Slashdot Mirror
Reports of IE Hijacking NXDOMAINs, Routing To Bing
Jaeden Stormes writes "We just started getting word of a new browser hijack from our sales force. 'Some site called Bing?' they said. Sure enough, since the patches last night, their IE6 and IE7 installations are now routing all NXDOMAINs to Bing. Try it out — put in something like www.DoNotHijackMe.com." We've had mixed results here confirming this: one report that up-to-date IE8 behaves as described. Others tried installing all offered updates to systems running IE6 and IE7 and got no hijacking.
Update: 08/11 23:24 GMT by KD : Readers are reporting that it's not Bing that comes up for a nonexistent domain, it's the user's default search engine (noting that at least one Microsoft update in the past changed the default to Bing). There may be nothing new here.
Update: 08/11 23:24 GMT by KD : Readers are reporting that it's not Bing that comes up for a nonexistent domain, it's the user's default search engine (noting that at least one Microsoft update in the past changed the default to Bing). There may be nothing new here.
So it looks like its not Microsoft's fault in -my case-.
This is my sig.
I mean really. We can get a page telling us the site doesn't exist, or we can be re-directed to a search engine which can help us find what we were looking for. Yeah it helps pimp Microsoft, but I figure if you are using their browser, it is fair game.
I'm pretty sure that if you had the Google Search Provider add on for IE, and made it your default search provider, it would do the same? Hasn't that always been the case for Non-existant domains?
I mean, its IE, and its microsoft - all they're basically doing is providing the "Microsoft Add On" in their versions of IE.
It isn't actually Bing that it goes to, it is whatever your default search provider is. Now that is Bing by default, but you can change it to anything you want. IE8 asks you during setup, and you can change it later. So if you change it to Google and enter a non-existent domain, it'll send you to Google with a search for that.
Similar to how Firefox works, just in more cases. In FF, if you enter a name with no domain, it tries some popular ones like .com. If it can't find any, it then does a search in your default provider. IE is doing a similar thing, but doing the search even if you do enter a domain.
IE 6 and 8 (don't use 7 anywhere). Both redirected to BING ....
The funniest thing we have ... our filter (k-12 schools) blocks BING LOL. ... here is the report ...
Category: Image Servers & Image Search Engines
Blocked URL: http://www.bing.com/search?FORM=DNSAS&q=www.DoNotHijackMe.com&adlt=strict
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Yet another stupid, linkless, flamebait article.
Come the fuck on guys.
IE is - as stated above - being helpfull, as a program should be. It is not a "hijacking" since the program requesting the DNS-lookup is IE. This is nothing like having NXDOMAIN, transparently, changed into something it isn't on the network-level.
In one case the program gets to decide what to do and in the other someone else is telling your program that the expected result is something else.
//Patrik Graeser
IE 6 has always been doing stuff on auto.search.msn.com if you entered URLs whose domain name didn't exist.
This is not news.
Nothing to see here, move along.
Comment removed based on user account deletion
It breaks really shittily configured VPN clients/networks in a BIG way.
WTF is your VPN doing attempting to resolve VPNed hostnames through your default ISP connection, rather than using a nameserver on the VPN? I'd fire your network security guy, before you get bitten in a big way by a DNS "MITM" - I use quotes because it's really Man In The Wrong Place At The Right Time Who Gets Lucky Because Of An Insecure VPN, but that's not quite as catchy.
I just tried it = www.DoNotHijackMe.com in IE8 and Google loaded.
It's caused by a setting Tools -> Internet Options -> Advanced -> Search Options and "Just Display the results in the main window" is selected. If "Do not submit unknown addresses to your auto-search provider" is selected, if it can't find an address it submits it to your default search provider.
No mystery.
Comment removed based on user account deletion
I thought that was the ignorance siren that I heard. Where do I start?
