Bell Starts Hijacking NX Domain Queries
inject_hotmail.com writes "Bell Canada started hijacking non-existent domains (in the same manner as Rogers), redirecting NX-response queries to themselves, of course. Before opting-out, you get their wonderfully self-promoting and self-serving search page. When you 'opt-out,' your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. During the opt-out process, they claim to be interested in feedback, but provide no method on that page (or any other page within the 'domainnotfound.ca' site) to contact them with complaints. They note that opting-in is 'recommended' (!), and that 'In order for opt-out to work properly, you need to accept a "cookie" indicating that you have opted out of this service. If you use a program that removes cookies, you will have to repeat this opt-out process when the cookie is deleted. The cookie placed on your computer will contain the site name: "www.domainnotfound.ca."' Unfortunately most Bell Internet users won't understand the difference between their true NX domain response, and Bell's injected NX response."
Well, that's the bad old ma Bell that's still alive and kicking in Canada.
These pages are helpful for the typical web surfer. In fact, an automatic URL "fixing" service would be one of those revolutionary Web 2.0 features that exists in the recesses of the web, part of the infrastructure and totally natural to use.
Yes, it breaks some scripts and runs contrary to published standards, but it presents a new (actually pretty old) conception of how the web should work.
You wouldn't believe the amount of angry customer calls I had escalated to me by people who think that computers, modems and internet service are all the same things and I was responsible for all of them. If you want me to share them with you, bring lots of hard liquor - you're going to need it.
The Deutsche Telekom / T-Online does exactly the same in Germany.
Love over Gold.
TACO stands for Targeted Advertising Cookie Opt-Out. It is a Firefox add-on that keeps a generic, non-user-specific cookie opting out of the things that need cookies to opt out of.
excitingthingstodo.blogspot.com
If this is a true description of the opt-out, it is SERIOUSLY broken.
Simply put, any opt-out mechanism MUST enable the user's computer to properly receive an NXDOMAIN response. Because the problem is NOT the advertising web page on a web browser typo for http, but all the other things that do DNS lookups.
For example, NXDOMAIN wildcarding even snagged and confused Dark Tangent into thinking that someone was trying to MitM the Defcon forums!
I can accept an ISP doing this only under the following conditions:
a) The opt-out is a one-click item on the page
b) The opt-out is permanent and for all connected through that IP/customer link
c) The opt-out is a real opt-out which will cause NXDOMAIN responses to be properly returned as NXDOMAIN.
This clearly fails B and C.
Test your net with Netalyzr
Does anyone know if they're applying this to other ISPs who lease bandwidth from Bell, such as TekSavvy and the like? I'm switching from Bell anyhow, but I'd be pissed if they force that on other ISPs too (along with throttling).
Browsers can take care of this quite well!
I think they mostly do.
Or put otherwise, this is a pretty heavy solution to the problem, if the problem is what it is to solve -- unlikely.
Stephan
http://stephan.sugarmotor.org
Embarq does the same thing with their DSL:
http://search.embarq.com/index.php?origURL=http://lkwkerwer.com/
Better known as 318230.
Is there any way a local caching name server can detect this brokenness and return the right answer? I seem to remember some bind configs a few years back that would do that but I'm not sure if they would still work.
Or maybe a firefox plugin could detect this damage and restore the original, correct behavior somehow.
Isn't this sort of forgery exactly what DNSSEC is supposed to prevent?
(And no, don't go suggesting DNSCurve. It doesn't protect against your ISPs caching resolver being malicious like this.)
This is what I find interesting/scary about this. Search for "Microsoft" from that webpage. Of course the first hit is from www.microsoft.com and if you look carefully you can see that it is sponsored. But the fourth hit down is for a sponsored link.
Microsoft Help & Support 1-888-935-4306
Get Microsoft Technical Help & Support by Expert 24x7, Call now !!
Sponsored by: www.iyogi.net
Very interesting that they mix sponsored and regular hits. I thought normally these were at the top of the results page and separated by bars/colors/lines/fonts.
Maybe I'm misunderstanding, but I get the impression from the summary that Bell is hijacking domain queries, meaning that users can't easily choose not to use their provider's DNS services. So the idea is that, even if you choose to use another DNS provider, Bell will intercept your query and give you their own response.
Not that there aren't ways around it, but why should users have to try to figure out ways around something like this? An ISP shouldn't be intercepting your traffic without your permission.
I'm not sure if this is a troll or not, but just in case it isn't: openDNS does the same sort of hijacking.
Using other services like OpenDNS is certainly one way to go, but last time I checked they had issues when it came to IPv6. Does anyone know any IPv6-friendly open DNS servers?
Jumpstart the tartan drive.
Don't get me wrong. I don't like this practice. But I do not know what the technical issues are with doing this. Are there security concerns? How does it break stuff? Also, does anyone know if complaints have been filed with the CRTC or if this practice is contrary to CRTC rules?
Bell's current business model pretty much relies on people not caring about the shit they pull.
It's sort of interesting (or infuriating depending if I'm trying to use the internet..). My new ISP makes it no secret they hate everything Bell does. I think that largely has to do with them leasing their lines from Bell, and having their service screwed up when Bell does things of this nature. I imagine I'll be getting an email from my ISP soon telling me who to complain to about the service getting buggered yet again. Thanks Bell, I'll be by your office in the morning with a fresh cinderblock. I see you replaced your front window from the last time I put one through it.
And that was the last Terry Fox run I ever participated in.
If you're using TekSavvy, then you're using TS's DNS servers, so your query goes to TS's DNS server which should respond with NXDOMAIN. You aren't even contacting the Bell DNS, so there's no opportunity for them to interfere.
It's possible, since Bell controls the last mile, that they could intercept NXDOMAIN results going to your machine and replace them using DPI, but I can't see how they'd get away with that without being in violation of CRTC rules about changing the meaning of communication. And, at least for me on Primus, this doesn't seem to be the case (yet).
I have just read an article about a child getting a possible 10-year sentence for opening a piece of hardware to install software on it. And now I am reading this? I am angry, very angry; please, _jail time_ for the people who made this decision at Bell, NOW!
Can we get a fair world, please?
-Woof woof woof!
Then you've never used Cisco's VPN client.
Hint: Connecting to internal-machine.yourcompany.com over the VPN doesn't work when internal-machine.yourcompany.com can be resolved from outside the company.
Er, OpenDNS does exactly this. Only I don't think it has an opt-out.
All intents and purposes. Not intensive purposes.
Maybe I'm misunderstanding, but I get the impression from the summary that Bell is hijacking domain queries, meaning that users can't easily choose not to use their provider's DNS services.
Your ISP always provides a couple of caching DNS resolvers, and it tells your computer about them when you get your IP address (i.e., provided by the DHCP server). So your computer will by default send all DNS queries through your ISP's DNS resolvers, and they can send you whatever garbage results they want.
This is most likely "only" Bell making their DNS resolvers (that everyone uses, because they're the default) malicious, and not them redirecting traffic meant for other DNS servers to their servers.
How is this cookie supposed to work for lookups from apps other than a web browser?
I am becoming gerund, destroyer of verbs.
127.0.0.1 block.opendns.com
127.0.0.1 guide.opendns.com
OpenNIC offers free, open, and democratic domain name services. No redirects like your favorite ISP or OpenDNS (and to think these used to be the "good" guys back in the days of everydns.net). All ICANN domains, plus a good helping of alternate roots (including OpenNIC) as a bonus. The OpenNIC DNS network is slowly building, with servers around the world.
Using your ISP's name servers is so passé. They'd like the masses to think that's the only choice.
OpenDNS only does this if you use their filtering options. If you use just the standard straight-up DNS service you can opt out.
I'm not a fan of OpenDNS because they also do NXDOMAIN wildcarding.
However, they do have a working opt-out in the OpenDNS dashboard, but you need to use their notification mechanism so they can track where you are to maintain the opt-out.
So, what happens if I ping a domain that doesn't exist? Presumably this will then cache the DNS NXDOMAIN reply. If I then buy the domain, set up a DNS entry, and then try to connect to it, I will get their server instead of mine. This sounds like it would fall foul of computer misuse laws; intentionally hijacking a connection. The presence of ads means that they're doing it for commercial purposes, which usually carries a heavier sentence. Other ISPs will not be breaking these laws, because they will just be inadvertently blocking my connection, rather than hijacking it.
I am TheRaven on Soylent News
Really?
I don't know anyone that uses DNS servers that aren't provided by their ISP, unless they have some specific need to do otherwise.
I mean, other than in cases like this, what does it get you?
It does, but you need an account to opt out. Though I've never tried it so I'm not sure if their "opt-out" is smart enough to register the IP address you're connecting from and add it to a list of "addresses not to break DNS for" or if it's a similar "mock-up a browser page".
And it is especially difficult to get it to stop. You can, but you have to turn off every feature they offer beyond bare DNS.
Of course, they do provide quite good bare DNS, so that's not a terrible thing, but it would be much better if their "helpful" services were opt-in.
I don't know what kind of crack I was on, but I suspect it was decaf.
Like others have said, OpenDNS does this same thing, it shows you a Yahoo search page, and if you are one of those F5ck Mycr0$of7 types, then that will be a Bing search soon.
I just set mine up with OpenDNS to see, and there doesn't seem to be an Opt-Out for it. And none of their options are really that nifty, they can all be done within your Router, and/or within your Browser settings.
> I mean, other than in cases like this, what does it get you?
You'd be amazed at how bad the DNS of some ISPs can be.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
For those of you who want to let Bell hear a bit of your mind, the comments form is here:
https://www.bell.ca/support/PrsCSrvInt_CtUs_Eform.page
The first hit for me is the wonderful errornerd.com, which can fix these errors if you download their registry utility.
They can even fix a host of other errors, even 404s and errornerd.com is a fraud errors.
Are you a grammar Nazi? I'm trying to improve my English; please correct my errors!
This...
When you "opt-out", your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. ...is just ****ing unacceptable. That's not ****ing opting out.
Bresnan Communications pulls this same crap. The only way to opt out is to accept their cookie.
I spent June in Toronto and Ottawa with friends and my family, all of whom have internet service provided by Rogers. Now I have a bunch of typo URLs in FF's history when I'm typing in the address bar. Anybody in the province who can get DSL should go to TekSavvy, where you'll get good service and none of this crap.
Viewed in the context of net neutrality -- how can there be net neutrality if they don't even provide net access
according to the semantics of the protocols?
...Cavtel (for some reason, the only DSL available in my office building, even though I can see the Verizon CO 1000 yards away from my window) does this same BS and it drives me nuts, I just changed the DNS servers returned by our DHCP box and voila.
Broken, and boneheaded, but solved with a small amount of work. Still, it's something I shouldn't have had to bother with, and the whole "breaking the Internet" thing is a problem -- they should no longer be able to classify themselves as an "Internet Service Provider" since they're not doing a reasonable job at it.
That is unlikely. I think it would require deep packet inspection to work. You do not really need your provider's DNS (although it is useful when it works properly). You should be able to run a minimal DNS server locally and set it to bypass your ISP and go to higher level servers.
Free fast Public DNS Servers List
Personally I use 4.2.2.1 and 4.2.2.2 due to them being easy to remember
Lorem ipsum dolor sit amet, consectetuer adipiscing elit.
Optimum Online and Verizon internet services in my area have been doing this for a while. You're telling me this isn't business as usual? I get that the opt-out method is pretty stupid, but at least they have an opt-out option.
Paytec/McCloud telco does this here in the states.
There's an easy solution for that. When I want to visit slashdot, I type in:
http://216.34.181.48/
Or google:
http://74.125.95.103
or, if that's too slow:
http://74.125.95.105
Is that too hard to remember?
OK, kidding aside, I agree - The DNS system's a mess. I'd like to see something where typo-trolls could be shut down, but that's not simple. Without writing a thesis on the subject here, it's pretty damned complicated. But, stopping DNS-folks from parking on domains is simple as long as we (regionally) rule on whether or not they're allowed. Right now, they are. That pisses off most slashdot folks, but not most of the general public. So, we tolerate it and come here to bitch and whine. /bitch-and-whine
He's getting rather old, but he's a good mouse.
I'm sure those faked browser error pages won't be at all confusing: visiting the page in Chrome displays a fake Safari error page (unsurprising, as the user agent is for some odd reason Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.196.2 Safari/532.0).
This seems to only affect lookups for queries prefixed with www. For example, a lookup of blerght.com returns nx, while www.blerght.com returns 67.63.55.2. There may well be other subdomain queries that it also hijacks.
DNS is recursive, right? Starting with the TLD servers, then downwards. Someone upstream of Bell is returning a 'domain not found' and Bell is intercepting that and modifying it.
I understand that you're using Bell's local DNS servers to start the search, but the effect is the same as them intercepting and modifying your communications.
ISPs doing this kind of crap should get sued under whatever law most closely applies.
where's that perl script that queries random domains to break the ISP's DNS cache?
-- I was raised on the command line, bitch
DNS doctoring is bad for many reasons.
Just because a domain exists doesn't mean it's the one you wanted. Think of all those properly registered phishing sites out there, just waiting for a user typo. What's the difference between them and a DNS search redirect? If anything, this highlights the broken behavior of using the (non-)existence of a domain name for anything useful. You really care about whether you got the RIGHT site, not just *a* site.
Oh, I see... so then Bell can decide for me whether I'm about to see the "right" site? Yeah, that WOULD be helpful. Thankfully it will be easy to agree on what's the "right" and "wrong" sites. No problem there.
[/sarcasm]
I only post comments when someone on the internet is wrong.
And everyone wins: a version of BIND that allows an overlay of master records based on secondary queries. You look something up, the authoritative query goes out to the replacements, the fallback position is the root nameservers.
Then, you can participate in OpenDNS or OpenNIC or whatever you want, *and* participate in the base DNS network as well. Plus, if you ever decide someone is being naughty, you can just overlay them with a whiteout (and you get rid of every domain-squatter-searcher you want to get rid of,) or you can simply override domain squatters with the original rightful owner.
Plus, the extortion money you currently pay? You can get rid of it basically for free. Set up a domain in the overlay instead.
NXDOMAIN spoofing/redirection is inexcusable, but "resolver failover on NXDOMAIN" behavior is broken too. Cisco once again proves that it is clueless about the fundamentals of DNS (any of their customers with the GSS product already knows this of course).
The opt-out is a true opt-out. You enter a list of IP addresses to opt-out on your account screen, and from there it gives you real NXDOMAIN responses (and it even works with filtering).
They're reselling InfoSpace. Click on this link to demonstrate.
InfoSpace claims to be passing search queries to Google, Yahoo, Bing, Ask, and Twitter, then combining the results. I'm surprised they can do that. Google, Yahoo, and Bing all prohibit that in their terms of service. (With Google, you're only allowed to use Google's display format, expressed in their AJAX API, but you can add additional info. Google doesn't allow reordering or combining their results. Yahoo is more flexible; you can reorder, reformat, and, subject to some restrictions, add ads. Bing allows reordering and combining for Web searches, but not other types of searches.)
Better Headlines:
"Bell Is Hijacking NX Domain Queries"
Does Bell "startS" hijacking on a daily basis or all the time? Tony Hawk skateS every day.
"Bell Hijacking NX Domain Queries"
Brevity is wit.
Hit the reply button to make excuses and apologies.
Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
I use Bell, and I noticed the hijacking maybe a week back. Even thought of submitting a story to /.
But then it magically disappeared later on (next day?). Hasn't come back since, and before posting, I made sure that I was receiving NXDOMAINs and not Bell's specially crafted "Domain not found" for Opera:
[eon@enthalpy:~]$ host fadfad.ca
Host fadfad.ca not found: 3(NXDOMAIN)
[eon@enthalpy:~]$
So, did they change their policy, or am I the only one mysteriously not affected by this?
I would imagine that their use of the Apple-designed Safari logo (it is stored on their server at http://assist.infospace.com.edgesuite.net/bellassist/pics/compass.png) is an infringing use of Apple's intellectual property, especially if it is designed to appear as though Safari itself generated the message and cause confusion as to the source of the message.
Get Apple legal's hounds on Bell and see what happens.
Yes, openDNS does do this. There's a couple of ways to get around the NXDOMAIN hijacking. First, you could use another DNS server. For a list of good, free, DNS servers, I use the vivilProject. They have a bunch of scripts which can determine the fastest DNS servers for your location. http://80.247.230.136/dns.htm The other option is to run your own BIND server and configure it to cache only. For most of you Linux guys out there, major distros will provide a package to do this. This option not only gets around the NXDOMAIN garbage, but it also gives you faster DNS resolution on your local network.
Yes, I understand how you get DNS servers through DHCP. If it's only Bell choosing how their own DNS servers respond, then it doesn't seem like much of a problem.
However, the summary talks about "hijacking" DNS queries. The summary is pretty light on details, and it doesn't link to other articles, so I'm not sure what it means by "hijacking", but I was guessing from the wording and tone of the article that they were intercepting DNS queries to other DNS servers. If that's not the case, then personally I find the summary misleading. But maybe I'm just wrong.
Even without your VPN client doing that it'll break things because many applications don't make any subsequent DNS lookups as soon as they've had one successful one - or if they do it doesn't happen for some time.
So if your end-user connects to the VPN after starting the application rather than before, the application will need to be restarted. And this is before we even think about things like operating systems caching DNS entries.
Sorry, I'm new here and relatively inexperienced in the whole area of DNS-network-domain malarkey..
Their DNS does indeed return the proper NXDOMAIN responses if you a) sign up for an account, b) register your IP with them, and c) disable all the "advanced" features they offer. Set it to be basic no-frills DNS and that's indeed what you get with them.
So yes, their opt-out for that sort of thing, while a bit of a pain, does work properly. But considering that their entire service is opt-in to begin with, there's not a lot to complain about on that score.
For people with dynamic IPs, they offer software to run that pings them every so often to update your IP and make you stay opted out. Actually, they use that because you can create "templates" of settings to apply to different networks you use and such.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
That is unlikely. I think it would require deep packet inspection to work.
You can't just redirect the DNS ports to another server? You may be right. I just wouldn't expect it to be all that complicated.
Oh, I see... so then Bell can decide for me whether I'm about to see the "right" site?
I'm confused. I don't recall even implying such a thing. I likened Bell to phishers... how can that be an endorsement of their results?
In the event that I was unclear, let me say it more explicitly: when you use user input to do a DNS lookup you can't trust the results. There are typos and typosquatters. So whether or not the DNS server returns the proper error message or resolves to a site is *meaningless* for any piece of software to rely on.
Just like a server that inherently trusts the client is broken, so is any software that makes assumptions about a remote site just because it exists.
How much good does that do you on a domestic DHCP-allocated address?
If memory serves they have a notification mechanism you can set up to update your account with your current IP address.
It seems like a good time to re-pimp my dnsfix utility that undoes the effects of their NS response mangling. I wrote it six years ago when VeriSign tried to pull the exact same NX proxying bullshit with its SiteFinder "service".
3.243F6A8885A308D313
dnsmasq supports specifying bogus NX domains, and rewriting/fixing them.
Or install your own DNS server.
I don't see any definition of this "cookie" in the DNS RFCs. I don't see it in the SMTP RFCs, or Telnet, or FTP, or SNMP, or SSH, or in fact any Internet protocol except for HTTP. And I hate to have to tell Bell Canada this, but the majority of the Internet does not use HTTP for name resolution. It uses DNS, and interprets DNS responses including NXDOMAIN. So if they're going to implement an opt-out solution for DNS, it needs to work with DNS clients and not just with HTTP clients. Otherwise, they need to abandon DNS redirection and begin doing transparent proxying of HTTP instead.
Oh, and before you say "But everything uses the Web now!", riddle me this: what transport protocol does World of Warcraft use to communicate between the game and Blizzard? What protocol does Everquest use? Hint: it's not HTTP. Do you want to claim that World of Warcraft and Everquest have a negligible number of players?
And what about when I want to visit the phishing site to take screenshots to show my users the signs that they're on a phishing site? Or what about when I really do want to visit goolgled instead of google?
Nah, I'd much prefer the computer keep what it "thinks" I meant to type to itself. As a group I thought we already realized from Microsoft's Clippy that the computer changing around what you do is annoying. Heck my cell phone still does this and it's one of the most annoying things in existence. I type a makeshift abbreviation for a word and half the time it replaces that with what it thinks I meant. The whole concept is broken.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
Yes, you!
Report their fake error page: Help -> Report Web Forgery in Firefox, probably in the same place in other browsers.
Bell fucks with DNS, Rogers hijacks web traffic to insert little messages about your bandwidth usage. Those two are just bad netizens all around.
The simplest solution to Bell's DNS mangling is to not use their DNS. If you can't set up your own recursive DNS server (bind), well, try to find an open DNS you can mooch off of. Maybe Bell's corporate side doesn't do this kind of bullshit, just a guess...
-Billco, Fnarg.com
I'm on a Bell DSL connection. I am unable to reproduce this problem.
;; QUESTION SECTION:
;bing.honk-honk.qc.ca. IN A
;; AUTHORITY SECTION:
ca. 3600 IN SOA jbq01.tor.cira.ca. admin-dns.cira.ca. 2009080414 1800 900 604800 3600
;; Query time: 56 msec
;; SERVER: 206.47.244.78#53(206.47.244.78)
;; WHEN: Tue Aug 4 14:16:41 2009
;; MSG SIZE rcvd: 99
You are right, if you are on Bell and you use dig with a different DNS server all is well. But if they really wanted to be jerks they could do what that fellow you responded to was afraid of without deep packet inspection for 99.9% of those that just hard-code some sane DNS server IPs. They already have a firewall; now they just redirect everything to port 53 to another spigot connected to one of their many evil DNS servers. There is no need to rewrite any frames or anything of that sort. That server can even be Windows, since everything supports SOCK_RAW, which is just one way to not have to worry about correct IPs. It just replies to all ARPs, hey that's me, and returns bogus IPs when NXDOMAIN should have been returned instead.
On reputable sites, they are.
Bell is clearly anything but.
Would it be better if it said Bell starts DNS Fraud?
This is not the funny you're looking for.
For goodness' sake stop using localhost to blackhole things!
I'm quite certain that applies to only those people that use Bell's DNS servers. I switched immediately to a public/free DNS service, and I no longer get my NX responses hijacked.
Type "http://www.domainnotfound.ca/" in IE 8 - you get "Internet Explorer cannot display this page."
Type "http://www.domainnotfound.ca/" in FF - you get directed to http://www.domainnotfound.cawww.domainnotfound.ca/ (yes, doubled name, it's not a typo from me)
Go to "http://www.domainnotfound.ca/clickserver/". The "back" link is broken and doesn't work (without looking, I assume it's a javascript:back()).
One word: pathetic.
--You can do this with the Squid proxy cache as well, pretty easy to set up in the config file.
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
I just registered it. :)
Frog
--Well, now you know one. ;-)
--I use 4.2.2.x almost exclusively after dealing with horrible ISP DNS servers. Internet access is nice and fast now. Slowdowns, having to bounce the modem, etc are pretty much nonexistent now. And I never have to worry about "ganking" DNS situations like multiple other providers have pulled.
This is old news.
how is babby formed?
Because, you know, the only thing that relies on DNS is users browsing web pages.
It's not like you can use their DNS anyways. That's the first thing their techs tell you when you get them on the phone, to switch. Also, when you finally get sick of their lousy service and switch, they hold your line hostage for 30 days and inflict an extra month of embarrassingly bad DSL service on you as punishment. Bell has become a sad joke.
I've made the point before, but it's worth pointing out again that this is just typosquatting on a massive scale.
By the way, there's a new, free typosquatting scan tool at aliasencore.com. It shows you all the registered .COM domain names that are one character misspellings of any Alexa top 100,000 site you enter. It also displays screenshots of those typosquatting sites. It's a nifty way to get a quick idea of the rampant growth of typosquatting. Here's an example that shows the 425 registered .COM domain names that are one character away from google.com.
Many people don't realize that there's TONS of traffic going to typo domains (whether registered or not). For instance, youtuve.com (notice the v instead of the b) got 347,852 visitors over the last 31 days. It redirects to another domain for cloaking purposes, but here is the traffic report. This level of traffic provides the financial incentive to implement these DNS schemes.
Full disclosure: I am Graham MacRobie, the CEO of Alias Encore, Inc. We help companies recover cybersquatting domain names, but we focus solely on "slam-dunk" typosquatting cases (obviously only registered domain names). I can speak from personal experience in this field that the very last thing we need is wholesale typosquatting at the DNS level. Bell Canada should turn this "feature" off immediately.
Oh, then I did misunderstand. I probably wouldn't have used the word "hijack" to describe Bell's servers giving an improper response to a DNS query, unless that query was actually directed elsewhere. But maybe that's just me.
... So whether or not the DNS server returns the proper error message or resolves to a site is *meaningless* for any piece of software to rely on.
Just like a server that inherently trusts the client is broken, so is any software that makes assumptions about a remote site just because it exists.
Knowing whether a site exists can still provide useful information for a wide variety of uses. Nobody is using the existence of a server as a form of authentication, okay? We have other mechanisms for verifying the identity of a site, when such identification is important. As the simplest example of how this screws things up, having a valid NX response versus a made up lie of a response will make the difference between an app failing immediately because the NX response says the server doesn't exist, versus waiting and eventually timing out trying to connect to a server that doesn't exist, but the app doesn't know it's because the server is slow, or the service is down, or the packet filter rules are eating your packets.
Just because you don't know or understand how this breaks things doesn't mean it isn't broken.
The behavior of identifying typosquatters and directing the user to the site they intended is properly implemented in the web browser. Not by fucking up one of the fundamental protocols of the internet. The web isn't the internet. And this behavior is broken even for the web.
The enemies of Democracy are
This change breaks the URL completion feature in Safari where if you type "cnn", Safari automatically displays "cnn.com". If you type a URL that is in your browser history, then of course Safari will auto complete it before submitting the http request, but if it's a domain you haven't visited before, you now get the useless Bell page instead of the page you really wanted. Does Bell just use Internet Explorer? If they were Mac users, they wouldn't have done this.
There's no forgery. You are connecting to their server just as you intended to and it is giving exactly the response they configured it to give. However, that response is not the one specified by the RFC.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
But that isn't news at all. They always sucked.
Anything can be found funny, from a certain point of view.
Man, do I ever hate Rogers. But I especially hate Bell. But *especially* Rogers.
Free the Quark 3 from asymptotic confinement! Bring your charm! Don't get down! All colours and flavours welcome!
OK, after reading the article summary, everything linked from there, and all of the comments, it's still not clear to me whether Bell Canada is: a) replacing NXDOMAIN within their own DNS resolvers with address records pointing to the "helpful" web page or b) mangling packets so that any NXDOMAIN response from any nameserver to any client on its network gets its contents replaced with the "helpful" crap.
(a) is relatively easy to deal with, by setting your resolvers to "trusted" ones (perhaps a local caching server running on your own network), instead of the spoofy ones provided by Bell Canada.
(b) is much harder to deal with; you'd probably have to either have multiple Internet connections, or set up an encrypted tunnel through Bell Canada's network to the "trusted" resolvers.
Can anyone confirm/clarify exactly which form of "DNS hijacking" Bell Canada is allegedly perpetrating? "DNS hijacking" by itself is such an imprecise term...
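A way to answer that question from your own machine, as an added example rather than anything from the poster or from Bell: send a resolver a query for a random label that cannot exist and look at the raw answer. A genuine NXDOMAIN comes back as RCODE 3 with no answer records; a rewrite comes back as NOERROR with A records. The two sample responses at the bottom are constructed for offline checking, and the resolver IP you pass to probe() is your own choice.

```python
import os
import socket
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # A/IN query, RD set
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, off: int) -> int:
    # advance over labels until the root label (0) or a compression pointer (top bits 11)
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)  # pointer is two bytes, root label is one

def parse_response(data: bytes) -> dict:
    """Extract RCODE and any A records from a DNS response (RFC 1035 wire format)."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x0F, "a_records": addrs}

def classify(resp: dict) -> str:
    """RCODE 3 is a genuine NXDOMAIN; NOERROR plus A records for a random name is a rewrite."""
    if resp["rcode"] == 3:
        return "honest NXDOMAIN"
    if resp["rcode"] == 0 and resp["a_records"]:
        return "rewritten to " + ",".join(resp["a_records"])
    return "inconclusive"

def probe(resolver_ip: str, timeout: float = 3.0) -> str:
    """Ask resolver_ip for a random label that cannot exist and classify the answer."""
    canary = os.urandom(8).hex() + ".example"  # .example is reserved, never delegated
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(canary), (resolver_ip, 53))
        return classify(parse_response(s.recv(512)))
# Constructed sample responses (not captured from any ISP) for offline checking:
SAMPLE_HONEST = b"\x12\x34\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00\x03zzz\x07example\x00\x00\x01\x00\x01"
SAMPLE_REWRITTEN = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                    b"\x03zzz\x07example\x00\x00\x01\x00\x01"
                    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc6\x33\x64\x07")
```

Run probe() once against the ISP's assigned resolver and once against a resolver outside the ISP's network: a rewrite reported only by the ISP's resolver is case (a), while a rewrite reported by both means the answer is being altered in transit, case (b).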
Bell Canada's engineers should read draft-livingood-dns-redirect-00 which if nothing else explains how bad their implementation is.
While there isn't consensus on where to go with this draft, there is consensus that cookies don't work and that NXDOMAIN rewrites are different in nature to the other forms of redirect in draft-livingood-dns-redirect-00 and should be treated as a separate issue from the other forms of redirect.
This is being discussed in the dnsop working group.
btw, if you are a current Bell customer don't even try calling their tech support to complain or ask how to opt out. I just did and the tech support had no idea what an NX Domain Query was, nor did the Supervisor I was transferred to. I even used small words to explain what Bell was doing and they claimed they had no idea what I was talking about. Go figure.
Just got an e-mail from Comcast that it is currently implementing the exact same thing. Here is the email: "Dear Comcast High-Speed Internet Customer, At Comcast, we're constantly looking to deliver the best online and search experience. That's why we're introducing a new feature called 'Domain Helper' to help you find the sites you want when you mistype a Web site address in your Web browser. You'll notice this service if you mistype a Web site address, for example "http://www.comtcas.com" instead of "http://www.comcast.com." Instead of receiving an error page that the Web site does not exist, this new service will provide you with a Web page of suggestions and links to get you back on track quickly and help you find what you need faster. We also understand that sometimes customers want to surf their own way, without the assistance of Domain Helper, so we also offer an easy way to opt-out when you receive the suggestion Web page. You can also opt out by visiting the opt-out page now. We hope you find this to be a valuable tool to help you surf the web even faster. Sincerely, Comcast"
Just to add an example that might make more sense to people, checking whether the originating domain has a DNS entry is one of the easiest and simplest ways to filter spam, and will probably catch 75-80% of it. By having a DNS server that hijacks the response and sends a false answer, they are breaking that method of spam filtering, which causes an awful lot of unneeded processor time on mail that wouldn't have gotten onto the server in the first place, which in turn slows things down for the legitimate mail getting through.
While it's not quite so important to somebody who's on a home connection, it is an example that might be more tangible to the casual reader, and which might make it easier for them to understand why DNS hijacking is a bad thing.
If you believe everything you read, you'd better not read. - Japanese proverb
Perhaps they should be required to pay an appropriate registrar for each domain they simulate....call it a rental fee, the same as the purchase price, good for 1 response, non-refundable.
No, not exactly. If I own domain thisismydomain.net and I have two hosts, www and ftp, and that's ALL that I have defined, anyone who enters wwww.thisismydomain.net or sftp.thisismydomain.net will get redirected, even though the domain (thisismydomain.net) does exist. The solution is a wildcard DNS record so I end up with
www 135.84.0.1
ftp 135.84.10.30
* www.thisismydomain.net
All names other than www and ftp will resolve to my www server, but without it, they get hijacked and an internet user might just think that my site had gone offline.
One way to attack this: copyright infringement. This image that they serve up to Safari users is, according to Photoshop, identical to file:///Applications/Safari.app/Contents/Resources/compass.icns which is surely copyrighted by Apple. This won't necessarily shut them down but it would draw some attention and maybe hurt them financially a bit.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
How would YOU implement "figure out if this is an internal or external host"? Without querying both name servers, and seeing which one returns a valid result.
Oh, and the internal one usually DOES return valid results for external hosts too, as it's the one people use to surf at work.
Well, where I work we disable split-tunnel in our VPN client. As inconvenient as that is, it's the best thing to do from a security standpoint anyway.
If split-tunneling were on, I'd provide a view in our DNS infrastructure to those VPN clients, which can resolve the internal versions of domains which are owned by us and used both internally and externally, and Internet resolution of names in external domains. The internal domains also contain the external entries so that the VPN clients (and anything else, for that matter) can resolve external names in the domain(s), regardless of which version of the domain(s) they use. In our case, we don't use NAT between our internal network and the Internet (everything goes through application-level proxies or gateways); if we had a NAT requirement, I might have to re-think that architecture. NAT is evil, though, with respect to far more than just DNS, and I hope we can avoid it.
Their cookie-based fix is offensively lame - not only does the typical implementation of DNS hijacking only "help" queries to http port 80 and maybe https port 443, while breaking other protocols, their opt-out "fix" only fixes connections to those ports from cookie-supporting browsers, not from the applications for other protocols. Comcast's opt-out uses MAC addresses, so at least you can opt out for everything, not just only opt out from the least broken services.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks