Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bell Starts Hijacking NX Domain Queries

Posted by timothy on from the opendns-dot-org-is-a-nice-resource dept.

inject_hotmail.com writes "Bell Canada started hijacking non-existent domains (in the same manner as Rogers), redirecting NX-response queries to themselves, of course. Before opting-out, you get their wonderfully self-promoting and self-serving search page. When you 'opt-out,' your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. During the opt-out process, they claim to be interested in feedback, but provide no method on that page (or any other page within the 'domainnotfound.ca' site) to contact them with complaints. They note that opting-in is 'recommended' (!), and that 'In order for opt-out to work properly, you need to accept a "cookie" indicating that you have opted out of this service. If you use a program that removes cookies, you will have to repeat this opt-out process when the cookie is deleted. The cookie placed on your computer will contain the site name: "www.domainnotfound.ca."' Unfortunately most Bell Internet users won't understand the difference between their true NX domain response, and Bell's injected NX response."

12 of 310 comments (clear)

  1. Thank god I don't work there anymore by Drakkenmensch · · Score: 4, Insightful

    You wouldn't believe the amount of angry customer calls I had escalated to me by people who think that computers, modems and internet service are all the same things and I was responsible for all of them. If you want me to share them with you, bring lots of hard liquor - you're going to need it.

  2. If true, a SERIOUSLY broken opt-out... by nweaver · · Score: 5, Insightful

    If this is a true description of the opt-out, it is SERIOUSLY broken.

    Simply put, any opt-out mechanism MUST enable the user's computer to properly receive an NXDOMAIN response. Because the problem is NOT the advertising web page on a web browser typo for http, but all the other things that do DNS lookups.

    For example, NXDOMAIN wildcarding even snagged and confused Dark Tangent into thinking that someone was trying to MitM the Defcon forums!

    I can accept an ISP doing this only under the following conditions:

    a) The opt-out is a one-click item on the page

    b) The opt-out is perminent and for all connected through that IP/customer link

    c) The opt-out is a real opt-out which will cause NXDOMAIN responses to be properly returned as NXDOMAIN.

    This clearly fails B and C.

    --
    Test your net with Netalyzr
    1. Re:If true, a SERIOUSLY broken opt-out... by TheRaven64 · · Score: 3, Insightful

      I'm not sure how an opt out that uses cookies is supposed to work. My mail client, for example, does a DNS lookup for smtp.domainwithtypoinname.com. The resolver on my machine sends a UDP packet containing the DNS request to the DNS cache. The DNS cache replies with NXDOMAIN. The function called by my mail client returns failure. How does the DNS cache get hold of the cookie to know that it should return the real NXDOMAIN?

      Hopefully the root servers will start using DNSSec soon, so the resolver can just flag these and the libc functions can return the same kind of failure as they would for an NXDOMAIN reply.

      --
      I am TheRaven on Soylent News
    2. Re:If true, a SERIOUSLY broken opt-out... by John+Hasler · · Score: 3, Insightful

      The doofuses behind this are unaware of the existence of any software other than a browser that uses DNS. They would tell you that DNS is part of the Web.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  3. Re:From a typical web surfer's point of view by nicolas.kassis · · Score: 4, Insightful

    This should be handled at the infrastructure level. DNS doctoring is bad for many reason. I'm sure a firefox or IE addon would actually be much more preferable. Something easy to dis-activate when things break.

  4. Re:From a typical web surfer's point of view by qortra · · Score: 5, Insightful

    These pages are helpful for the typical web surfer

    How is that? By encouraging them to use a search engine with which they are unfamiliar, or by leading them away from their intended target with advertising. Look at the Sample Page again, and explain to me the utility in that crap. Domain errors should ideally result in a big red "X" so the user knows to turn around and try again.

    In fact, an automatic URL "fixing" service would be one of those revolutionary Web 2.0 features that exists in the recesses of the web, part of the infrastructure and totally natural to use.

    Now this is an interesting idea. Let me tell you the best way to handle this - on the client side, after the proper DNS opportunities have been exhausted. This is because the client best knows the users browsing proclivities (most often viewed pages, favorite search engines, etc).

  5. Re:From a typical web surfer's point of view by superdana · · Score: 4, Insightful

    This isn't about the web, this is about the Internet--there's a difference. The web is just one tiny piece of the Internet, and there are 65,000 other services that require a properly functioning domain name system. Screwing it up in a way that only "works" for the web is totally unacceptable.

  6. Re:Does the Taco add on work here? by characterZer0 · · Score: 2, Insightful

    It does not work for every non-browser application that uses DNS.

    --
    Go green: turn off your refrigerator.
  7. Re:From a typical web surfer's point of view by blueg3 · · Score: 2, Insightful

    How is the only protocol affected HTTP? When a DNS query is made, it doesn't state what it's for -- regardless of the protocol to come, the DNS query is the same. Yet when an NX should be returned, a valid but incorrect response is returned. This is quite a significant difference.

  8. This ought to be illegal by Baron_Yam · · Score: 2, Insightful

    DNS is recursive, right? Starting with the TLD servers, then downwards. Someone upstream of Bell is returning a 'domain not found' and Bell is intercepting that and modifying it.

    I understand that you're using Bell's local DNS servers to start the search, but the effect is the same as them intercepting and modifying your communications.

    ISPs doing this kind of crap should get sued under whatever law most closely applies.

  9. Re:And yet I don't see it by Kozz · · Score: 2, Insightful

    DNS doctoring is bad for many reason.

    Just because a domain exists doesn't mean it's the one you wanted. Think of all those properly registered phishing sites out there, just waiting for a user typo. What's the difference between them and a DNS search redirect? If anything, this highlights the broken behavior of using the (non-)existence of a domain name for anything useful. You really care about whether you got the RIGHT site, not just *a* site.

    Oh, I see... so then Bell can decide for me whether I'm about to see the "right" site? Yeah, that WOULD be helpful. Thankfully it will be easy to agree on what's the "right" and "wrong" sites. No problem there.

    [/sarcasm]

    --
    I only post comments when someone on the internet is wrong.
  10. This broke Safari's domain completion feature by mikeloader · · Score: 2, Insightful

    This change breaks the URL completion feature in Safari where if you type "cnn", Safari automatically displays "cnn.com". If you type a URL that is in your browser history, then of course Safari will auto complete it before submitting the http request, but if it's a domain you haven't visited before, you now get the useless Bell page instead of the page you really wanted. Does Bell just use Internet Explorer? If they were Mac users, they wouldn't have done this.