Comcast the Latest ISP To Try DNS Hijacking
A semi-anonymous reader writes "In the latest blow to DNS neutrality, Comcast is starting to redirect users to an ad-laden holding page when they try to connect to nonexistent domains. I have just received an email from them to that effect, tried it, and lo and behold, indeed there is the ugly DNS hijack page. The good news is that the opt-out is a more sensible registration based on cable modem MAC, rather than the deplorable 'cookie method' we just saw from Bell Canada. All you Comcast customers and friends of Comcast customers who want to get out of this, go here to opt out. Is there anything that can be done to stop (and reverse) this DNS breakage trend that the ISPs seem to be latching onto lately? Maybe the latest net neutrality bill will help." Update: 08/05 20:03 GMT by T : Here's a page from Comcast with (scant) details on the web-jacking program, which says that yesterday marked the national rollout.
You're IT for a business. You have employees who check their e-mail from home, accessing your stuff via a split tunnel VPN.
The computer tries to resolve internalmail.company.com, and normally this should fail, causing the computer to try the VPN's DNS server.
Instead, your employee's computer gets Comcast's search page server. Their mail client times out.
You get inundated with tech support calls.
I've always used a linux box as my firewall/router box at home, and I've been running BIND as a caching DNS server. Fortunately this won't affect me, as I totally bypass spamcast's bullshit.
Lawyers, MBA's, RIAA? A jedi fears not these things!
It's a split tunnel VPN...
That means first it tries to use the internet, then it tries the VPN. If I look up foo.bar, and foo.bar doesn't resolve, it then tries on the VPN's DNS. That helps keep external traffic off the VPN. Internal traffic is still safe.
Of course, if foo.bar, instead of not resolving, points to Comcast, then I never do the lookup... and the VPN... is broken.
The name of the box is, of course, irrelevant. But you still have it wrong: Comcast's DNS server isn't affecting the company's internal DNS server, it is affecting their customer's box, who is your employee, making it so that they never query your internal DNS server.
This happens precisely because they don't know anything about the internal network, and yet they are telling your employee they do.
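The split-tunnel failure described in the posts above, as an added illustration that is not code from the story or from any commenter: a small Python script that models a client which tries the public resolver first and the VPN's resolver only on NXDOMAIN, and a check that classifies a resolver by how it answers names that cannot exist (labels under the RFC 2606 reserved `.invalid` TLD). The resolver functions, the `192.0.2.10` landing-page address, the internal name `internalmail.company.com` with address `10.0.0.25`, and the "hijacked"/"suspicious" thresholds are constructed assumptions; `system_resolver` is an adapter so the same check can be run against the host's real resolver.

```python
import random
import socket
import string

# Hypothetical landing-page address used by the constructed hijacking resolver
# (192.0.2.0/24 is the TEST-NET-1 documentation range, not any real ISP host).
LANDING_PAGE_IP = "192.0.2.10"


def random_nonexistent_names(count=3, tld="invalid"):
    """Build probe names that must never resolve: .invalid is reserved by RFC 2606."""
    names = []
    for _ in range(count):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        names.append(f"{label}.{tld}")
    return names


def lookup(resolver, name):
    """Return the address list for name, or None when the resolver reports NXDOMAIN."""
    try:
        return resolver(name)
    except socket.gaierror:
        return None


def classify_resolver(resolver, names):
    """Classify a resolver by how it answers names that cannot exist.

    clean      - every probe name fails to resolve
    hijacked   - every probe name resolves, and to the same one or two addresses
    suspicious - only some probes resolve, or they resolve to scattered addresses
    """
    results = {name: lookup(resolver, name) for name in names}
    resolved = {name: ips for name, ips in results.items() if ips}
    if not resolved:
        return "clean"
    landing = set()
    for ips in resolved.values():
        landing.update(ips)
    if len(resolved) == len(results) and len(landing) <= 2:
        return "hijacked"
    return "suspicious"


def split_tunnel_resolve(name, public_resolver, vpn_resolver):
    """Mimic the split-tunnel client from the thread: public resolver first,
    the VPN's resolver only when the public one says the name does not exist."""
    ips = lookup(public_resolver, name)
    if ips:
        return ips
    return lookup(vpn_resolver, name)


# --- constructed resolvers standing in for real DNS servers ---

def honest_public_resolver(name):
    """A resolver that does not know company-internal names and says so (NXDOMAIN)."""
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


def hijacking_public_resolver(name):
    """A resolver that swaps every NXDOMAIN for the landing-page address."""
    return [LANDING_PAGE_IP]


def vpn_resolver(name):
    """The company's internal resolver, reachable only over the VPN (constructed data)."""
    internal = {"internalmail.company.com": ["10.0.0.25"]}
    if name in internal:
        return internal[name]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


def system_resolver(name):
    """Adapter so the same checks can be run against the host's real resolver."""
    return [info[4][0] for info in socket.getaddrinfo(name, None)]


if __name__ == "__main__":
    probes = random_nonexistent_names()
    print("honest resolver:   ", classify_resolver(honest_public_resolver, probes))
    print("hijacking resolver:", classify_resolver(hijacking_public_resolver, probes))
    print("mail via honest:   ", split_tunnel_resolve(
        "internalmail.company.com", honest_public_resolver, vpn_resolver))
    print("mail via hijacked: ", split_tunnel_resolve(
        "internalmail.company.com", hijacking_public_resolver, vpn_resolver))
```

With the honest public resolver the mail host lookup falls through to the VPN and returns the internal address; with the rewriting resolver the client gets the landing page and never asks the VPN at all, which is the timeout the first poster describes. To check the resolver your own machine uses, pass `system_resolver` to `classify_resolver`; the probe TLD is a parameter so the check can also be run under the TLDs you actually use.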
'Sensible' is a curse word.
HOLY FUCKING SHIT
STOP SUGGESTING OPENDNS, THEY DO THIS SHIT TOO.
Excuse me while I go blow a blood vessel. Every single time a story like this comes up some idiot suggests OpenDNS and idiot mods initially mod them up.
I'd link where this happened last time but for the life of me I can't figure out how to view more than my several dozen posts.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)