Slashdot Mirror
ISP Is Bypassing Firefox's Location Bar Search
It was only a matter of time before ISPs began doing more than just redirecting failed DNS requests to their own pages.
An anonymous reader writes "It looks like the largest ISP in Hong Kong has started bypassing search results from Firefox's location bar (which typically uses Google), forcing their own search provider (yp.com.hk) onto their users. ... Can an ISP just start re-directing search traffic at will?"
Exhibit A: OpenDNS
http://forums.opendns.com/comments.php?DiscussionID=226
This IS Slashdot right? Let's look at the technical limitations here. As long as your ISP does not block DNS requests then you can use any DNS provider you want and therefore bypass any redirection. If an ISP started blocking the use of other DNS server then I'd say it's time to jump ship.
My US ISP recently started doing this (windstream.com). This was done without any real notice and turned on by default. Granted, there is a link in the redirected search results to turn it off.
It's PCCW. What I have heard is they are hijacking NXDOMAIN, but not sure about redirecting the location bar. Maybe Firefox will try to lookup for domain for single name hostname, hence giving an impression that it redirects if your "search term" is just one word.
They don't block DNS requests, they just send all port 53 traffic to their DNS server.
There are a lot of areas with a single good internet option (where 'good' means decent bandwidth and latency). Jumping ship may not be a realistic option.
Indeed, the poster only discusses what happens when he puts the name of a website into Firefox's address bar. By default, that will carry out a DNS lookup and if that lookup fails, Firefox will redirect to a Google "I'm feeling lucky" result.
Lots of ISPs are intercepting failed DNS requests and injecting their own ad page, there's usually a way to bypass this.
What firefox does is first try to do DNS lookups for:
foo
foo.com
www.foo.com
before launching the google search.
Thus NXDOMAIN wildcarding (which is unfortunately growing very common, distressingly so in our data) will mess up the firefox behavior by causing one of the three names to resolve to the "helpful" search page belonging to the ISP.
Test your net with Netalyzr
Heck, it happens here in the USA. I'll name names too - Windstream Communications. As of a couple months ago they started redirecting our google search bars to their custom search portal. Annoyed the hell out me. Emailed, but apparently got dumped into the bucket of spam/"unhappy customer, please ignore".
Despite the handover in 1997, Hong Kong is still very much its own entity, sharing more in common with Seoul and Tokyo than with, say, Shanghai. They have protests, marches, and as far as I could tell the internet wasn't subject to the Great Firewall. Having been there three months ago and a wife there now, I *think* I can say that much.
I don't know what kind of crack I was on, but I suspect it was decaf.
This isn't new, and this isn't NXDOMAIN hijacking. Windstream, a US DSL provider, was already caught red-handed doing this. Not only this but they also refuse to answer very specific questions asked (see http://www.dslreports.com/forum/r24059591-DPILayer7NXDOMAIN-Privacy-questions-re-Windstream-DSL) and provide a paper-thin excuse as to why it's happening (see http://www.dslreports.com/forum/r24074065-Our-Response-to-Redirect-Service-Concerns).
Affected users are not using the ISP's DNS servers, this is not NXDOMAIN hijacking. This is layer 7 inspection, the sheer fact the URL was transformed, being carefully re-written, from the URI passed to 'www.google.com' discredits what Windsteam has said entirely.
When a user performs a search using the Firefox search bar against Google HTTP/1.1 is used with an HTTP method of GET against Google. The following URI is constructed:
q=[search critera]
ie=[encoding]
oe=[encoding]
aq=
rls=[browser]
So, when I search against Google I pass ?q= for my search term.
When this is redirected to searchredirect.windstream.net the URI is transformed, with the ?q= parameter being extracted. Windstream's site uses this URI structure:
search=[search criteria]
src=[interger value, likely points to an RDBMS based on HTTP_REFERER]
Windstream is not disclosing the truth. For this behavior to occur you would have to be using an MITM proxy or DPI; either way they are inspecting layer 7 traffic, extracting the ?q= URI string passed to Google, and either transparently or via HTTP 302 redirecting customers to searchredirect.windstream.net
They got caught, red handed, and have been fabricated mis-truths from the start.
