Comcast the Latest ISP To Try DNS Hijacking

A semi-anonymous reader writes "In the latest blow to DNS neutrality, Comcast is starting to redirect users to an ad-laden holding page when they try to connect to nonexistent domains. I have just received an email from them to that effect, tried it, and lo and behold, indeed there is the ugly DNS hijack page. The good news is that the opt-out is a more sensible registration based on cable modem MAC, rather than the deplorable 'cookie method' we just saw from Bell Canada. All you Comcast customers and friends of Comcast customers who want to get out of this, go here to opt out. Is there anything that can be done to stop (and reverse) this DNS breakage trend that the ISPs seem to be latching onto lately? Maybe the latest net neutrality bill will help." Update: 08/05 20:03 GMT by T : Here's a page from Comcast with (scant) details on the web-jacking program, which says that yesterday marked the national rollout.

Very Simple Answer

[IBitOBear]

DNS is supposed to tell you (essentially) "no such domain name registered" when you try to find a domain name.

IFF (e.g. if and only if) DNS _only_ serviced web browsers, then one noise-page (my adverts here) is no different than any other noise page (no such name) because a human is going to go "oh, that's not what I was looking for".

But there is a heck of a lot more going on out here in the internet than just web browsing, and significant portions of it hinge on getting true and correct answers from the DNS system.

With DNS boned-up to return false positives on all names, then money can be stolen from you, the causal web browser. For instance, I send you an email from support@bankofamercia.com; you don't notice the transposition of letters, your spam filter looks up bankofamercia.com and the DNS service return as IP address instead of no such address, that address is the same one as I spoofed in the email, the spam filter says its a good email, you get owned.

Okay, that _is_ contrived, so try this instead...

It's 1964. You are at a pay phone. Your car has broken down. It's your last dime. You call home, but mis-dial a number that doesn't exist and you get a busy signal, and you get your dime back. You call home again and get help. The system worked.

It's 1964. You are at a pay phone. Your car is broken down. It's your last dime. You call home, but mis-dial a number that doesn't exist and some random person answers and proceeds to try to sell you car wax. Your dime is gone. You are still stuck. The system has failed.

Imagine your life if you _never_ got a busy signal. You call any extension in any company and you get to leave a voice mail but nobody will ever get that message. It would be living hell.

Worse yet, you run a small company, you may a small number of sales each month that are vital to your companies survival. You invest in an expensive advertisement on the superbowl and everything goes great. Then your DNS server dies. Now there is nobody to answer the proper DNS queries. The DNS squatter wakes up and since mylittlecompany.com no longer resolves, all that traffic goes to the Comcast Advertisement Shill page. In just a few minutes you get your DNS server working again, but everyone who got the bogus page thinks your company is trying to sell comcast telephone service and web search services and you never go that business. You are out big cash and your name is ruined. IF the spamvertisement page hadn't been there, those people might instead be thinking "wow, this service is so popular I cannot get in, maybe I'll try back in a bit" instead of "why did comcast decide to take out a superbowl ad that made it look like they sold that interesting little product?"

In short, what if every time your cell phone couldn't be found (because it was off or the battery died etc) the people trying to call you got silently redirected to a random "service" of the type one sees on late night television, offering jokes or sex chat, ostensibly in your good name?

That's what is wrong with doing that.

Re:Treewalk or OpenDNS

[Sir_Lewk]

DNS hijacking isn't evil because the companies that do it is evil. It's evil because it breaks standards, and therefore breaks all sorts of other crap.

It doesn't matter what company does it, it's still fucked up. To suggest that OpenDNS breaking standards is any better than Comcast breaking standards is just plain stupid and clearly missing the point entirely.