Comcast the Latest ISP To Try DNS Hijacking
A semi-anonymous reader writes "In the latest blow to DNS neutrality, Comcast is starting to redirect users to an ad-laden holding page when they try to connect to nonexistent domains. I have just received an email from them to that effect, tried it, and lo and behold, indeed there is the ugly DNS hijack page. The good news is that the opt-out is a more sensible registration based on cable modem MAC, rather than the deplorable 'cookie method' we just saw from Bell Canada. All you Comcast customers and friends of Comcast customers who want to get out of this, go here to opt out. Is there anything that can be done to stop (and reverse) this DNS breakage trend that the ISPs seem to be latching onto lately? Maybe the latest net neutrality bill will help." Update: 08/05 20:03 GMT by T : Here's a page from Comcast with (scant) details on the web-jacking program, which says that yesterday marked the national rollout.
I'm not an expert on DNS. Can someone explain to me, as simply as possible, why this is a bad thing? I understand that it's a pain to be redirected to some random ad-laden piss-poor search page, but what will this break?
This is not a troll or flamebait, I genuinely want some education.
All intents and purposes. Not intensive purposes.
How convenient.
I officially advocate the use of Treewalk and OpenDNS for all Comcast subscribers such as myself. Because after all, if I don't use their DNS, why should I care where they are directing non-existent domain traffic to?
"Be prepared, son. That's my motto. Be prepared." --Joe Hallenbeck
Is it just me or was this story on slashdot like three weeks ago? And I complained then? And we all opted out?
Does anyone have a pointer to clear instructions for setting up a caching nameserver on various platforms and configuring those platforms to use it?
Computer Science is all about trying to find the right wrench to bang in the right screw. -T.Cumbo?
I noticed this yesterday, and they only seem to hijack www.example.com, and not example.com or ftp.example.com.
Still a pain in the ass, and I'm in the process of opting-out. The opt-out is pretty easy, and I've also sent an email to comcast regarding this.
Hosting and Domain name coupons
4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6
At least this story doesn't have OpenDNS in the "from the X department" this time.
OpenDNS does exactly the same thing, so you might as well stick with your comcast servers.
I've always used a linux box as my firewall /router box at home, and I've been running BIND as a caching DNS server. Fortunately this won't affect me, as I totally bypass spamcast's bullshit.
Lawyers, MBA's, RIAA? A jedi fears not these things!
No new legislation is needed. Just get the courts involved. Let content providers sue the heck out of Comcast for making a dime off of abusing their domain names. The ISPs think that Google, etc. are "using their pipes to make money," well this is using the content provider's domain and brand to make money. Technical details aside, the effect on the relationship between the content provider and their users is the same whether it is literally hijacking control over the subdomains or creating the perception to user that that is happening. No matter what Comcast may claim, they are altering the relationship between the domain holders and their users.
Huh, the link keeps going to something about net neutering. Oh well.
Does anyone know which method they're using to intercept the DNS? There was an article on here a few months back about them redirecting all port 53 traffic to their servers ('testing in a small market' or something). Other cases usually just configure the nameservers issued via DHCP to respond for NX records with their A for search pages.
I ask because if they're redirecting all port 53 traffic, using your own servers (or anyone else's) won't do you much good. Also, its legality is questionable.
So if you are trying to pen test some machines you own and Comcast points you to their server who is to blame? Are you really responsible if Comcast hijacks your DNS requests and sends you to their server?
I was testing against a known invalid DNS entry (ie: personally owned but not parked domain name). How are you responsible when they hijack your connection?
Even better is when someone pwns Comcast's server and and exploits all of Comcast's customers with a browser exploit hosted there.
DNS is supposed to tell you (essentially) "no such domain name registered" when you try to find a domain name.
IFF (i.e. if and only if) DNS _only_ serviced web browsers, then one noise-page (my adverts here) is no different than any other noise page (no such name) because a human is going to go "oh, that's not what I was looking for".
But there is a heck of a lot more going on out here in the internet than just web browsing, and significant portions of it hinge on getting true and correct answers from the DNS system.
With DNS boned-up to return false positives on all names, then money can be stolen from you, the casual web browser. For instance, I send you an email from support@bankofamercia.com; you don't notice the transposition of letters, your spam filter looks up bankofamercia.com and the DNS service returns an IP address instead of no such address, that address is the same one as I spoofed in the email, the spam filter says it's a good email, you get owned.
Okay, that _is_ contrived, so try this instead...
It's 1964. You are at a pay phone. Your car has broken down. It's your last dime. You call home, but mis-dial a number that doesn't exist and you get a busy signal, and you get your dime back. You call home again and get help. The system worked.
It's 1964. You are at a pay phone. Your car is broken down. It's your last dime. You call home, but mis-dial a number that doesn't exist and some random person answers and proceeds to try to sell you car wax. Your dime is gone. You are still stuck. The system has failed.
Imagine your life if you _never_ got a busy signal. You call any extension in any company and you get to leave a voice mail but nobody will ever get that message. It would be living hell.
Worse yet, you run a small company, you make a small number of sales each month that are vital to your company's survival. You invest in an expensive advertisement on the superbowl and everything goes great. Then your DNS server dies. Now there is nobody to answer the proper DNS queries. The DNS squatter wakes up and since mylittlecompany.com no longer resolves, all that traffic goes to the Comcast Advertisement Shill page. In just a few minutes you get your DNS server working again, but everyone who got the bogus page thinks your company is trying to sell comcast telephone service and web search services and you never get that business. You are out big cash and your name is ruined. IF the spamvertisement page hadn't been there, those people might instead be thinking "wow, this service is so popular I cannot get in, maybe I'll try back in a bit" instead of "why did comcast decide to take out a superbowl ad that made it look like they sold that interesting little product?"
In short, what if every time your cell phone couldn't be found (because it was off or the battery died etc) the people trying to call you got silently redirected to a random "service" of the type one sees on late night television, offering jokes or sex chat, ostensibly in your good name?
That's what is wrong with doing that.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Simply run bind9 on your system. Comcast will not stop you.
I prefer the "u" in honour as it seems to be missing these days.
I only have a basic understanding of DNS but the last time I saw this the non-existing domain would always resolve to some address.
When I got this email from Comcast last night, I typed a non-existing domain into my browser and it brought up a Comcast page. However, when I tried to ping the same domain it came back as a non-existent domain.
At least Comcast got the opt-out implementation right. It's done by the cable modem's MAC address, which means that all DNS lookup traffic will start getting NXDOMAIN responses. Oddly, their instructions indicate that this only takes effect when your modem does its next DHCP client lease. My guess is they've blocked off a range of IPs as "opt out," and just assign your MAC to get a lease from the opt-out range.
I'd greatly prefer it if Comcast had just left things alone, of course; at least, though, they didn't fall into the old "The Web is the Internet" fallacy like Bell Canada.
http://tools.ietf.org/html/draft-livingood-dns-redirect-00
note where author works.
I just looked at my cablemodem and it has 4 MAC addresses associated with it:
HFC MAC Address
Ethernet MAC Address (probably not?!)
CM USB MAC Address
CPE USB MAC Address
I suspect that it is the first?
No sense entering it until I know if it makes a difference or just allows the scam to go on.
Thanks!
Your example fails because internalmail.company.com will resolve through company.com, not dnsshill.comcast.com. That is, "company.com" is authoritative for "internalmail.company.com" in the hierarchical name service system. The question of what happens in this case is questionable. Especially since in your split tunnel you probably have prepended company.com's internal DNS resolvers in the name search space so that the VPN user sees the internal sites in preference to the external ones.
Your point is correct, your example is flawed.
IMHO, of course 8-)
I had to jump through hoops to get the hijacking removed from FIOS. There's no way an average user would be able to do it. Verizon's instructions weren't even accurate, I had to Google to get the right directions that were put up by some bloggers. I'm sure it was all Verizon's intention to keep the directions so cryptic and flat out wrong. Fuck the phone and cable companies and the fuckwad senators and congresspeople that let these sleazebags get away with this shit. I'm so fucking tired of having everything be a battle all the fucking time with these "services". What the fuck ever happened to competition in the US? There's like only 3 companies for any industry. Too big to fail my ass.
They've got about 3 million subscribers in the NY metro area (CT, NJ and NY excluding Manhattan). They just started doing this a couple of months ago. I noticed it when my DNS queries started failing completely. Seems I had changed my DNS servers to ones not owned by Optimum (aka Cablevision) because of speed issues, and with their most recent change they're also blocking DNS queries directed to servers other than their own.
Don't look for the latest net neutrality bill to fix this. All that is is the ISPs making the bag of bribes bigger until the greed of Congress can no longer resist.
"The good news is that the opt-out is a more sensible registration based on cable modem MAC"
It's better than cookies, yes, but it is still broken. Is it *so* difficult for them to require people to opt-*in* to get this nonsense? If I'm paying for DNS services, why is it unreasonable to expect them to be correctly implemented to standards, rather than hijacked? At the very least, where's my cut? Can I get a reduction in fees for putting up with a reduced/defective service?
Your opt-out request has been confirmed. We will complete processing of this request within 2 business days.
I wonder if /.ing the Comcast request page makes it take longer. ;-)
If you have about ten minutes be sure to give them a call. Explain to them that they're breaking basic internet functionality, the very service you're paying for.
No ISP should ever supply bogus dns info for domains they don't own.
There shouldn't be any hijack page, simple as that.
And yes, you can register an account for OpenDNS. But why would anybody here be advocating standards-breaking, overcomplicated, web-based nonsense?
There is nothing wrong with Treewalk, which is why I didn't mention it.
http://yro.slashdot.org/article.pl?sid=09/07/09/1811249
Attention deficit disorder is a complicated issue, spanning several major... HEY LET'S GO RIDE BIKES!
My ISP Cox did this and to opt out of it all you had to do was change your DNS server to another one that they provided. In my opinion this is much better than cookies and router MAC addresses because you can do it on a computer by computer basis.
Worked fine, I get the proper NXDOMAIN response. No goofy fake 'domain not found' page, like bellca.
WTF?!? Yesterday I was getting NXDOMAIN correctly, today I'm back on to their crappy search page! Dammit, I opted out when they first announced this! Comcast, you bastards!
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
The funny thing is that Monday morning I saw Comcast's executive vice president on CSPAN-2 saying that they fully supported the principle of net neutrality.
SJW: Someone who has run out of real oppression, and has to fake it.
Comcast's version is an order of magnitude better than everybody else's.
a: There is a REAL opt-out, that puts your DHCP lease to point to a DNS resolver that doesn't do this. I'll have to do this when I get home. Compare this with, eg, Verizon's pitiful opt-out instructions involving manually changing DNS settings.
b: IF you had manually set your DNS resolver to a Comcast server, you are unaffected (they added new resolver addresses to do this), per previous discussions by the Comcast folks over at Broadband Reports.
c: It does NOT get *.whatever, only www.*.(TLD), thus even when you don't opt out, it is at least limited to web-related typos. This is actually a big deal, as I think Comcast is the first one NOT to do it for everything.
I don't like NXDOMAIN wildcarding (it was one of the motivations behind building the ICSI Netalyzr), but if an ISP is going to do it, Comcast's is actually well constructed to both limit collateral damage (it only gets www.*) and be able to be bypassed with a real opt-out.
Test your net with Netalyzr
Yea, unless you accidentally missed. Then you probably would end up hitting one of the advertisers instead.
Wait... That idea has merit.
Someone with a large botnet should leech the hell out of non-existent domains via http, on all infected machines that are online via Comcast or Bell.
WTF, this is old news! There's even a link to the month-old story in the "related stories" box below the summary. Why is Slashdot posting a freakout story that makes it sound like it just came out of nowhere all of a sudden?
Arguing about vi versus Emacs is like arguing whether it's better to make fire by rubbing sticks or banging rocks.
Are they only jacking folks that use their DNS servers, or all DNS Requests from their network?
God, Root, Whats the difference?
Qwest (DSL) is doing this too. I knew there was something about it that annoyed me, but I hadn't given it much thought until now, when I can totally see why this is a BAD THING.
Absurdity: A statement or belief manifestly inconsistent with one's own opinion. -- Ambrose Bierce
I got my internet access through roadrunner (time warner cable) and this dns redirection is also used there. For the record, I found that annoying but not critical (however, I understand people may really be unhappy with that)
I am so fucking glad Cockcast pulled out of my city years ago.
Used Time Wanker for about a year after Cockcast pulled out; they sucked even more than Cockcast, so I eventually switched to AT&T U-verse. Been using U-verse for two years now, and I've had none of the problems with it I've had with Cockcast and Time Wanker.
Who is Comcast rolling the change out for and is it in all markets yet? I have a business class account at home, and I am not seeing any symptoms yet. So I'm wondering if there are more details on whether this will only affect residential customers or what, and to what extent exactly?
Charter Communications does this as well.
IIRC, a few years ago, this was attempted at a lower level and reversed.
I use Comcast and I can verify it is the lamest form of the interwebs out there; but I at least use opendns, to avoid their terrible slow and now ad filled dns servers.
Math
Is there a way to opt out a domain from this type of redirection? It seems that feature would solve the problem.
I just looked at my cablemodem and it has 4 MAC addresses associated with it:
HFC MAC Address
Ethernet MAC Address (probably not?!)
CM USB MAC Address
CPE USB MAC Address
I suspect that it is the first?
No sense entering it until I know if it makes a difference or just allows the scam to go on.
Thanks!
HFC is the one associated in DOCSIS, so 99% sure it's that one. And you're welcome.
The solution to all of this crap seems pretty simple. Modify your local DNS server, the libc resolver, &c., to return NXDOMAIN if the upstream server returns the IP address of one of these ad servers. Perhaps the list could be stored locally, or an up-to-date blacklist of known spam IPs could be published somewhere, similar to the various RBLs out there.
Has anyone written a patch to do just this yet?
Liberty in your lifetime
Well, as other people are repeatedly pointing out to me (including some via e-mail), Comcast is only doing this for domains that begin with "www." right now.
But no, the only way to opt out is all-or-nothing. Which is fine.
Go back to 4chan where you belong, /b/tard, Slashdot is Serious Business.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
c: It does NOT get *.whatever, only www.*.(TLD), thus even when you don't opt out, it is at least limited to web-related typos. This is actually a big deal, as I think Comcast is the first one NOT to do it for everything.
You can run more than just web sites on a www. domain.
Give me Classic Slashdot or give me death!
My God ... Comcast's opt-out page and form have been Slashdotted ... excellent!
"Keep at least 3-6 full bottles of hard alcohol on hand, a 2 week resignation notice,..." - Poetmatt
Thanks to Slashdot I wasn't at all surprised when I received the "opt out" email, and once I checked to make sure it wasn't some sort of phishing attempt, opted-out of their jacked-up search page crap immediately -- as should everyone else.
That's like saying your cellmate is better than the others because he uses lube. Factually correct, but still morally repugnant.
The practice is wrong. Plain wrong. It breaks the Internet and as such should be expressly forbidden. (Well, actually, it is forbidden, because it's not returning NXDOMAIN when it should.) Breakage is breakage is breakage, and while it may be useful to understand in detail the different ways in which this breakage occurs, it is not acceptable to finish that analysis by saying, "Well if it must break, then this way is better than the others...."
Crumb's Corollary: Never bring a knife to a bun fight.
"Is there anything that can be done to stop (and reverse) this DNS breakage trend?"
Of course there is. This is really only affecting people who use the ISP's default DNS server. You can choose to set up your own DNS server, which is moderately complicated for people with no background. Additionally, your computer can be set to use an alternative DNS server such as OpenDNS, bypassing your ISP's DNS server.
One would begin by reconfiguring the modem/router to use a server such as OpenDNS, FoolDNS, or some other server more to your liking.
2nd step (optional) would be to install a server on the gateway machine, then configure that server to query the modem/router when it needs routing data.
3rd step is simply to reconfigure all the machines on the network to query the gateway machine if you chose to set up your own server, or to query the modem/router if you chose not to install a server.
Problem solved.
One side benefit of using OpenDNS or FoolDNS, is that they filter SOME of the malware distribution sites. They can't get them all, and if they did, people might complain, but they filter a lot of the worst.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
This list seems to imply that there is a duplicate set of Comcast DNS servers that work correctly for opt-out service: http://dns.comcast.net/dns-ip-addresses.html Maybe just changing DNS to point to your alternate opt-out server(s) will work. Unless they sometimes decide to change the IP addresses around without notice.
The DNS servers that Comcast passes to the home router and PCs via normal DHCP can take as long as 8 or 9 seconds to resolve, making many web pages unbearably slow to surf. This is intentional PUNISHMENT for not installing their creep-ware on your computer which then switches DNS settings to their faster servers.
Comcast's DNS service is terrible by default, and adding DNS hijacking with a "nice" opt-out process only makes it worse not better.
I can't remember the last time I forgot anything.
COX has been doing this for a while. Although it is not 'ad-laden', it is sponsored by Yahoo and 'suggests' some alternatives. When you mistype a domain name, or just make something up that doesn't exist, COX Cable redirects you to the following page: http://finder.cox.net/
-- I'd give my right arm to be ambidextrous
Yes, but it's poor practice to advertise anything but a webserver through a www.* IP name. If the host is doing something else, it should have another IP name for people accessing that function. Among other things, it makes it much easier to move that function off that machine without touching the webserver. www.* could affect things other than webservers, but it shouldn't, and mostly, it won't. That doesn't make what Comcast is doing *right*, but it does make it slightly less horribly awful. Slightly.
Dnsmasq has an option to "fix" this kind of dns redirection called bogus-nxdomain. The bogus ip address to block is 208.68.139.38. I wonder if comcast uses multiple addresses or will ever change it...
Maybe I'll just switch to using 4.2.2.[1-6] as many other people have mentioned.
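The filter asked for a few posts up (return NXDOMAIN when the upstream answer is a known ad-server address) and the dnsmasq bogus-nxdomain behaviour mentioned just above, as an added example that is not part of the original thread and is not dnsmasq's own code: a small Python module that parses raw DNS responses, classifies them, and rewrites a hijacked answer into an honest NXDOMAIN. The address 208.68.139.38 is the one reported in the post above; the sample packet is constructed with the module's own helpers, not captured from the wire. The `probe()` helper is an assumption of mine about how you would use it live: it needs network access, and querying a third-party resolver such as 4.2.2.1 and still getting the landing address would mean port 53 is being intercepted in the path rather than by Comcast's resolvers, which is the question raised earlier in the thread.

```python
"""Detect and neutralise NXDOMAIN-replacement answers in raw DNS responses.

Added example: the same idea as dnsmasq's bogus-nxdomain option, done by hand
on wire-format packets (RFC 1035) so it can sit in a local forwarder or probe.
"""
import os
import socket
import struct

# Assumption: the hijack landing address reported in the thread.  An ISP may
# use several addresses; add every one you observe.
BOGUS_ADDRS = {"208.68.139.38"}

RCODE_NXDOMAIN = 3


def build_query(name, qid=None):
    """Return a minimal UDP DNS query for an A record, recursion desired."""
    if qid is None:
        qid = struct.unpack("!H", os.urandom(2))[0]
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return (rcode, [IPv4 strings from A records]) for a raw DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4     # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, addrs


def classify(data):
    """'nxdomain', 'hijacked' (an answer is a known landing address) or 'answered'."""
    rcode, addrs = parse_response(data)
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if any(a in BOGUS_ADDRS for a in addrs):
        return "hijacked"
    return "answered"


def sanitize(data):
    """Rewrite a hijacked response into NXDOMAIN: keep header and question,
    drop every answer/authority/additional record, set RCODE=3."""
    if classify(data) != "hijacked":
        return data
    qid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4
    flags = (flags & 0xFFF0) | RCODE_NXDOMAIN
    return struct.pack("!HHHHHH", qid, flags, qd, 0, 0, 0) + data[12:off]


def probe(resolver, name=None, timeout=3):
    """Hypothetical live check (needs network): query one resolver for a random
    nonexistent www.* name and classify what comes back."""
    if name is None:
        name = "www." + os.urandom(6).hex() + ".com"
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name), (resolver, 53))
        return classify(s.recv(512))
    finally:
        s.close()


def sample_hijacked_response(qid=0x1234):
    """Constructed sample (not a capture): NOERROR plus one A record pointing a
    nonexistent www. name at the landing page, as a hijacking resolver does."""
    q = build_query("www.blahblahblahblahblah.com", qid)
    hdr = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, RCODE 0
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4)
              + socket.inet_aton("208.68.139.38"))
    return hdr + q[12:] + answer


if __name__ == "__main__":
    raw = sample_hijacked_response()
    print(classify(raw), "->", classify(sanitize(raw)))
```

Running the module prints `hijacked -> nxdomain`. To use it as the thread suggests, call `sanitize()` on every upstream reply in a local forwarder before handing it to the client; to answer the port-53 question, run `probe("4.2.2.1")` from inside the ISP's network and compare with `probe()` against the DHCP-supplied resolver.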
In general, you're right. But we're talking about ISPs here. It's their network -- of course they can get it layer 2!
Well, Comcast's network is a massive hodge podge (to put it politely). I'm not even sure the head end I (seem to be) connecting to can get my MAC address from the packet (at least if traceroute is to be believed). There's definitely at least one switch between my neighborhood's segment (in the boondocks of Puget Sound) and the rest of the service area (which goes down with alarming frequency).
Back in Pittsburgh, the architecture was quite different. They purchased the system from AT&T, who purchased it from Times Mirror, etc. Heck, I originally had two separate cable wires coming in to the cable box (switched on a 12V DC signal from the box itself); apparently, TM's switching equipment couldn't handle all the channels they wanted to offer. Not surprisingly, this had to be redone before cable modem service was offered. I had DSL service (from Bell Atlantic) years before cable modems were even offered in the area.
Comcast has opt-out option. https://dns-opt-out.comcast.net/
If I understand correctly, a lack of DNS records for a domain doesn't mean it has no owner. Say I have registered example.com, but not yet given it a nameserver. Most ISP's DNS servers would (correctly) respond to requests for www.example.com with an NXDOMAIN. Comcast, however, would return an A record pointing to their own web server. Essentially, they are ignoring the fact that I have paid for the right to configure the domain as I see fit. Or am I missing something?
c: It does NOT get *.whatever, only www.*.(TLD), thus even when you don't opt out, it is at least limited to web-related typos. This is actually a big deal, as I think Comcast is the first one NOT to do it for everything.
In the quick test I did, the hijack occurred regardless of the "www" prefix being present.
Suppose every time you got in a cab, the driver stopped at each Starbucks along the way and tried to sell you a cup of coffee because Starbucks kicked them back a buck on each sale. Suppose the cab driver even offered you a 50 cent discount. Let's suppose the cab driver was even nice enough to scrupulously stop the meter each time he pulled into a Starbucks parking lot.
Would you be happy about this cab ride?
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
The other side of the coin is the customer experience. Think about the average internet user. They cannot tell the difference between a 404 error and a 504 error.
People often unknowingly mistype URLs and automatically believe that their internet is broken and they need to call their ISP in order to get it working again. My personal experience working tech support for a large ISP is that mistyping domain names is a huge call driver, and this service is meant to address that.
That's the other side, now flame on.
My comments here are my own; I do not speak for my employer.
Comcast's DNS servers are only redirecting non-existent domains that start with www.
It was working on my browser, Firefox, because it looks like it adds www on single level domains. Add another host name or even a pathname and it comes back as non-existent.
Look at the DomainHelperLogic and the only thing it hijacks are DNS lookups that begin with www and end with a valid TLD (.com, a ccTLD like .us, etc.).
While I think this still stinks that they are hijacking DNS at all, and as a Comcast customer I will complain and opt-out, I think they're doing it in a fairly logical way.
But it's not that bad. If you do a DNS lookup for any domain (say for an MX or NS record) you're never going to see this. Your lookups will only be affected if the query starts with www, followed by a domain, ending with a valid TLD (.com, a CC, etc.).
If your internal office uses something such as mycompany.internal, then even a www.mycompany.internal query isn't going to get hijacked since .internal isn't a valid TLD. If you are using mycompany.com for internal use, you should own mycompany.com externally, and negative replies will still work and not get hijacked.
Again, while I oppose monkeying with DNS, this appears to be fairly well thought out and not anywhere near as bad as most other implementations.
The misappropriation is technically bad because it's done at the wrong protocol layer, and even when it works it's bad because it'll cause your browser to do something you didn't want.
Here's how DNS is supposed to work when it works, and how it's supposed to work when the lookup fails.
Now look at what happens if your DNS server lies to your application by giving it some other IP address instead of the correct failure message, like 68.87.60.144.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I suggest that if you're a Comcast customer and when you read this the opt-out page is still down, contact their tech support. Maybe a swell of tech support calls/emails/IMs will convince them how bad of an idea this is.
user John_ has entered room
jOHN(Wed Aug 05 2009 17:45:34 GMT-0500 (CDT))> Ask Comcast Escalation
analyst Lotarion has entered room
Lotarion(Wed Aug 05 2009 17:45:57 GMT-0500 (CDT))> Hello John_, Thank you for contacting Comcast Live Chat Support. My name is Lotarion. Please give me one moment to review your information.
Lotarion(Wed Aug 05 2009 17:45:59 GMT-0500 (CDT))> I am more than willing to assist you today.
Lotarion(Wed Aug 05 2009 17:46:01 GMT-0500 (CDT))> May I know the issue, please?
John_(Wed Aug 05 2009 16:45:51 GMT-0500 (CDT))> Hi, I want to opt-out of the domain redirection, but I can't access the page. The website is: https://dns-opt-out.comcast.net/
Lotarion(Wed Aug 05 2009 17:47:23 GMT-0500 (CDT))> Oh..Let us check on it.
Lotarion(Wed Aug 05 2009 17:47:37 GMT-0500 (CDT))> What is your Operating System John?
John_(Wed Aug 05 2009 16:47:40 GMT-0500 (CDT))> I'm using OpenSUSE 11.1.
Lotarion(Wed Aug 05 2009 17:49:38 GMT-0500 (CDT))> Okay.
Lotarion(Wed Aug 05 2009 17:49:55 GMT-0500 (CDT))> Go back to the issue, you cannot load www.comcast.net ONLY?
John_(Wed Aug 05 2009 16:50:34 GMT-0500 (CDT))> I can load all websites - including www.comcast.net. I can't load the domain redirection opt-out page: https://dns-opt-out.comcast.net/
Lotarion(Wed Aug 05 2009 17:51:59 GMT-0500 (CDT))> Oh..That has already been disabled. I cannot also load that site on my end.
John_(Wed Aug 05 2009 16:52:10 GMT-0500 (CDT))> Oh, okay. Do you know when it will be available again?
Lotarion(Wed Aug 05 2009 17:53:19 GMT-0500 (CDT))> Our engineers are still working on it. Customers will be informed through email.
John_(Wed Aug 05 2009 16:53:14 GMT-0500 (CDT))> Okay, I'll be patient then. Thanks for your help.
Lotarion(Wed Aug 05 2009 17:53:53 GMT-0500 (CDT))> You are most welcome.
Lotarion(Wed Aug 05 2009 17:54:00 GMT-0500 (CDT))> Thank you also for bearing with us.
Lotarion(Wed Aug 05 2009 17:54:02 GMT-0500 (CDT))> Do you have any other concern that I can address to?
John_(Wed Aug 05 2009 16:54:13 GMT-0500 (CDT))> Nope, that was it.
Lotarion(Wed Aug 05 2009 17:54:39 GMT-0500 (CDT))> It has been my pleasure assisting you today.
Lotarion(Wed Aug 05 2009 17:54:40 GMT-0500 (CDT))> Take care always. Have PEACE and goodbye.
Lotarion(Wed Aug 05 2009 17:54:40 GMT-0500 (CDT))> Thank you for bringing Comcast into your home. We are here for you 24 hours a day 365 days a year! To learn more about your services and find answers to many questions, please visit our FAQ pages: http://help.comcast.net/
Lotarion(Wed Aug 05 2009 17:54:41 GMT-0500 (CDT))> smile
Lotarion(Wed Aug 05 2009 17:55:28 GMT-0500 (CDT))> Analyst has closed chat and left the room
analyst Lotarion has left room
Breaking DNS is bad for non-broken apps - it's only going to be worse for broken ones :-) Your PC's DNS resolver should be set up to use your internal DNS servers in preference to your ISP's DNS servers if possible, so if the VPN is routing 10.x.x.x addresses through the tunnel and non-RFC1918 addresses to the public internet, there won't be a problem with it going the wrong way.
Ummmm PRETTY FREAKIN MASSIVE under Trademark law?..
I got the same results. That is: asking for asdrfkjgshklghrfgserg.com got me the stupid Comcast "Maybe you're looking for douchebags in Singapore" page.
Never attribute to malice that which can be explained by mere idiocy.
There's one case where some of the DNS hijacker services aren't purely evil - it's the ones that take queries for known malware sites and redirect them to "you don't really want to go there" pages. That doesn't always do what you want either, but unless you're a security researcher, you probably didn't want any protocols from your machine connecting to malware-infected.example.com, so even a lame protocol-not-equipped failure from DNS-Hijackers.your-ISP.net is better either than a successful or unsuccessful connection to the evil site.
But that doesn't break the protocols as badly, because for the most part it's redirecting queries for sites that _do_ have actual servers on them.
Have you tried using showcase_c01.cm and 4.2.2.1?
This isn't any different from Cyber-Squatting of the late nineties.
In the end it comes down to profiteering from an individual's mis-typed URL - which in most cases was ruled against, or registering a URL before someone else had. For example: http://www.hollywoodreporter.com/hr/content_display/technology/news/e3idcc910dc3148408da55199c677c17c94
This is no different other than it is a single company profiteering off of *every* mis-typed URL that a user enters. It's essentially ignoring cyber-squatting law as inapplicable to their implementation of an ad-farm.
Congratulations ISPs, you've managed to figure out what people did to earn a quick buck in the late nineties...
Normally I'd agree with you - I've ranted elsewhere in this story about how DNS hijacking breaks all kinds of things, even including the browsers that it's supposed to be "helping". However, there's one case where it can be useful - hijacking queries for known evil sites (malware-infected, phishing targets, etc.) Unlike hijacking queries that should return Not Found sorts of messages, this returns the address of a "you don't want to go there" warning page instead of the address of the usually-actually-existing evil server. So while it's still incorrect behaviour, it's at least not breaking DNS as badly, and it's only breaking it for cases where a non-broken response would have gotten you somewhere bad anyway (unless of course you're a security researcher who _wants_ to talk to evil servers.)
Everybody who wants to opt out should call Comcast Customer Service, rant for a minute about how they hate having this done to them, then get detailed instructions leading them through the process -- not just a web page to go to -- and keep the customer service rep on the line until it is completely undone. A few hundred thousand phone calls of people wanting to be led through the process might actually get their attention.
And while you're on the line with them, explain the concept of Opt In in words that any 6th grader can understand.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Here are my tests:
www.blahblahblahblahblah.com
Bogus redirect page.
www.blahblahblahblahblah
NX
blahblahblahblahblah.com
NX
www.blahblahblahblahblah.ner
NX
Eventually all failed non-existent domains that are queried through Comcast's servers, where the query begins with www., will get redirected. They just haven't phased that in, yet: DomainHelperLogic:
We will eventually phase in the following pattern matches to enhance this service in the future:
(1) www.SOME-INVALID-NAME.cmm or
(2) www.SOME-INVALID-NAME
- The entry must include "www" followed by a dot ("www.")
...
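The tests above can be reproduced without trusting the browser, which may silently prepend "www." or fall back to a search page. The following is an added example, not code from the original post or from Comcast: a minimal DNS client built on the standard library that sends the same four name shapes to a resolver of your choice, reads the RCODE and any A records straight off the wire, and reports which names came back NXDOMAIN and which were answered with an address. The resolver IP, the random label length and the constructed sample responses used by build_response (which exists only so the parser can be exercised offline) are assumptions; point query() at your ISP's resolver and at a third-party one to compare.

```python
import random
import socket
import struct

# --- wire format helpers (RFC 1035) ---

def encode_name(name):
    """Turn "www.example.com" into length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qid):
    """Standard recursive A/IN query with transaction id qid (RD set, one question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def skip_name(data, off):
    """Advance past a possibly-compressed name; returns the offset after it."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length

def parse_response(data):
    """Return (rcode, [A record addresses]) from a raw DNS response."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x0F                    # 0 = NOERROR, 3 = NXDOMAIN
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4      # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # A record
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, addrs

def build_response(qid, rcode, name, addrs=()):
    """Constructed sample response, used only to demonstrate the parser offline."""
    flags = 0x8180 | rcode                  # QR, RD, RA
    hdr = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    body = encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        # 0xC00C points back at the question name; TTL 60 is arbitrary
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
    return hdr + body

# --- live probing ---

def query(resolver, name, timeout=3.0):
    """Send one UDP query to resolver:53 and parse the reply (network required)."""
    qid = random.randrange(0, 65536)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name, qid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("transaction id mismatch")
    return parse_response(data)

def random_label(n=20):
    return "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(n))

def probe_patterns(label):
    """The four name shapes tried in the post: www.X.com, www.X, X.com, www.X.ner."""
    return [f"www.{label}.com", f"www.{label}", f"{label}.com", f"www.{label}.ner"]

def classify(results):
    """results: {name: (rcode, addrs)} -> human-readable verdict per name."""
    verdict = {}
    for name, (rcode, addrs) in results.items():
        if rcode == 3 and not addrs:
            verdict[name] = "NXDOMAIN (honest)"
        elif rcode == 0 and addrs:
            verdict[name] = "hijacked -> " + ",".join(addrs)
        else:
            verdict[name] = f"rcode={rcode}"
    return verdict

if __name__ == "__main__":
    resolver = "192.0.2.53"                 # assumed: replace with your ISP's resolver
    results = {n: query(resolver, n) for n in probe_patterns(random_label())}
    for name, v in classify(results).items():
        print(f"{name:45s} {v}")
```

Run it a few times: a resolver that wildcards NXDOMAIN will answer www.X.com with an address while the bare X.com comes back rcode 3, and repeating the run shows whether the returned redirect address is stable or round-robined.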
As soon as the DNS spec gets its own army it will be able to enforce this kind of thing.
Usually it's opt-in - if you didn't set your computer to use their service, your queries won't go there and they won't lie to you. And if you'd rather have the occasional failure (and aren't running your own email server) in return for getting blocked from known malware sites, go ahead and opt in.
The only time it's opt-out is when your ISP decided to use OpenDNS or one of their competitors to do name resolution instead of doing it correctly - I'd be really annoyed if one of my ISPs did that without asking me.
And even if your app _is_ the web, the most popular web servers let you pick what search engine to use in case of a NX response, so it's broken even then. Comcast's a little less broken than some hijacking services, since they're only redirecting www.whatever.tld, but who knows how long that'll last as a policy.
As the parent article had said, you've got no way to predict whether they'll be consistent about the IP addresses they use for their redirect page, and you can't just give your application to everybody with the DNS-hijackers' addresses wired in, because they may have ISPs who use different hijack pages or your ISP could change yours at any time. And then there's the problem of load-balanced redirect servers - the service could round-robin between N different redirect servers (instead of anycasting or hiding the load-balancing behind NAT) so you wouldn't even get a consistent redirect page.
I've had a printout of your draft on my desk for a while, planning to write a good rant in response :-)
The "only redirect www.domain.tld" logic certainly helps reduce the number of applications that'll be broken, though I do still https: to www.domain.tld addresses and sometimes do ssh (usually not, and I almost never email them either.)
But even then it's breaking the behaviour my browser is configured for - I've got Firefox using Google as its search engine, and try to have IE do that as well.
Since the opt-out page is broken and doesn't actually opt you out of anything, you'll have to do it yourself. Here's a list of all Comcast's DNS servers: http://dns.comcast.net/dns-ip-addresses.html
The first two are the "redirecting" servers, and have the Comcast DNS hijacking enabled.
The second two are the correct servers to use, they are running pure DNS without Comcast's bullshit.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Using cookies indicates that they Really Don't Get It - if you're using a browser, hijacking your query is evil but not particularly stupid, while if you're using some other protocol, such as email or ssh or even http/https on some port other than 80, the browser cookie isn't going to tell their broken DNS server or web server anything.
Yup. I've had the document on my desk for a couple of weeks, planning to write a ranting response in my copious spare time. And J. Livingood posted a response somewhere else in this Slashdot comment chain as well.
I've often worried about what nastiness their installer does.
First: A quick look through System Profiler (I'm on a Macintosh running OSX 10.4) seems to show that my http and https traffic is going through a proxy server (actsvr.comcastonline.com).
Second: post-install, the computer's hostname would be changed to something based on my IP address, according to my HOST environment variable. Even if that's just some DHCP voodoo, I'd rather be the one to decide what my computer is called, thank you very much.
So, can any of you folks with better technical knowledge than me investigate the installers? Any evidence of Sony-style rootkits on either the PC or Mac sides would be better ammo against the bastards than their current naughtiness.
Now that customers will have to register their MAC address with Comcast does that mean they will have a legitimate argument when saying 'illegal downloading/content/etc' was coming from your MAC address?
The 'MAC addresses aren't reliable identification' argument will be somewhat negated once customers are directly associated with their box's address, right?
to prove my aging geek status I wouldn't have had the pay phone mis-dial returning "a busy signal", I would have said the pay phone returned "denial tone" (which some people used to call "fast busy"). That would have proved that I was both old enough to remember pay phones, _and_ that I was old enough to have become a geek while pay phones were still relevant. 8-)
They still use denial tone, and the three-tone error whose name I forget... but nowadays most self-described geeks tend not to see the relevance of the wire-line networks, which is sad.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
How about not using your ISP's own DNS servers? Why not use "agnostic" ones?
http://www.opendns.com/
I just don't got em :(
Ralf Weber dns at fl1ger.de
Fri Jun 19 10:21:04 UTC 2009
Hi!
On 19.06.2009, at 11:27, Stefan Schmidt wrote:
> On Fri, Jun 19, 2009 at 03:12:10AM +0000, bmanning at vacation.karoshi.com :-(.
> wrote:
>>> http://yro.slashdot.org/story/09/06/16/1657255/A-Black-Day-For-Internet-Freedom-In-Germany
>>> ______________________
>>
>> doubtful that it will be illegal - just ineffective.
>> DE may become a haven for questionable DNS use, esp
>> with this offical sanction to hijack.
There are other countries doing this already. In Europe at least:
- Sweden
- Denmark
- Belgium
- Switzerland
- Italy
so while I signed the petition I still will have to do this
> This is exactly the question i will ask at the "DNSSEC Testbed for
> Germany"
> event 2nd of July in Frankfurt am Main.
> -> http://www.denic.de/en/domains/dnssec/dnssectestbed.html
Well, technically I can answer this now: the way DNS is deployed currently (clients ask the ISP resolver and don't validate), DNSSEC and this blocking are compatible. But I think it really is a political debate rather than a technical one. DNS blocking can be a good thing (Conficker anyone); the problem with this law is that there is no control of the list, and that there is an IMHO justified fear that this technique will be used for other blockings (gambling, music).
So long
-Ralf
---
Ralf Weber (Internet Citizen)
e: dns at fl1ger.de
------------------------
that's a pretty strange statement coming from one of the fathers of F***-the-DNS
This seems to me to be a simple case of cybersquatting. If someone went out and registered microsofta.com, then Microsoft could use WIPO to get the domain transferred to them. Thus, simply submit a million or so WIPO arbitration requests for: slashdota.com slashdotb.com slashdotc.com ....
slashdotzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.com
That's like saying "That's the whore with the fewest VD's". It doesn't make it something you want.
My blog. Good stuff (when I remember to update it). Read it.
How did you test?
Type a non www name into the browser's address bar which does automatic www prepending on NXDOMAIN?
Use dig or some other tool to query the DNS directly?
Verizon walks you through the (fairly involved, for a newbie) process of manually changing your DNS settings. They maintain one set of DNS addresses that do hijacking, and one set (the xx.xx.xx.14 addresses) that do not hijack. It's a one time thing, and it's under your control.
Just a short note, here. I opted out. Thank you for providing the link.
Willie...
According to: http://uptime.netcraft.com/up/graph?site=search3.comcast.com
this "service" is run by Fast Search & Transfer, and you can read about what a great company they are here: http://en.wikipedia.org/wiki/Fast_Search_&_Transfer
Slightly better, but still not much consolation to the guy trying to SSH into his webserver to troubleshoot it when one of the problems-of-the-moment is DNS.
A lot of web browsers when you ask for foo.com, if that fails, will look up www.foo.com
Try checking with netalyzr:
Netalyzr.icsi.berkeley.edu, as that does the lookups directly.
Test your net with Netalyzr
My main question would be: Does Comcast intercept and answer all DNS requests on its wires?
My reason for asking is that I've generally found that it's not a very good idea to use the ISP's nameservers. They never work very well, in my experience. When I've been responsible for such things, I've generally looked for a few good nameservers that are (electronically) nearby, and tell my machines to use them. I usually get faster and more accurate DNS resolution that way.
But if the ISP is looking specifically for any DNS requests, ignoring their destination address, and forging an answer that points to their own machine, then the above strategy won't work.
Yes, forging replies to packets not addressed to you is a nasty thing to do. Comcast has been caught red-handed doing this, e.g. to tell both ends of a P2P connection that the other has closed the connection. So it seems likely that they may be doing the same thing here. But I can't quite tell from what I've read.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
My Optimum Online account at a client's site filters DNS through their webjacking SW, to return a page of spammy ad "suggestions" when your domain query doesn't resolve to a registered name (like when you typo). Which is bad because it violates the DNS spec, in spirit and because apps that expect a DNS error will fail. But what's really bad is that every webpage, each full of domain lookups, takes several extra seconds to load because of their slow filter that tries to find ads even when the domain name is correct.
What can I do to stop this? Is there some free 3rd party DNS server I can point at, instead of the one the cablemodem sets in the LAN's PCs by DHCP? I know how to edit the DHCP file, and set the different DNS server IP# by dhclient commandline, but to which server can I point that file?
And how do I join with others to stop this substantial violation?
--
make install -not war
Just tried a non-existent address and I'm sadly surprised to inform that UPC in the Netherlands are also doing this.
Luckily, they do offer a reasonable opt-out method by manually using one of their alternative and normally functioning dns servers instead of relying on those granted by dhcp.
http://comcastisfuckingwithyourport53traffic.wordpress.com/
ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
How can you tell that your ISP is not hijacking ALL of your DNS requests? You really think that Comcast cannot redirect your DNS queries to their server?
The browser could show a page with the same information as the DNS hijacker.
You don't fix a broken user interface by breaking network protocols.
If the host is doing something else, it should have another IP name for people accessing that function.
Some small concerns don't want to double-buy SSL certificates, especially when they're priced so collusively and almost nobody sees SMTP headers.
To be fair, CACert is probably fine for those folks' mail traffic too.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
This new "net neutrality" bill won't help, are you freggin nuts!?!?
It'll only allow ISPs/Lobbyists/ to determine at a later date what is and isn't "lawful" content...
Arrgh!!@# Ye land lovers!@#
I was pissed off about this today, too. Fortunately, the Comcast "blog" was actually helpful for once.
If you want it fixed immediately, you can find the non-helper Comcast DNS servers here...
http://dns.comcast.net/dns-ip-addresses.html
I switched it on my router, and it works.
Comcast's version is an order of magnitude better than everybody else's.
a: There is a REAL opt-out, that puts your DHCP lease to point to a DNS resolver that doesn't do this. I'll have to do this when I get home. Compare this with, eg, Verizon's pitiful opt-out instructions involving manually changing DNS settings.
b: IF you had manually set your DNS resolver to a Comcast server, you are unaffected (they added new resolver addresses to do this), per previous discussions by the Comcast folks over at Broadband Reports.
c: It does NOT get *.whatever, only www.*.(TLD), thus even when you don't opt out, it is at least limited to web-related typos. This is actually a big deal, as I think Comcast is the first one NOT to do it for everything.
I don't like NXDOMAIN wildcarding (it was one of the motivations behind building the ICSI Netalyzr), but if an ISP is going to do it, Comcast's is actually well constructed to both limit collateral damage (it only gets www.*) and be able to be bypassed with a real opt-out.
a) That's incorrect, because the opt-out doesn't actually fucking work. I opted out. Got the confirmation back and everything. Rebooted all the network hardware. Result, no change. I had to manually change my DNS server settings, because Comcast flat out refuses to send me the settings that prevent this stuff from fucking up my connection.
b) Yes, if you manually work around their fuck up, then yes, it's manually worked around. No shit.
c) This is a flat-out lie. When I was still being infected by their shit, it was not possible to get an NX response, period. I was unable to confirm any of their www.* lies to be true. It resolved anything and everything to an IP, so if they were trying to do this, then they fucked it up too. Not surprising, really.