dung.
Sounds like time to pick some semi-standard alternate port number and start setting up some alternate recursive DNS servers, something between alt.* and TOR.
Didn't RTFA, but lets call a spade a spade--this is typosquatting
I can't remember the last time I forgot anything.
Or is it Comcasted?
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
It was *MUCH* easier for me to sign up for basic TV + internet with Comcast than what I ended up doing. I wanted to keep everything at the magic $100/mo. number, so I went with AT&T - DirecTV partnership, where they give you DSL and a dish and DVR, and put it all on one bill. My DSL is 3Mb down/768kb up, where a Speakeasy test at my neighbor showed almost 12Mb down and nearly a full meg up. When he asked "why would you choose that?" - my answer was simple: Comcast.
AT&T doesn't touch my bandwidth. They don't cap it, they don't filter it - they aren't keeping a database of my URL lookups. That's worth a great deal to me - and Comcast will never get my business. I urge everyone else to do the same, even if it is some other DSL provider or dish provider.
I don't want to name names, but Netalyzr showed that several major ISPs already do this, and allows you to check for yourself what the behavior is on your network.
Comcast is following the lead of other major ISPs which have been doing this for some time now.
Test your net with Netalyzr
The sky isnt falling.
It is if you were foolish enough to believe that the RFC/protocol standards would be obeyed and wrote code that relies on a NXDOMAIN response to detect a bad hostname. Now you are going to an 'A' record that points to a Comcast server. This will break various applications but they don't give a damn because it's all about the ad revenue and who uses the internet for anything other than surfing anyway?
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Except for the bit where Comcast users not using Comcast DNS servers are unaffected, as per TFS.
Unless you're complaining that they could, in theory, redirect port 53. Frankly, anyone remotely familiar with how the Internet works should know that your ISP *could* completely and arbitrarily control any nonauthenticated protocol, including DNS.
No, it will only show those pages that have paid to be listed as what you want to see. (at least after an initial trial run)
This could easily be done in the browser in a non-evil way. When you type in a name and get a non-response, similar names typed after would be recorded. Then, when you make the same spelling error, gooogle.com, it takes you to where you want to go. Since it's in the browser, people could edit and share their commonly misspelled domain names.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
I speak from the perspective of being a RoadRunner user rather than a Comcast user, but RR implements a similar service. They have a link in the lower right of their results page where you can click to set your preferences and disable the "feature". Except just the other week that preference broke for me, and I was stuck with DNS hijacking. I phoned their customer service line, the person on the other end of the line had absolutely no idea what I was talking about.
DNS hijacking is a bit like Phorm without profiling really. Well, assuming there is no profiling. If there was profiling they'd make more money from the ads they'll inevitably insert there to "support" the service (Edit: oh look, they already have!). Personally I put this issue, along with Phorm in a whole category of problems related to the fact that we still don't secure and authenticate most of our activities on the internet (http, dns, yadayada). ISPs can do what they like and it's hard to stop them. Third-party DNS services seem to be the way to go recently. Of course without security/authentication your ISP can put a stop to that quite easily too.
This is all before you get in to the technical details of clients that may implement specific behavior for when bad DNS queries are expected to fail but don't.
True, for anyone tech savvy they would know better. But what about people that don't know better and that extra ad revenue. Will that be passed back to the customer? Absolutely not.
OpenDNS does exactly the same. (unless you register account and change it, but thats the case with this comcast thingie aswell)
You can opt out, you know. It says so right in the summary.
Also please don't use "evil" to describe things that are merely inconvenient. It greatly diminishes the horror and suffering people have gone through at the hands of real, actual evil.
When in doubt, keep trying. When rejected, keep trying. Enough people do this, it becomes the norm. Sad, but true.
ELOI, ELOI, LAMA SABACHTHANI!?
I noticed the summary mentioned several attempts that have failed, but makes no mention of other ISPs that are still doing it. Time Warner Cable is one that has been doing this for a while now (maybe a year?). Anyone know of others?
Providing a nice GUI on a DNS lookup fail is the job of the web browser not the DNS server. DNS is infrastructure not user interface.
OpenDNS does the exact same thing. To avoid DNS highjacking if you use OpenDNS, you have to have an account with them, change your preferences and always be identifiable to OpenDNS so that it can apply your preferences. It's easier to opt out at Comcast than to opt out at OpenDNS. Besides, OpenDNS also redirects www.google.com to OpenDNS servers, not just nonexistent domains.
It doesn't redirect you to a third-party site owned by the NSA; it redirects you to a third-party site, full stop. This not only breaks a whole host of applications relying on DNS to inform them that a domain name doesn't exist, but it is in violation of the standards that hold the Internet together.
Score: i, Imaginary
Why exactly does the ISP control DNS?