150 million wasted on the latest rebranding of their failed search product. No effect on marketshare
Actually, it stole a percentage point of Google's market share last month. I don't think anybody expected it to gain 70% market share overnight. Except maybe you?
Mass numbers of suspicious posts on Net messageboards all parroting the same talking points: "I'm a long time Google users and I decided to give Bing a try and By Golly! I'm switching!"
Suspicious? Really? I saw somebody the other day on a Macbook Pro using Bing willingly. It's anecdotal evidence. There's nothing suspicious about it. It happens to some people, not everyone. I'm sure there are people who used Live Search before and switched to Google or Yahoo.
Paying floundering Yahoo to use their search engine
I won't argue with the state of Yahoo, but this has the potential to double the usage of Bing, and make it a much more formidable opponent to Google. It was a good deal.
* Putting up fake news story items on Microsoft web pages that are really nothing more than hidden Microsoft search links attempting to inflate the search marketshare
Haven't seen an example of this yet. Provide one and I'll yield this point.
* And now this crap The rate Ballmer is throwing billions at their failed search efforts looks like it may actually outdo Microsoft 8 year long Xbox fiasco for.
Read the first few comments - it goes to your default search provider, which is Google if you set it to. And I hate to be the bearer of bad news for your anti-Microsoft sentiments, but the XBox division is doing pretty well for itself right now. They've made Sony a laughing stock this generation.
"It's a reverse vampire...they....they crave the sun!"
Comment removed based on user account deletion
Well even more to the point IMO: IE isn't "hijacking" NXDOMAIN because IE is the program you're requesting the domain from. Saying IE is hijacking your domain query is a little like claiming the normal pilot of a plane is hijacking it whenever he flies. No, he's not, he's the pilot. It's kind of his job.
What I mean is, if I dropped to the command prompt and typed "nslookup [whatever]", is IE changing the results that I get? If not, then it isn't really fair to say they're "hijacking" anything. If you're typing a domain into your address bar of your browser, and you want something to figure out what you're trying to type and possibly redirecting to a search engine, then the browser is the appropriate place for that to happen. The complaints about DNS "hijacking" is because it's being done by the DNS server and not the browser, but the browser is actually the right place for this to happen.
Now maybe they should offer the option to turn this on or off, but really as long as they're respecting your choice in search engines, I don't think there's a problem. It's a little like complaining that Firefox's Awesome Bar tries to guess what sites you're trying to find.
Every time an ISP starts hijacking NXDOMAIN responses, dozens of comments suggesting that this should not be done by the ISP but in the browser get modded +5 and are generally agreed with.
So MS made their browser do it. What is the problem?
(Other than using a monopoly in one market to get one in another.)
Go green: turn off your refrigerator.
Comment removed based on user account deletion
Most if not all versions of IE (6+, and probably older ones too) have a feature called search from address bar. With this setting enabled, anything typed in the address bar which does not resolve to a website, is passed on to the default search engine, whichever that may be.
Perhaps a recent update turned this feature ON for people who had it turned OFF? But the feature itself is most definitely not new or news.
I liked my next sig a lot better
Its really nothing worth getting upset about. Lot's of smart people mix that one up.
Woooos'h!
How many people can read hex if only you and dead people can read hex?
Because somehow on Windows 7, Firefox is doing the same thing now, and Google is the default search engine.....
Seriously, how many bad articles does this guy have to post before he gets thrown off the slashdot team?
BeauHD. Worst editor since kdawson.
Well, if you get in a cab, and tell the drive to drive... he say's where to, you say "I-Just-Dont-Exits.com" and he says, he doesn't know that place and gives you some search results instead isn't really hijacking.
Michael J. Ryan - tracker1.info
It is if he drives you to the library to look it up, which is what IE is doing by redirecting you to bing.
I think you've grabbed every DNS-related RFC you can find, hoping that I had not read them. I have, and so I will ask you to be more specific. Which part of RFC 2065 (DNSSEC) is violated? Are you suggesting that IE is a poorly-implemented DNS caching server which does not cache negative results (RFC 2038)? I'm particularly curious why you cited RFC 1536. Did the subject of the conversation turn to whether IE is appending your local domain to DNS queries for non-explicit FQDNs?
