Slashdot Mirror


Comcast DNS Redirection Launched In Trial Markets

An anonymous reader writes "Comcast has finally launched its DNS Redirector service in trial markets (Arizona, Colorado, New Mexico, Oregon, Texas, Utah, and Washington state), and has submitted a working draft of the technology to the IETF for review. Comcast customers can opt-out from the service by providing their account username and cable modem MAC address. Customers in trial areas using 'old' Comcast DNS servers, or non-Comcast DNS servers, should not be affected by this. This deployment comes after many previous ISPs, like DSLExtreme, were forced to pull the plug on such efforts as a result of customer disapproval/retaliation. Some may remember when VeriSign tried this back in 2003, where it also failed."

23 of 362 comments

  1. malware by sopssa · · Score: 5, Insightful

    Another great press release about how it will be helpful and a "service" for users, while the main purpose is just to gather extra advertisement revenue (while breaking internet standards). I mean, this is what malware does. Oh well, at least these non-US ISPs don't do such dirty acts to their customers here. Time to voice your opinion maybe?

    1. Re:malware by sopssa · · Score: 5, Informative

      In what way is this relevant to OpenDNS? They actually do the same dirty trick as well. Just because they have "open" in their name doesn't mean they're great and everyone should use them. They run their DNS servers to make profit from non-existing domains and hell, they even redirect requests to google.com to their own servers.

      Thankfully there are open DNS servers that don't do such either, for example university in Gothenburg, Sweden: 129.16.1.53 and 129.16.2.53 and several others. Those that have the technical knowledge can also set up their own recursive DNS servers on their Linux box and use those directly (while it fetches the results from root servers).

    2. Re:malware by Anonymous Coward · · Score: 5, Funny

      I tried to find this RFC, but when I opened the page, it redirected me to some 404 search page for my ISP.

    3. Re:malware by Anonymous Coward · · Score: 5, Interesting

      Just wanted to remind everybody that a few weeks ago, another Slashdot article about Comcast DNS hijacking appeared, and everybody wound up calling this specific blogger a liar.

      What if before introducing mass trials, they randomly selected MAC IDs and did this in specific locations? Perhaps that blogger actually did break news.

      But then, it wouldn't be the first time we trolled a legitimate story because its legitimacy was hard to validate at the time. :)

      Also, this discredits Comcast's massive Twitter efforts as ComcastBonnie so kindly made a Slashdot account after seeing the Twitter output from the article, and told us that the engineers promised no form of DNS hijacking was underway. Underway or not, it was certainly being planned, and coverups should not be appreciated.

      Just my two cents

  2. Here We Go Again by eldavojohn · · Score: 5, Informative

    > Some may remember when VeriSign tried this back in 2003, where it also failed.

    Oh yeah, way back in the day. But let us not forget Earthlink's attempt at this or Canadian Rogers Cable or Charter or NJ Cablevision or ... I'm sure you could find no end to this stream of providers offering their customers something the customers simply do not want.

    And I'm pretty certain most of those ended or resulted in customers bitching out the provider. Yet here we go again. Why? Well, that's simple: ad revenue.

    --
    My work here is dung.
    1. Re:Here We Go Again by northernboy · · Score: 5, Informative

      If I'm not mistaken (although I often am, sorry in advance) Cox has been doing this for months now, and nobody posted anything about that. If I 'typo' a URL at home, when connected via my (or my neighbor's) Cox cablemodem, I get a Verisign page indicating that www.whateveriswas.com is Under Construction.

      Is this not muchly the same thing??

      It pisses me off, but not enough to hunt down a better alternative.

    2. Re:Here We Go Again by rminsk · · Score: 5, Informative

      To "opt-out" all you have to do is change the last octet of the DNS servers they supply to you to 14. So if Verizon default DNS server is 123.123.123.12 change it to 123.123.123.14.

  3. Call it what it is by wilsoniya · · Score: 5, Interesting

    Didn't RTFA, but let's call a spade a spade: this is typosquatting.

    --
    I can't remember the last time I forgot anything.
    1. Re:Call it what it is by Zontar_Thing_From_Ve · · Score: 5, Interesting

      This reminds me of a little known incident that happened in the mid 1990s. For a while, AT&T ran a service called 1-800-OPERATOR where you could call this number and get AT&T to connect you to a long distance call. For those who don't know, we're required (at least in most of the USA if not all of it) to pick a long distance service provider. That company does not have to be who you get local telephone service from. It was possible to place long distance calls with someone other than your long distance provider by simply dialing an access number that belonged to that company and you would get billed for the call from that company. So for example you might have, say, BellSouth as your long distance provider, but you could dial an access number and place calls on Sprint if Sprint offered a better rate. No need to change providers that way. So AT&T decided that it would be smart to get in on this too and lower their rates. So the way it worked was that you called 1-800-OPERATOR and someone at AT&T would connect you to your long distance call and charge you whatever rate AT&T had for the service. AT&T promoted this service on national television commercials and spent a lot of advertising money on it. Anyway, I had a friend at the time who worked for MCI in their marketing department. She told me that MCI had reserved the telephone number that corresponded to 1-800-OPERATER. MCI spent zero dollars advertising and simply waited for people who couldn't spell to call that number and they placed the call for the person and made the money off it. She told me "You would not believe how much money we made off this". Some months after the campaign started, AT&T quietly pulled the plug on it. I always assumed that too many people couldn't spell "operator" correctly and they were tired of giving business to MCI for nothing.

    2. Re:Call it what it is by typosquatting · · Score: 5, Interesting

      Totally agreed - it is absolutely typosquatting on a massive scale.

      Many people don't realize that there's TONS of traffic going to typo domains (whether registered or not). For instance, youtuve.com (notice the v instead of the b) got 358,751 visitors over the last 31 days. It redirects to another domain for cloaking purposes, but here is the traffic report. This level of traffic provides the financial incentive to implement these DNS schemes.

      By the way, there's a new, free typosquatting scan tool at aliasencore.com. It shows you all the registered .COM domain names that are one character misspellings of any Alexa top 100,000 site you enter. It also displays screenshots of those typosquatting sites. It's a nifty way to get a quick idea of the rampant growth of typosquatting. Here's an example that shows the 431 registered .COM domain names that are one character away from google.com.

      Full disclosure: I am Graham MacRobie, the CEO of Alias Encore, Inc. We help companies recover cybersquatting domain names, but we focus solely on "slam-dunk" typosquatting cases (obviously only registered domain names). I can speak from personal experience in this field that the very last thing we need is wholesale typosquatting at the DNS level.

  4. A LOT of ISPs already do this... by nweaver · · Score: 5, Informative

    I don't want to name names, but Netalyzr showed that several major ISPs already do this, and allows you to check for yourself what the behavior is on your network.

    Comcast is following the lead of other major ISPs which have been doing this for some time now.

    --
    Test your net with Netalyzr
  5. Re:The Sky isn't faling. by Shakrai · · Score: 5, Interesting

    > The sky isn't falling.

    It is if you were foolish enough to believe that the RFC/protocol standards would be obeyed and wrote code that relies on a NXDOMAIN response to detect a bad hostname. Now you are going to an 'A' record that points to a Comcast server. This will break various applications but they don't give a damn because it's all about the ad revenue and who uses the internet for anything other than surfing anyway?

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
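
The breakage described in the comment above, as an added example that is not part of the thread or any commenter's code: it probes a resolver with names that cannot exist to learn which addresses it substitutes for NXDOMAIN, then restores the "no such host" error for callers that depend on it. The function names, the fake resolvers and the documentation-range addresses (192.0.2.10, 198.51.100.7) are constructed for illustration.

```python
import secrets
import socket

def system_lookup(name):
    """IPv4 addresses from the system resolver, or None if the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return None
    return {info[4][0] for info in infos}

def find_rewrite_sinks(lookup=system_lookup, probes=4):
    """Resolve random names that cannot exist; any answer is a rewritten NXDOMAIN.

    Returns the substituted addresses (an empty set means the resolver is honest).
    """
    sinks = set()
    for _ in range(probes):
        label = secrets.token_hex(12)
        # .invalid is reserved and never delegated; the random .com label covers
        # resolvers that only rewrite under real TLDs. The trailing dot stops the
        # stub resolver from appending a local search domain.
        for name in (f"{label}.invalid.", f"www.{label}.com."):
            answer = lookup(name)
            if answer:
                sinks |= set(answer)
    return sinks

def resolve_strict(name, sinks, lookup=system_lookup):
    """Resolve name, raising the 'no such host' error the resolver hid."""
    answer = lookup(name)
    if not answer or set(answer) <= sinks:
        raise LookupError(f"{name}: no such host (no answer, or only redirect addresses)")
    return set(answer)

# Constructed stand-ins for a redirecting and an honest resolver (offline demo).
KNOWN = {"www.example.com": {"198.51.100.7"}}

def redirecting_lookup(name):
    return KNOWN.get(name, {"192.0.2.10"})  # every unknown name gets the ad server

def honest_lookup(name):
    return KNOWN.get(name)  # None stands for NXDOMAIN

if __name__ == "__main__":
    found = find_rewrite_sinks()  # live check against the configured resolver
    print("NXDOMAIN rewritten to:", sorted(found) if found else "nothing")
```

Run the probe again whenever the network or resolver changes, since the redirect addresses are specific to each provider and can change over time.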
  6. Re:The Sky isn't faling. by Maximum+Prophet · · Score: 5, Interesting

    No, it will only show those pages that have paid to be listed as what you want to see. (at least after an initial trial run)

    This could easily be done in the browser in a non-evil way. When you type in a name and get a non-response, similar names typed after would be recorded. Then, when you make the same spelling error, gooogle.com, it takes you to where you want to go. Since it's in the browser, people could edit and share their commonly misspelled domain names.

    --
    All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
  7. Re:So should... by sopssa · · Score: 5, Informative

    OpenDNS does exactly the same. (unless you register an account and change it, but that's the case with this Comcast thingie as well)

  8. Re:I just signed up the competition... by plaiddragon · · Score: 5, Informative

    > AT&T ... they aren't keeping a database of my URL lookups7.

    Until the NSA asks them to. Let's not pretend that AT&T isn't evil.

    --
    * * * --they cant all be your best, that would be confusing
  9. Re:So should... by Anonymous Coward · · Score: 5, Informative

    OpenDNS does the exact same thing. To avoid DNS hijacking if you use OpenDNS, you have to have an account with them, change your preferences and always be identifiable to OpenDNS so that it can apply your preferences. It's easier to opt out at Comcast than to opt out at OpenDNS. Besides, OpenDNS also redirects www.google.com to OpenDNS servers, not just nonexistent domains.

  10. Re:The Sky isn't faling. by doshell · · Score: 5, Informative

    > It doesn't redirect you to another 3rd party site owned by the NSA, it simply provides a web GUI that suggests sites on what the system thought you wanted to see.

    It doesn't redirect you to a third-party site owned by the NSA; it redirects you to a third-party site, full stop. This not only breaks a whole host of applications relying on DNS to inform them that a domain name doesn't exist, but it is in violation of the standards that hold the Internet together.

    --
    Score: i, Imaginary
  11. Re:So should... by Sir_Lewk · · Score: 5, Insightful

    No.

    Knock this shit off and mods, wise the fuck up. Just because it has "open" in the name doesn't make it suddenly good and benevolent. They do the exact same fucking thing.

    Anyone who's been on Slashdot for more than a week or two probably has seen dozens of comments suggesting OpenDNS in cases like this, always modded up. Every single time people post corrections pointing out that they do the same thing. Does anyone ever listen?

    Wise the fuck up

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  12. Re:So should... by seizurebattlerobot · · Score: 5, Informative

    Why do these OpenDNS posts keep getting modded up? OpenDNS utilizes the very practices this article bemoans! If you query a domain that does not exist, your browser is redirected to OpenDNS's ad-laden spam site.

    Despite their claims to the contrary, OpenDNS's servers are likely farther away from you than your local ISP's. They also keep permanent logs of all queries, which could be subpoenaed by a government entity. Their joke of a privacy policy allows them to sell your logs to "Affiliated Businesses", which pretty much means anybody. Not that it really matters - they could amend their privacy policy tomorrow morning and be selling your info by the afternoon.

    I think many people read the "Open" part of the OpenDNS name and turn their brains off.

  13. it can fail badly by RichMan · · Score: 5, Interesting

    My ISP did it for a while. The problem was that it was badly implemented and increased the load on the upstream DNS services.

    So if the middle layer DNS cache was empty and I asked for mybank.com, the bottom level DNS timed out and it failed over to the advertising page.

    ---
    Think of searching on coke.com or any real address then the system failing and redirecting you to pepsi.com.

    Think of the lawsuits. Think of the denial of service attacks possible:
          a) register not_mybank.com, have spoof of mybank.com page ready to launch
          b) pay to have a fail on mybank.com route to not_mybank.com
          c) denial of service attack to root servers for mybank.com, flip in your spoof page
          d) have the ISPs magically send people to your spoof site from their saved URLs and collect passwords

    Yeah this is a good idea.

  14. What about non-HTTP? by slushdork · · Score: 5, Interesting

    I'm a Comcast "customer" in an affected "market" (Colorado). How will this affect DNS resolution requests for non-HTTP purposes? There is no way for the Comcast DNS servers to know what a DNS name resolution request is for: it could be for HTTP, or it could be for SSH, FTP, etc. So if I mis-type an FQDN hostname in an SSH command, will the DNS resolution request now succeed? Previously SSH would fail with a "cannot resolve hostname" error or something similar. Will it now try to connect with SSH to the Comcast "domain helper" servers? What about its effects on local DNS caching servers (e.g. dnsmasq)?

    Also, this statement from Comcast's blog is blatantly false:

    > Despite the fact that web addresses are easier to remember than their IP address counterparts, sometimes you mistype an address. Let's say you type in http://www.comtcas.com/ (instead of http://www.comcast.com/). Normally you then sit and wait for the Web browser to time out, then you receive an error message that the site does not exist, and then you have to retype the correct address.

    Normally you would *never* "sit and wait for the Web browser to time out" (well, these *are* Comcast's DNS servers after all, so in this specific case it might be true). Normally, your browser would get a DNS resolution failure and show you a built-in error page instantaneously. Now, on the other hand, you have to wait until your browser goes off and loads a page of Comcast ads.

    Domain Helper my a$$!

  15. Re:The Sky isn't faling. by SCHecklerX · · Score: 5, Insightful

    If a domain name does not exist, I want my systems to receive an error telling them so, not be redirected to a system that they were not expecting to be directed to.

  16. Re:I'm done. I'll be switching as soon as possible by griffjon · · Score: 5, Insightful

    Me too.

    Oh wait, Comcast doesn't have any competition for high-speed where I live.

    Go go gadget free market!

    --
    Returned Peace Corps IT Volunteer