Given the shenanigans the ISPs and governmental authorities have been up to the last few years, I say we need to rethink TCP. You see, we've been assuming all along that ISPs are not malicious. We need to start assuming they are malicious. The new TCP protocol should only assume that all socket level data is sensitive and therefore must be encrypted as to both its contents AND its destination. This implies traffic shaping, onion routing and a public key based DNS
This is all done under the assumption that the DNS query is for an HTTP request.
What happens when other services run afoul of this setup?
For example: Is my POP client going to hand my login credentials to a Comcast server, if my email service's DNS does not resolve for some reason?
I use Level3's anycast dns resolvers. They are fast and work great. Pair them with a local dns cache and you'll be golden.
4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6
In case you don't know about anycast.
http://en.wikipedia.org/wiki/Anycast
"It is better to die on one's feet than to live on one's knees." - Albert Camus
No.
Knock this shit off and mods, wise the fuck up. Just because it has "open" in the name doesn't make it suddenly good and benevolent, They do the exact same fucking thing.
Anyone who's been on slashdot for more than a week or two probably has seen dozens of comments suggesting OpenDNS in cases like this, always modded up. Every single time people post corrections pointing out that they do the same thing. Does anyone ever listen?
Wise the fuck up
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
I use Earthlink for an ISP. I also know how to change my "default" DNS servers, so I don't have to deal with their antics.
If people don't like what the ISP does to things like this, they should either learn how to fix the problem (because their ISPs will simply say there IS no problem because it's functioning as it was designed to do) or look for another ISP.
Why do I stay with Earthlink? Simple:
Generally, I'm pleased with Earthlink.
When politicians are involved, everyone loses.
Why do these OpenDNS posts keep getting modded up? OpenDNS utilizes the very practices this article bemoans! If you query a domain that does not exist, your browser is redirected to OpenDNS's ad-laden spam site.
Despite their claims to the contrary, OpenDNS's servers are likely farther away from you than your local ISP's. They also keep permanent logs of all queries, which could be subpoenaed by a government entity. Their joke of a privacy policy allows them to sell your logs to "Affiliated Businesses", which pretty much means anybody. Not that it really matters - they could amend their privacy policy tomorrow morning and be selling your info by the afternoon.
I think many people read the "Open" part of the OpenDNS name and turn their brains off.
Just go to the site below and opt-out :)
https://dns-opt-out.comcast.net/
My ISP did it for a while. The problem was that it was badly implemented and increased to load on the upstream DNS services.
So if the middle layer DNS cache was empty and I asked for
mybank.com the bottom level DNS timed out and it failed over to the advertising page.
---
Think of searching on coke.com or any real address then the system failing and redirecting you to pepsi.com.
Think of the lawsuits. Think of the denial of service attacks possible
a) register not_mybank.com, have spoof of mybank.com page ready to launch
b) pay to have a fail on mybank.com route to not_mybank.com
c) denial of service attack to root servers for mybank.com, flip in your spoof page
d) have the ISP's magically send people to your spoof site from their saved URL's and collect passwords
Yeah this is a good idea.
Are you kidding, or do you work for OpenDNS?
Because I switched to OpenDNS because of people (you?) mentioning it here on Slashdot.
And then I noticed, that OpenDNS also does DNS redirection!
Any sufficiently advanced intelligence is indistinguishable from stupidity.
> Some may remember when VeriSign tried this back in 2003, where it also failed.
Not the same at all. VeriSign tried to do it with the TLD servers, which nobody can avoid. These guys are just doing it with their own servers, which you can bypass unless they block you. Even if they do you can, at least in theory, switch ISPs. They aren't likely to bother with blocking, though, because the number of people who will bypass is tiny.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Also, this statement from Comcast's blog is blatantly false:
Normally you would *never* "sit and wait for the Web browser to time out" (well, these *are* Comcast's DNS servers after all, so in this specific case it might be true). Normally, your browser would get a DNS resolution failure and show you a built-in error page instantaneously. Now, on the other hand, you have to wait until your browser goes off and loads a page of Comcast ads.
Domain Helper my a$$!
I've been a Comcast customer for HERBAL VIAGRA several years and have never had an issue with unsolicited REAL WEIGHT LOSS advertising of any kind.
If a domain name does not exist, I want my systems to receive an error telling them so, not be redirected to a system that they were not expecting to be directed to.
This screws with "what is valid URL". Basically, now all URL are valid. So for example you want "coke.com" anyway you mistype that request: cole.com, Coce.com, koke.com, cooke.com and ... will be a valid URL, even if it does not exist.
Another way of looking at this is cybersquatting. They are taking the whole URL domain. So if you have a new URL, guess where it will not show up for a long while.
