Slashdot Mirror


Comcast the Latest ISP To Try DNS Hijacking

A semi-anonymous reader writes "In the latest blow to DNS neutrality, Comcast is starting to redirect users to an ad-laden holding page when they try to connect to nonexistent domains. I have just received an email from them to that effect, tried it, and lo and behold, indeed there is the ugly DNS hijack page. The good news is that the opt-out is a more sensible registration based on cable modem MAC, rather than the deplorable 'cookie method' we just saw from Bell Canada. All you Comcast customers and friends of Comcast customers who want to get out of this, go here to opt out. Is there anything that can be done to stop (and reverse) this DNS breakage trend that the ISPs seem to be latching onto lately? Maybe the latest net neutrality bill will help." Update: 08/05 20:03 GMT by T : Here's a page from Comcast with (scant) details on the web-jacking program, which says that yesterday marked the national rollout.

9 of 352 comments

  1. Re:Serious question by HeronBlademaster · · Score: 5, Informative

    You're IT for a business. You have employees who check their e-mail from home, accessing your stuff via a split tunnel VPN.

    The computer tries to resolve internalmail.company.com, and normally this should fail, causing the computer to try the VPN's DNS server.

    Instead, your employee's computer gets Comcast's search page server. Their mail client times out.

    You get inundated with tech support calls.

  2. fucking idiots.....at least I have BIND by Indy1 · · Score: 5, Informative

    I've always used a Linux box as my firewall/router box at home, and I've been running BIND as a caching DNS server. Fortunately this won't affect me, as I totally bypass spamcast's bullshit.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  3. Re:Serious question by Anonymous Coward · · Score: 5, Informative

    It's a split tunnel VPN...

    That means first it tries to use the internet, then it tries the VPN. If I look up foo.bar, and foo.bar doesn't resolve, it then tries on the VPN's DNS. That helps keep external traffic off the VPN. Internal traffic is still safe.

    Of course, if foo.bar, instead of not resolving, points to Comcast, then I never do the lookup... and the VPN... is broken.

  4. Re:Serious question by dirk · · Score: 5, Interesting

    To use an example from my company, we have many users with laptops. We have set up MS Outlook on these systems to use Outlook Anywhere. The way Outlook Anywhere works is that it first tries to connect to the internal mail server (mail.company.inside) and if it can't connect to that then tries the external mail server for an Outlook Anywhere connection (mail.company.com). With a properly set up and unmunged DNS, when they are at home it tries to connect to the internal server and gets a DNS not found response and then tries the external server. With this new botched DNS setup, it tries the internal server and gets an IP address response, so it tries to connect to that server to retrieve its email. Unfortunately, the DNS sends the IP address of the web server that serves up its ad page, so Outlook sits and times out waiting for a response, meaning these people can't get their email from home.

    Yes, this could be worked around by host files, but we are a 1000-person company. Why would we want to try setting up local host files on these systems that then have to be updated whenever we change servers just because an ISP doesn't want to set up DNS based on the proper specs?

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
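    The failure mode described in comments 1, 3 and 4 (a resolver answering NOERROR plus an A record for a name that should be NXDOMAIN) can be checked for directly. The following is an added example, not code from the thread: it builds a DNS query for a random, guaranteed-nonexistent label, parses the wire-format reply, and flags a resolver that hands back addresses instead of RCODE 3. The two sample replies, the probe zone example.com and the address 192.0.2.1 are constructed for the demonstration; probe() is a hypothetical helper that sends the query over UDP to a resolver of your choosing.

```python
import random
import socket
import string
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query; flags 0x0100 sets RD, one question, no other sections."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def random_probe_name(zone: str = "example.com") -> str:
    """A random label that cannot exist, so an honest resolver must return NXDOMAIN."""
    return "nx-" + "".join(random.choices(string.ascii_lowercase, k=12)) + "." + zone

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name, handling a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def classify_response(msg: bytes) -> dict:
    """Parse header, questions and answers; report RCODE and any A records."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode, off, a_records = flags & 0x000F, 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    # NOERROR with addresses for an impossible name means the resolver rewrites NXDOMAIN.
    return {"rcode": rcode, "a_records": a_records, "hijacked": rcode == 0 and bool(a_records)}

# Constructed sample replies (not captured traffic) to a query for nx-test.example.com.
QUESTION = b"\x07nx-test\x07example\x03com\x00" + b"\x00\x01\x00\x01"
HONEST_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION  # RCODE=3
HIJACKED = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION         # RCODE=0
            + b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))

def probe(resolver_ip: str, zone: str = "example.com", timeout: float = 3.0) -> dict:
    """Hypothetical helper: send the random-name probe to a resolver and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(random_probe_name(zone)), (resolver_ip, 53))
        return classify_response(s.recv(512))
```

    The same NOERROR-with-addresses test is what a split-tunnel VPN client or Outlook Anywhere's fallback implicitly relies on, which is why a rewriting resolver breaks them.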
  5. Re:Serious question by Daniel_Staal · · Score: 5, Informative

    The name of the box is, of course, irrelevant. But you still have it wrong: Comcast's DNS server isn't affecting the company's internal DNS server, it is affecting their customer's box, who is your employee, making it so that they never query your internal DNS server.

    This happens precisely because they don't know anything about the internal network, and yet they are telling your employee they do.

    --
    'Sensible' is a curse word.
  6. Very Simple Answer by IBitOBear · · Score: 5, Insightful

    DNS is supposed to tell you (essentially) "no such domain name registered" when you try to find a domain name.

    IFF (i.e. if and only if) DNS _only_ serviced web browsers, then one noise-page (my adverts here) is no different than any other noise page (no such name) because a human is going to go "oh, that's not what I was looking for".

    But there is a heck of a lot more going on out here in the internet than just web browsing, and significant portions of it hinge on getting true and correct answers from the DNS system.

    With DNS boned-up to return false positives on all names, then money can be stolen from you, the casual web browser. For instance, I send you an email from support@bankofamercia.com; you don't notice the transposition of letters, your spam filter looks up bankofamercia.com and the DNS service returns an IP address instead of no such address, that address is the same one as I spoofed in the email, the spam filter says it's a good email, you get owned.

    Okay, that _is_ contrived, so try this instead...

    It's 1964. You are at a pay phone. Your car has broken down. It's your last dime. You call home, but mis-dial a number that doesn't exist and you get a busy signal, and you get your dime back. You call home again and get help. The system worked.

    It's 1964. You are at a pay phone. Your car is broken down. It's your last dime. You call home, but mis-dial a number that doesn't exist and some random person answers and proceeds to try to sell you car wax. Your dime is gone. You are still stuck. The system has failed.

    Imagine your life if you _never_ got a busy signal. You call any extension in any company and you get to leave a voice mail but nobody will ever get that message. It would be living hell.

    Worse yet, you run a small company, you make a small number of sales each month that are vital to your company's survival. You invest in an expensive advertisement on the Super Bowl and everything goes great. Then your DNS server dies. Now there is nobody to answer the proper DNS queries. The DNS squatter wakes up and since mylittlecompany.com no longer resolves, all that traffic goes to the Comcast Advertisement Shill page. In just a few minutes you get your DNS server working again, but everyone who got the bogus page thinks your company is trying to sell Comcast telephone service and web search services and you never get that business. You are out big cash and your name is ruined. If the spamvertisement page hadn't been there, those people might instead be thinking "wow, this service is so popular I cannot get in, maybe I'll try back in a bit" instead of "why did Comcast decide to take out a Super Bowl ad that made it look like they sold that interesting little product?"

    In short, what if every time your cell phone couldn't be found (because it was off or the battery died etc) the people trying to call you got silently redirected to a random "service" of the type one sees on late night television, offering jokes or sex chat, ostensibly in your good name?

    That's what is wrong with doing that.

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  7. Re:Serious question by MightyMartian · · Score: 5, Interesting

    Using DNS lookups to tarpit certain kinds of spam. If everything resolves, then such methods simply fail.

    Besides, interfering with DNS resolution is just plain bad. Quite frankly, I wish we had an organization controlling the root servers that had a backbone, and would simply stop answering queries from any network that decided to interfere with DNS resolution.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  8. Re:Treewalk or OpenDNS by Sir_Lewk · · Score: 5, Informative

    HOLY FUCKING SHIT

    STOP SUGGESTING OPENDNS, THEY DO THIS SHIT TOO.

    Excuse me while I go blow a blood vessel. Every single time a story like this comes up some idiot suggests OpenDNS and idiot mods initially mod them up.

    I'd link where this happened last time but for the life of me I can't figure out how to view more than my several dozen posts.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  9. Re:Treewalk or OpenDNS by Sir_Lewk · · Score: 5, Insightful

    DNS hijacking isn't evil because the companies that do it are evil. It's evil because it breaks standards, and therefore breaks all sorts of other crap.

    It doesn't matter what company does it, it's still fucked up. To suggest that OpenDNS breaking standards is any better than Comcast breaking standards is just plain stupid and clearly missing the point entirely.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)