How HTTP/1.1 GET against /search?q=my_search_term becomes /search.php?search=my_search_term without some form of Layer 7 is impossible. This CANNOT be NXDOMAIN.
Clearly they're not disclosing the full details or hiding behind careful sentence structure and semantics. This appears that there is now an industry initiative and a company behind this search harvesting and privacy invasive technology which is being sold to ISPs. Expect more to come, this isn't isolated to over-seas, it's already happening right here in the US.
-SirMeowmix_I
Confirmed this with a few of my friends who are using PCCW Netvigator. I have the same ISP, but use OpenDNS, so haven't notice anything was amiss for some time.
(This is also a single post on a forum from one user... ;-p)
I'm in Hong Kong and I use that ISP mentioned in the article at home.
Never noticed the change because I've set my DNS servers to google's, but now that I test it out, my ISP's servers do seem to be returning 203.198.80.* in place of NXDOMAIN.
Fuck.
Don't quote me on this.
Like another poster also pointed out: Hong Kong is not China. It is politically part of China, but for all practical reasons it acts as a different country (and you as not being involved in the world political stage should simply consider it as such, much closer to the everyday reality):
Separate currency, the Hong Kong dollar, linked at 7.8 to the US dollar and fully convertible (can't say that of the yuan).
Borders with China. I am Hong Kong resident, and still need to buy a visa to enter China.
Hong Kong is a free port for import and export of goods and services. China is pretty thoroughly locked down, import duties of goods to China are huge. Really.
Hong Kong has an open, accountable judiciary, with a strong respect for the rule of law. The exact opposite of the other side of the border.
Hong Kong has press freedom, and not just official.
Hong Kong people have the right to demonstrate, and do so. In 2003, half a million people took to the streets - or about 7% of the total population. It sent shock waves throughout the country, all the way to Beijing. Something like that would never be allowed in China.
And last but not least Hong Kong has the permission from Beijing's overlords to move towards full democracy.
Nope, sure doesn't. And they can sniff out a DNS request even if you find a DNS host that was amiable to using another port.
So what you really need as a DNS service that sends and receives encrypted requests over a non-standard port.
Then you can get around it. Hosting your own DNS does no good, as it still comes through your ISP's DNS first. Hard-coding Google's IP address would work short term for Google search, but if it catches on they'll just start redirecting all Google traffic instead of just DNS requests.
My host only reroutes failed DNS requests to their own shitty search, but it's still annoying as hell.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
My ISP (Frontier) was doing this as well, even worse, when you opted out you still actually got the wrong response from DNS, it would detect your browser and give back an error page that looked similar, but not quite the same (at least that's what it did for Firefox). I noticed because the error page looked a little different and the URL was clearly wrong. I ended up switching to Google DNS until my contract was up, and then switching to the local cable monopoly (I suppose they do something similar, but I haven't noticed since I'm still using Google).
However, I'm obviously a lot more technically savvy than the average user, or even the average tech support person (they couldn't understand the problem). ISPs shouldn't be doing this, router manufacturers should start shipping their products to default to Google DNS, it's faster anyway.
The right to protest the State is more sacred than the State.
DNSSEC prevents tampering, if I understand it right. If you request an answer from server X, the client won't accept a server from any other server, thus prevent man-in-the-middle attacks like this.
Alternatively, you can redirect all or part of the traffic through a VPN or secure proxy. Even Tor, if you compensate the long delays with some DNS caching, as provided by pdns or other caching server (even if you don't need it, it's awesome, I tell you! Every request after the first takes 0ms).
Dilbert RSS feed
Actually this has everything to do with network neutrality. The ISP went into a business relationship with a search engine and then changed all the DNS entries to redirect all traffic from all other search engines to the one they have a business relationship with. That isn't a "hacked" connection, that was packet re-prioritization at the ultimate level. Instead of sending the packets to where the user wanted, the ISP sent them to their own service to make more money from their services (thru ads etc.), and away from a competing service. That is the very definition of a NON-neutral net, since they are being HOSTILE to other networks and services.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"