Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bell Starts Hijacking NX Domain Queries

Posted by timothy on from the opendns-dot-org-is-a-nice-resource dept.

inject_hotmail.com writes "Bell Canada started hijacking non-existent domains (in the same manner as Rogers), redirecting NX-response queries to themselves, of course. Before opting-out, you get their wonderfully self-promoting and self-serving search page. When you 'opt-out,' your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. During the opt-out process, they claim to be interested in feedback, but provide no method on that page (or any other page within the 'domainnotfound.ca' site) to contact them with complaints. They note that opting-in is 'recommended' (!), and that 'In order for opt-out to work properly, you need to accept a "cookie" indicating that you have opted out of this service. If you use a program that removes cookies, you will have to repeat this opt-out process when the cookie is deleted. The cookie placed on your computer will contain the site name: "www.domainnotfound.ca."' Unfortunately most Bell Internet users won't understand the difference between their true NX domain response, and Bell's injected NX response."

6 of 310 comments (clear)

  1. Waiting for DNSSEC... by Timothy+Brownawell · · Score: 5, Informative

    Isn't this sort of forgery exactly what DNSSEC is supposed to prevent?

    (And no, don't go suggesting DNSCurve. It doesn't protect against your ISPs caching resolver being malicious like this.)

  2. Re:openDNS by vslashg · · Score: 5, Informative

    I'm not sure if this is a troll or not, but just in case it isn't: openDNS does the same sort of hijacking.

  3. Re:Detect and fix DNS hijacks locally? by pipatron · · Score: 5, Informative

    I use dnsmasq on my router, you could use it locally as well. It has a --bogus-nxdomain=<ipaddr> option that you can use for this purpose.

    --
    c++; /* this makes c bigger but returns the old value */
  4. Re:From a typical web surfer's point of view by jimicus · · Score: 5, Informative

    The web is an incredibly huge piece of the internet.

    Please tell us about these 65,000 other services that need a properly functioning DNS. Since the only protocol affected here is HTTP, and the only applications that use invalid URLs are either human-driven (browsers) or malware, I suggest that the NX response is fundamentally outdated and useless.

    Not true. The DNS doesn't know if the thing making a request is a web browser or something else, so it affects literally every protocol. SMTP, POP3, SMB, everything. Only now, when you try to debug something like that it looks like the server does exist, it's just ignoring SMTP connections. You spend ages barking up completely the wrong tree.

    Even more fun is if the person affected is trying to work from home over a VPN link. If it's set up for split tunnelling, it'll try to resolve a hostname using the default DNS first and only if that fails will it try the VPN. Hint: Windows uses DNS to resolve hostnames for fileshares. All of a sudden, internalhost.yourcompany.com resolves on the public internet and they're trying to save their files to a server that's run by their ISP (and, naturally, isn't offering any SMB fileshares). Cue a bunch of angry calls to the helpdesk.

  5. Re:Legal? by RedK · · Score: 5, Informative

    How did this ever get +5 ? Seriously, if you register a non-existant domain, they won't hi-jack you. First, there's this thing called TTL on requests, when a DNS server caches a response from an authoritative source, it is not permanent. It has a Time to Live, defined in the Start of Authority in the zone on the master server or on the entry itself. So after a while, the DNS server will query the authoritative source again to make sure its answer is still correct and up to date. This is also implemented for NXDOMAIN queries, as defined in RFC2308. Section 3 is specific that NXDOMAIN queries should also return the SOA and that the receiving cache is to use the minimum TTL (the last value in the SOA). The default on this is 3600 seconds, or you guessed it, 1 hour. Since your domain will take 24-48 hours to show up on the ccTLDs or gTLDs anyhow, 1 hour isn't going to make or break anything as far as caching a NXDOMAIN answer and anyway, you wouldn't have gotten that traffic to begin with.

    --
    "Not to mention all the idiots who use words like boxen."
    Anonymous Coward on Monday August 04, @06:49PM
  6. Re:Well, that's the bad old bell... by Anonymous Coward · · Score: 5, Informative

    Not happy with Rogers at all. But don't have any alternatives where I live.

    If you're on Rogers, use 64.71.255.202 as a DNS server. It's the non-hijacking server they set up after many users complained the re-directing was buggering up remote workers and VPN users.

    It won't be pushed out through DHCP, but it works fine as a static setting.