The only specific citation you've made from the DNS-related RFCs is about structuring the DNS header. I have yet to see anyone point to any claim that IE sends improperly formatted DNS headers. What they ARE doing is presenting your NXDOMAIN result accompanied by results for a search on the missing domain.
I still do not see a standard which requires a browser or other application's response to an NXDOMAIN to not accompany it with search results, and I do not believe one exists. If your script relies on IE presenting NXDOMAINs in a specific way, then you have a badly-written script, and you shouldn't have expected it to keep working.
What is WRONG with you people? Why do you real Slashdot stories like this one and instantly come to the conclusion that the story is accurate? Or even remotely true?
Look, maybe this is your first day, so let me clarify it: Every story on Slashdot about Microsoft is at least misleading; most are outright false . Repeat that mantra a few times until it sinks in.
No, this isn't Microsoft "going back to their old ways." This is some moron finally discovering a feature that IE has had since version 6, and possibly before, and going off on some crazy rant with no basis in truth. IE is only redirecting people to Bing because Bing is set to the default search provider!
Please, please, I beg you, DO NOT BELIEVE EVERYTHING YOU READ. In fact, on Slashdot, don't believe *anything* you read unless it's been confirmed elsewhere.
Comment of the year
To me, this would be a legitimate practice PROVIDED that they first ask the user. Ideally, this feature would be off by default, the user would first enable the feature and would then get to choose the search engine that it uses. I'd have no problem with that.
They ask the user when the software is run for the first time you dumb son of a bitch,
Domain hijacking is a huge deal for me.
Your description is confusing the browser trying to resolve your broken DNS request with an ISP hijacking your DNS request.
Primarily, when I'm on an internet connection that's hijacking the domain, if I type 'amazon', firefox first checks if I have an amazon in my searchdomain (ie: amazon.example.com)
No. When you're on an internet connection that's hijacking the domain, amazon resolves to a 'service' provided by your ISP even though it's not a registered domain.
, and if not, it tries adding a .com, then a www. and a .com...
What you mean is that if your ISP's DNS service works correctly and tells you that amazon.com doesn't exist, your web browser (Firefox in this case) has some heuristic for trying other DNS queries in an attempt to help you, and when those queries are exhausted it takes you to a search engine.
if the ISP is hijacking it, I get an answer to 'amazon' with the hijacked page. This means that I have to type the .com every time.
Which is what you should have written first.
So you have to type .com when you mean amazon.com. Yeah, that's like saying that I have to write Plymouth, MA next to 02364 on my address. The postal service is run by people, and usually, they can figure it out, but if the address is wrong, it's your fault, even if they helpfully fix it for you.
with a browser doing the same thing, I could be trying to connect to my primary server (wolverine) and if I mistype the webaddress, it redirects me to bing, changing my URL bar to the bing URL which means that when I've typed 'wolverine/some/really/long/path?with=variables' I have to go type that whole thing over again to correct it rather than just fixing it in the addressbar.
So turn off the feature which searches with the default search engine when your DNS query fails.
If you want to bypass DNS for your machines, put your own entries in your "/etc/hosts file" (%WINDIR%\System32\drivers\etc\hosts on Windows). Also, you can run your own DNS service locally.
so, hijacking the DNS is a BITCH and is totally annoying all the time.
Only if you aren't technically savvy enough to use a web browser. After you type amazon.com in once into IE or Firefox or Chrome these days, the autocompletion helpers from your recent history usually have enough context that shift+enter (in IE anyway, not sure about the others) takes you where you want to go.
The real problem with DNS servers hijacking broken requests is that they lie to network tools, not just web browsers. This can cause serious problems. DNS is used for more than just HTTP.