And third you can think of it as "DNS poisoning", since if you are running your own DNS, comcast will be suppling you fake information, with its own time out.
OpenDNS is just as bad -- they do the same thing. The real solution is to change your DNS servers to use the L3 DNS servers at 4.2.2.1, 4.2.2.3, 4.2.2.4, 4.2.2.5, or 4.2.2.6, which are often faster than Comcast's anyway.
If you think it's OK to hijack DNS think about what happens if you mistype an email address, or what happens when your configured NTP server goes offline.
Me too.
Oh wait, Comcast doesn't have any competition for high-speed where I live.
Go go gadget free market!
Returned Peace Corps IT Volunteer
When opendns started it was precisely that - an open DNS system which even had its own set of free TLDs to play with.
Then they smelled money. And the rest is history.
Use the anycast DNS at 4.2.2.1, 4.2.2.2, etc. Run by Level3 who have plenty of money anyway and don't need to nickel and dime DNS for it.
Google "DNS recursive amplification" to see what I mean about the evils of open resolvers. Hell, even closing down recursion doesn't stop the madness since root hint amplification is being abused too.
We drop all IP traffic directed to our anycast IPs at our borders. You can't even ping them. query-source is not a listen-on address so it is impossible to get any type of response from our named. I predict most other ISPs being forced to do something similar. The poisoning threats are also ever on the horizon and this is another prudent safeguard.
... in addition to their modem MAC based opt-out mechanism, they:
Anyone that knows what they are doing, or finds out via information from some source (the provider not being obligated to supply this information), should be able to use the internet exactly as it was originally intended.
now we need to go OSS in diesel cars
The web page looks the same. You have to look at the DNS results (or the TCP connections) to see what's going on. If you're using Windows, open a command prompt and compare the outputs of
nslookup www.google.com 4.2.2.1
and
nslookup www.google.com resolver1.opendns.com
The first parameter is the query, the second is the server. 4.2.2.2 is the anycast address of one of Level3's DNS resolvers, which implement DNS correctly. The result of the second command is a CNAME under the opendns.com domain and an IP address which belongs to OpenDNS LLC (you can verify this by asking whois.arin.net for information about the address with a whois client).
If you don't believe it, try the commands for yourself:
-=-=-=-=-
overmind% nslookup
Default Server: localhost
Address: 127.0.0.1
> set querytype=a
> www.google.com
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: www.l.google.com
Addresses: 74.125.53.147, 74.125.53.104, 74.125.53.99, 74.125.53.103
Aliases: www.google.com
> server 208.67.220.220
Default Server: resolver2.opendns.com
Address: 208.67.220.220
> www.google.com
Server: resolver2.opendns.com
Address: 208.67.220.220
Non-authoritative answer:
Name: google.navigation.opendns.com
Addresses: 208.69.36.230, 208.69.36.231
Aliases: www.google.com
-=-=-=-
Talking to my local DNS server, www.google.com resolved to IP addresses in the 74.125.0.0/16 netblock, which is assigned to Google.
Talking to resolver2.opendns.com, www.google.com resolved to 208.69.36.230 and 208.69.36.231, which have no reverse information, but are in the 208.69.32.0/21 netblock which is assigned to OpenDNS.
Yes, I see the wisdom of your post since you need to use the word "fuck" multiple times per sentence. You must be 100% correct, then. I salute your logic, sir.
________________________________ ___ _________ __ _______ _ ____ __ _ __ Darknight / _ \___ ____
You are blatnatly mistaken, sir.
Because your DNS tells you what the real IP address is, and in many locations, that is not what this "redirect" DNS service will lead you to. That may be a much nearer, but more bandwidth expensive location than Comcast wants you to use, or may not go through their monitoring and proxies and load balancers and most importantly, their _streaming video choking_ services. Comcast has established their willingness to interfere with bandwidth intensive services such as Bittorrent via SYN packats and other abuses: there's no reason to expect that they will provide this service for their customer's advantage, but rather for their own to guide traffic to their desired services.
This new 'service' Comcast is testing helps comcast identify its customers better which helps with the 250GB cap. The new DNS setup locks out hacked modems (unregistered modems) without spoofing as a legit modem. It also limits the speed cap from the cmts (node) end as well as the cable modem so no more uncapped 30megabit/s down and 10megabit/s up on a single modem without cloning a developer na modem.
The real conversation should not be about openDNS but how comcast is going out of its way to make sure it can identify which users are breaking the 250GB cap which ultimately forces many of the not so legit comcast users who like their anonymity to spoof as someone else on the same network and therefor ultimately putting blame on the wrong person when comcast issues an abuse suspend. It is ironic really.
It may sound like a completely separate subject but by comcast playing with its dns forwarding has much bigger back end changes that seem not related but in fact are.