Slashdot Mirror
Reports of IE Hijacking NXDOMAINs, Routing To Bing
Jaeden Stormes writes "We just started getting word of a new browser hijack from our sales force. 'Some site called Bing?' they said. Sure enough, since the patches last night, their IE6 and IE7 installations are now routing all NXDOMAINs to Bing. Try it out — put in something like www.DoNotHijackMe.com." We've had mixed results here confirming this: one report that up-to-date IE8 behaves as described. Others tried installing all offered updates to systems running IE6 and IE7 and got no hijacking.
Update: 08/11 23:24 GMT by KD : Readers are reporting that it's not Bing that comes up for a nonexistent domain, it's the user's default search engine (noting that at least one Microsoft update in the past changed the default to Bing). There may be nothing new here.
Update: 08/11 23:24 GMT by KD : Readers are reporting that it's not Bing that comes up for a nonexistent domain, it's the user's default search engine (noting that at least one Microsoft update in the past changed the default to Bing). There may be nothing new here.
It isn't actually Bing that it goes to, it is whatever your default search provider is. Now that is Bing by default, but you can change it to anything you want. IE8 asks you during setup, and you can change it later. So if you change it to Google and enter a non-existent domain, it'll send you to Google with a search for that.
Similar to how Firefox works, just in more cases. In FF, if you enter a name with no domain, it tries some popular ones like .com. If it can't find any, it then does a search in your default provider. IE is doing a similar thing, but doing the search even if you do enter a domain.
Most if not all versions of IE (6+, and probably older ones too) have a feature called search from address bar. With this setting enabled, anything typed in the address bar which does not resolve to a website, is passed on to the default search engine, whichever that may be.
Perhaps a recent update turned this feature ON for people who had it turned OFF? But the feature itself is most definitely not new or news.
I liked my next sig a lot better
I think you've grabbed every DNS-related RFC you can find, hoping that I had not read them. I have, and so I will ask you to be more specific. Which part of RFC 2065 (DNSSEC) is violated? Are you suggesting that IE is a poorly-implemented DNS caching server which does not cache negative results (RFC 2038)? I'm particularly curious why you cited RFC 1536. Did the subject of the conversation turn to whether IE is appending your local domain to DNS queries for non-explicit FQDNs?
The only specific citation you've made from the DNS-related RFCs is about structuring the DNS header. I have yet to see anyone point to any claim that IE sends improperly formatted DNS headers. What they ARE doing is presenting your NXDOMAIN result accompanied by results for a search on the missing domain.
I still do not see a standard which requires a browser or other application's response to an NXDOMAIN to not accompany it with search results, and I do not believe one exists. If your script relies on IE presenting NXDOMAINs in a specific way, then you have a badly-written script, and you shouldn't have expected it to keep working.
Domain hijacking is a huge deal for me.
Your description is confusing the browser trying to resolve your broken DNS request with an ISP hijacking your DNS request.
Primarily, when I'm on an internet connection that's hijacking the domain, if I type 'amazon', firefox first checks if I have an amazon in my searchdomain (ie: amazon.example.com)
No. When you're on an internet connection that's hijacking the domain, amazon resolves to a 'service' provided by your ISP even though it's not a registered domain.
, and if not, it tries adding a .com, then a www. and a .com...
What you mean is that if your ISP's DNS service works correctly and tells you that amazon.com doesn't exist, your web browser (Firefox in this case) has some heuristic for trying other DNS queries in an attempt to help you, and when those queries are exhausted it takes you to a search engine.
if the ISP is hijacking it, I get an answer to 'amazon' with the hijacked page. This means that I have to type the .com every time.
Which is what you should have written first.
So you have to type .com when you mean amazon.com. Yeah, that's like saying that I have to write Plymouth, MA next to 02364 on my address. The postal service is run by people, and usually, they can figure it out, but if the address is wrong, it's your fault, even if they helpfully fix it for you.
with a browser doing the same thing, I could be trying to connect to my primary server (wolverine) and if I mistype the webaddress, it redirects me to bing, changing my URL bar to the bing URL which means that when I've typed 'wolverine/some/really/long/path?with=variables' I have to go type that whole thing over again to correct it rather than just fixing it in the addressbar.
So turn off the feature which searches with the default search engine when your DNS query fails.
If you want to bypass DNS for your machines, put your own entries in your "/etc/hosts file" (%WINDIR%\System32\drivers\etc\hosts on Windows). Also, you can run your own DNS service locally.
so, hijacking the DNS is a BITCH and is totally annoying all the time.
Only if you aren't technically savvy enough to use a web browser. After you type amazon.com in once into IE or Firefox or Chrome these days, the autocompletion helpers from your recent history usually have enough context that shift+enter (in IE anyway, not sure about the others) takes you where you want to go.
The real problem with DNS servers hijacking broken requests is that they lie to network tools, not just web browsers. This can cause serious problems. DNS is used for more than just HTTP.