(original poster here) You're right, I'm not as up on the networking side as I am the code side, and I didn't use the correct terminology when I said "hijacking". However, the NXDOMAIN stuff was added by someone else who edited my post before putting it up on the site; I haven't the slightest idea what NXDOMAIN even is. So yes, I'm ignorant in that regard, but not so much so as to throw out terms I don't understand and give a wildly false report.
I wouldn't be so quick to jump on the editor for this. I saw your original post on the Firehose, in which you claimed Microsoft is redirecting 404s -- this would be monstrous and bad, and while "hijack" is a term you can quibble over, your original report was significantly more dire, and objectively false. A 404 is the HTTP response when you ask for a file that's not on the server. In this case, we don't even get as far as asking the server for the non-existent file, because we can't find its IP -- so we get the 404's cousin in DNS, the NXDOMAIN. The editor caught your mistake and corrected it.
Basically, what it's done is force-feed all of our machines Bing as a default search engine (it had been Google). It's one thing if it shipped that way, but this just happened all of a sudden and our sales force (who are not exactly IT-savvy) freaked out and started calling in virus reports when the behavior changed without warning.
Sorry for the confusion. Still, sucks what they did.
If I understand you right, you're saying that your salespeople were used to being directed to Google. So, you guys were already comfortable with this behavior from a technical standpoint, and you're annoyed that it changed from Google to Bing. I'm not an IE user, so I don't know exactly how this behavior worked, but I wouldn't be at all surprised if I were in your position and learned that Microsoft has decided to stop using their browser to promote their competitor in favor of their new product.
From reading the comments here, if you don't want it to use Bing, you can tell your sales guys to set Google as their default browser, because it sounds like that's what it's redirecting to. And as a guy who really dislikes Windows, IE and Microsoft in general, let me say that sounds like a reasonable enough deal.
Even if you were more right, I'd rather side with him since he can spell.
What was being corrected was ISP for DNS. I don't believe the presence of an apostrophe was the issue the poster was addressing. If you choose to believe a message based on the correctness of punctuation, or even spelling, rather than examining the truth of its (how tempted I was to write it's just to annoy you!) semantic content, you are systematically deluding yourself.
Otherwise well informed people make spelling mistakes. Highly intelligent people make spelling mistakes. People who know how to spell make typos. People who are on the losing side of an argument clutching at straws invest such mistakes with an importance they do not possess.
Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
Then Firefox is doing something wrong.
I'm using build 7100, Opera, IE8 (version 8.0.7100.0 - no updates available on Windows Update), Chrome (2.0.172.39) and Firefox.
Going to http://3.se (.se domains require a minimum of 3 characters, so this cannot ever resolve) in Opera gives me:
In IE8, Google as default provider gives me http://www.google.com/search?q=3.se&rls=com.microsoft:da&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1 which makes sense, as it's searching for the unresolved domain through Google.
Chrome gives me
Firefox 3.5.2 gives me
Safari gives me
In other words, unless you messed up your Firefox install, nothing on Windows 7 makes Firefox (or any other browser) use Bing as a search engine unless you've asked it to. The only reason IE8 even uses Google as the search engine is because I asked it to when I set it up.
None of the browsers have this issue. They all try to resolve http://3.se/ and http://www.3.se/ but like I said, that domain cannot ever exist as a legitimate domain, so it fails. All the browsers are doing what they've been told to do.
The only thing I can think of, that you may have done to make your Firefox installation use Bing for the searches, is if you asked it to import settings from another browser (IE) which used Bing as its search provider. Are you sure the only thing you did was update Windows and not Firefox? Maybe an update would trigger the question again (I haven't a clue, I don't use it)? Or a fresh install or a misclick somewhere in its settings?
No they default to doing it. See browser.fixup.alternate.enable in Firefox which defaults to true. Set it to false and 3.se will just try 3.se and nothing else.
The search is also the default but can be turned off with keyword.enabled false.