Slashdot Mirror


How One Man Fought His ISP's Bad Behavior and Won

An anonymous reader writes "Eric Helgeson documents his experience with an unscrupulous ISP that was injecting affiliate IDs into the URLs for online retailers. 'It appears that the method they were using was to poison the A record of retailers and do a 301 redirect back to the www cname. This is due to the way apex, or 'naked' domain names work.' Upon contacting the ISP, they offered him access to two DNS servers that don't perform the injection, but they showed no indication that they would stop, or opt out any other subscribers. (It was also the only wireless provider in his area, so he couldn't just switch to a competitor.) Helgeson then sent the data he gathered to the affiliate programs of major retailers on the assumption that they'd be upset by this as well. He was right, and they put a stop to it. He says, 'ISPs ask you to not do crummy things on their networks, so how about they don't do the same to their customers?'"

181 comments

  1. Use public DNS by DigiShaman · · Score: 5, Informative

    Google DNS is 8.8.8.8 and 8.8.4.4
    Open DNS is 208.67.222.222 and 208.67.220.220

    Norton Safe Connect (personal use, not for business) is 199.85.126.10 and 199.85.127.10. Supposed to protect against malware, phishing sites, and scams.
    https://dns.norton.com/dnsweb/homePage.do

    --
    Life is not for the lazy.
    1. Re: Use public DNS by corychristison · · Score: 3, Informative

      Personally use 4.2.2.[1-6]
      I think they are provided by Level 3. Get great response time here in the Canadian Prairies.

      I've never trusted my ISP's DNS servers.

    2. Re:Use public DNS by jones_supa · · Score: 1

      Those work a bit slower as they are not in your network.

    3. Re:Use public DNS by Anonymous Coward · · Score: 1

      Good suggestion, but not always useful: some of the scummier ISPs actually intercept and spoof DNS traffic, which is trivial to do.

    4. Re:Use public DNS by DigiShaman · · Score: 1

      Depends. For many small ISPs, they are closer in hop count in the network, but often hosted on slower hardware or the cache has expired due to TTL; in which case they look up to the root servers anyways. In the case of Comcast, they're moving away from local managed DNS servers to public ones for their subscribers. In their case, that would be 75.75.75.75 and 75.75.76.76. In short, the turnaround in packet responsiveness may be slower to Google's DNS servers by 20 to 30ms, but the CPU response on the backend more than makes up for it. Depending on where you live and who your ISP is, YMMV.

      --
      Life is not for the lazy.
    5. Re:Use public DNS by adolf · · Score: 1

      Those work a bit slower as they are not in your network.

      Not necessarily.

      Google's DNS, along with some/all of the L3 servers use Anycast to automagically find the closest one (of many), network-wise.

      And in any event, they work faster than my own ISP's nameservers.

    6. Re:Use public DNS by Nerdfest · · Score: 5, Informative

      You can try this tool to check your existing DNS for performance and behaviour. Google's is very well behaved by the way, so please don't spread FUD.

    7. Re:Use public DNS by Anonymous Coward · · Score: 1

      As others have mentioned, that doesn't help if your ISP is intercepting and rewriting DNS traffic. Remember that DNS is almost always UDP and pretty much always completely unencrypted.

    8. Re:Use public DNS by Nerdfest · · Score: 5, Informative

      I should add that both Google DNS and OpenDNS support DNS-SEC which is nice as well. OpenDNS also supports a form of DNS request encryption which hides even the sites you go to.

    9. Re:Use public DNS by adolf · · Score: 4, Interesting

      A good suggestion, though I wouldn't trust Google not to do the same or worse with their DNS.

      Trust? Why is trust necessary? Because it's hard to look at the address bar and see that you haven't wound up at an affiliate link?

    10. Re:Use public DNS by Anonymous Coward · · Score: 0

      OpenDNS does not support DNSSEC. They do not validate DNSSEC-enabled domains, which makes it quite a bit less useful than Google's DNS server, which does support DNSSEC.

      For people that wonder about this, DNSSEC would prevent this type of redirection attack.

    11. Re:Use public DNS by Anonymous Coward · · Score: 0

      No, Google wouldn't do that with their DNS. It'd be much easier to do that in their browser.

    12. Re: Use public DNS by Anonymous Coward · · Score: 1

      You can just run your own server and configure it with the roots. There is absolutely no performance reason not to, unless you think you're going to get a lot of cache locality with your fellow subscribers.

      Am I missing something? It's usually just a single yum/apt-get command.

    13. Re:Use public DNS by arth1 · · Score: 4, Interesting

      You can try this [google.com] tool to check your existing DNS for performance and behaviour. Google's is very well behaved by the way, so please don't spread FUD.

      I think his point was that Google's DNS is very well behaved now, but that there is no guarantee that any DNS run by a major advertisement funded business won't, in the future, be tempted to put profit over principles.
      Blind trust is seldom a recipe for long term success. Uncertainty and doubt might be in order.

    14. Re:Use public DNS by Anonymous Coward · · Score: 0

      OpenDNS is a nxdomain hijacking bitch.

    15. Re:Use public DNS by bloodhawk · · Score: 1

      seriously you are suggesting someone concerned about abuse of information use a google DNS Server?

    16. Re:Use public DNS by Anonymous Coward · · Score: 2, Informative

      Other dns servers as well.

      Cisco
      128.107.241.185
      192.135.250.69

      Verizon (Level3) Nameservers
      4.2.2.1
      4.2.2.2
      4.2.2.3
      4.2.2.4
      4.2.2.5
      4.2.2.6

      SpeakEasy Nameservers
      66.93.87.2
      216.231.41.2
      216.254.95.2
      64.81.45.2
      64.81.111.2
      64.81.127.2
      64.81.79.2
      64.81.159.2
      66.92.64.2
      66.92.224.2
      66.92.159.2
      64.81.79.2
      64.81.159.2
      64.81.127.2
      64.81.45.2
      216.27.175.2
      66.92.159.2
      66.93.87.2

      ORSC Public Access DNS Nameservers
      199.166.24.253
      199.166.27.253
      199.166.28.10
      199.166.29.3
      199.166.31.3
      195.117.6.25
      204.57.55.100

      Sprintlink General DNS
      204.117.214.10
      199.2.252.10
      204.97.212.10

      Comcast
      75.75.75.75
      75.75.75.76

      Never know when a server will be unreachable. It's nice to have a list saved locally you can lookup.

    17. Re:Use public DNS by Anonymous Coward · · Score: 5, Insightful

      I think the point is that Google pwns every bit of information about you.

      It's not good enough that they track you at every site that uses Analytics, every site that uses AdWords, every site you go to from their search engine, every site you visit with their Toolbar in play. (I'm forgetting a hundred other ways they suck your data.)

      Nah, not good enough. Why not tell google every single DNS lookup you ever make??

      Why do people mistrust the NSA so much and yet think Google is some kind of sparkly-super-shiny white hat? They work very hard to provide you with tons of free services that give them this wealth of information about you. WHY do they give you these????

    18. Re:Use public DNS by matria · · Score: 1

      Well that was interesting. I don't know exactly what was going on, but when I changed my router's DNS from the default (ISP-provided) to one of these, there was a startling improvement in initial page load speeds for several sites that I checked.

    19. Re:Use public DNS by Pichu0102 · · Score: 2, Interesting

      Downside of using shared DNS servers is that some servers, like those for Sony's PSN, try to get you to download from servers based on your DNS server.

      Why? I have no clue. However, it kills your connection speed until you reset it to your local ISP's DNS servers. Be wary.

    20. Re:Use public DNS by Nerdfest · · Score: 2

      Sorry, looks like I was incorrect. OpenDNS does not seem to support DNSSEC. It does support DNSCrypt.

    21. Re:Use public DNS by Decker-Mage · · Score: 2

      On the other hand (I'm also an economist, sue me!), when/if Google were to try this, there would be open rebellion among the interneterati. Not that most people would even notice, but then again, they don't seem to think much, if at all, about the NSA spying scandals either. For those of us that actually might care about this, a couple of clicks or one shell script and we're invisible.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    22. Re:Use public DNS by Decker-Mage · · Score: 1

      The one day I don't have mod-points. +5 ROFLMAO.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    23. Re: Use public DNS by Decker-Mage · · Score: 1

      Proper configuration is the part that kills most servers and it isn't something to take lightly. Distributed Denial of Service (DNS amplification) attacks are enabled by any idiot setting up a DNS server without knowing WTF they are doing. So yeah, go ahead and do it.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    24. Re:Use public DNS by Anonymous Coward · · Score: 0

      Sorry, looks like I was incorrect. OpenDNS does not seem to support DNSSEC. It does support DNSCrypt.

      And, supposedly DNSCurve - even better!

      DNSSEC sucks compared to DNSCurve - it uses poor and slow crypto, it only provides signing, and it does not encrypt the channel. There is no privacy with DNSSEC!

    25. Re:Use public DNS by aevan · · Score: 3, Insightful

      Google hasn't (to my knowledge) black-bagged anyone.

      On the other hand, there are powerpoints saying they'll hand off the info to the people who then will do it...

    26. Re:Use public DNS by zippthorne · · Score: 1

      If NSA would provide a DNS that was as up-to-date and so-far non-shady as google's, people would probably use that as well.

      It's not so much that google is better than the NSA, but you do have the choice not to use certain services, and it is obvious that they must be monitoring them somehow.

      Other services that google uses to track you that are not opt-in are less well-liked.

      --
      Can you be Even More Awesome?!
    27. Re:Use public DNS by Anonymous Coward · · Score: 2, Informative

      The privacy policy for Google Public DNS is different than that for the rest of Google. It's also public. You can, you know, read it, then you can stop spreading FUD. https://developers.google.com/speed/public-dns/privacy

    28. Re:Use public DNS by Centurix · · Score: 3, Interesting

      Nope, even using Google's DNS won't save you: ISPs hijack DNS that isn't theirs

      For me I had to use DNSMASQ on my router and add: bogus-nxdomain=209.222.14.3 to stop Telstra from "helping" my DNS requests when using 8.8.8.8 and 8.8.4.4...

      --
      Task Mangler
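The two tricks this thread keeps circling back to are the apex A-record poisoning described in the story summary and the NXDOMAIN hijacking that Centurix works around with dnsmasq's bogus-nxdomain setting. The following is an added example, not code from the story, from Helgeson, or from any commenter: it builds and parses DNS messages in wire format with the Python standard library, compares an ISP resolver's answer for an apex name against a reference resolver, flags a reply that returns an A record for a name that cannot exist, and applies a dnsmasq-style bogus-nxdomain filter to such a reply. All packets are constructed inline (TEST-NET addresses stand in for the real and poisoned answers; 209.222.14.3 is the address Centurix listed), so nothing is sent on the wire.

```python
"""Offline checks for DNS answer tampering: apex A-record divergence between
two resolvers, NXDOMAIN hijacking, and dnsmasq-style bogus-nxdomain filtering.
Added example; every packet is constructed below, no network traffic."""
import socket
import struct
from typing import List, Tuple

# Constructed values: TEST-NET addresses for the genuine and poisoned apex
# answers. 209.222.14.3 is the address from Centurix's bogus-nxdomain line.
REAL_APEX_IP = "192.0.2.10"
POISONED_APEX_IP = "198.51.100.7"
BOGUS_NXDOMAIN = {"209.222.14.3"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Recursive A/IN query: header with RD set, then the question section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, ips: List[str], rcode: int = 0) -> bytes:
    """Constructed resolver reply: echo the question, append one A record per
    address. Answer names use a compression pointer (0xC00C) to offset 12."""
    (qid,) = struct.unpack("!H", query[:2])
    flags = 0x8180 | rcode  # QR, RD, RA plus the response code
    header = struct.pack("!HHHHHH", qid, flags, 1, len(ips), 0, 0)
    rrs = b""
    for ip in ips:
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        rrs += socket.inet_aton(ip)
    return header + query[12:] + rrs


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> Tuple[int, List[str]]:
    """Return (rcode, list of A-record addresses) from a DNS response."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips: List[str] = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ips


def apex_answers_diverge(isp_resp: bytes, ref_resp: bytes) -> bool:
    """True when two resolvers disagree on the A record set for the same name."""
    return set(parse_response(isp_resp)[1]) != set(parse_response(ref_resp)[1])


def nxdomain_hijacked(resp: bytes) -> bool:
    """A name that cannot exist must come back as RCODE 3 with no A records;
    anything else means the resolver rewrote the answer."""
    rcode, ips = parse_response(resp)
    return rcode != 3 or bool(ips)


def filter_bogus(resp: bytes, bogus=BOGUS_NXDOMAIN) -> Tuple[int, List[str]]:
    """dnsmasq-style bogus-nxdomain: a reply carrying a listed address is
    turned into NXDOMAIN instead of being handed to the application."""
    rcode, ips = parse_response(resp)
    if any(ip in bogus for ip in ips):
        return 3, []
    return rcode, ips


def demo() -> dict:
    """Run the checks over constructed packets and return the verdicts."""
    apex_q = build_query("retailer.example")  # constructed apex name
    ref = build_response(apex_q, [REAL_APEX_IP])
    isp = build_response(apex_q, [POISONED_APEX_IP])
    junk_q = build_query("zz-random-label-7f3a.example")  # cannot exist
    honest = build_response(junk_q, [], rcode=3)
    hijacked = build_response(junk_q, sorted(BOGUS_NXDOMAIN))
    return {
        "apex_poisoned": apex_answers_diverge(isp, ref),
        "nxdomain_honest_flagged": nxdomain_hijacked(honest),
        "nxdomain_hijack_flagged": nxdomain_hijacked(hijacked),
        "hijack_after_filter": filter_bogus(hijacked),
    }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {verdict}")
```

Against a live resolver the same parser would be fed the bytes returned by a UDP socket, with the reference answer taken from a resolver reached over a path the ISP cannot rewrite; the comparison is only meaningful when the two replies come from independent paths, which is exactly the point several commenters make about transparent interception of port 53.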
    29. Re:Use public DNS by Anonymous Coward · · Score: 0

      On the other hand (I'm also an economist, sue me!), when/if Google were to try this, there would be open rebellion among the interneterati.

      In light of the lack of noticeable response after Google replaced 2/3 of the search results with ads (some for third parties and some for Google's own non-search services), that seems an unlikely prediction.

    30. Re:Use public DNS by Runaway1956 · · Score: 1

      As Nerdfest points out, Google makes namebench available for free. It does help to locate the best DNS server available in your area. In fact, I have used namebench a number of times, and Google's servers always rank high in the results. Seldom are they "the best", but they always rank high. Depending on the criteria you use to determine "the best", there are always much worse servers than Google's. The only criterion that you might use that would ever disqualify Google's DNS servers is if you put in "not Google". There has never been any evidence that Google misuses or abuses its DNS servers. If you have any such evidence, I would be happy to see it.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    31. Re: Use public DNS by Runaway1956 · · Score: 1

      The typical workstation DNS server doesn't serve anyone outside of the local LAN. And, if it were configured to serve requests from the WAN, it's unlikely that your personal server would attract much notice outside of your LAN.

      DDOS attacks don't rely on private DNS servers. It's really that simple.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    32. Re:Use public DNS by Runaway1956 · · Score: 3, Interesting

      You may use a random server supplied by any person on the internet. Results will be random, of course. Why not use a tool designed to find the best servers FOR YOU? You could see an even greater improvement.

      https://code.google.com/p/namebench/

      Default ISP servers are often the worst of the worst.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    33. Re:Use public DNS by matria · · Score: 1

      Thank you very much! Over the years I have gotten many useful apps and utilities from posts like this.

    34. Re:Use public DNS by matria · · Score: 1

      Rather amusing. The six top recommended servers were exactly those posted above.

    35. Re: Use public DNS by DamonHD · · Score: 2

      Really depends what you mean by 'private'.

      I've been running my own (mine/company) Internet-facing DNS almost since there was live IP in the UK and I got caught out by this.

      And I still see people regularly *trying* to use my DNS for amplification, i.e. probing, or at least laundering their attacks, but giving up, after I made the appropriate fixes.

      And I'm not alone. (See recent item on The Register for example.)

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    36. Re:Use public DNS by drkim · · Score: 1

      Google hasn't (to my knowledge) black-bagged anyone...

      Even if they had, where could you look it up?

    37. Re: Use public DNS by Anonymous Coward · · Score: 0

      Even if they had, where could you look it up?

      Bing.

    38. Re:Use public DNS by AK+Marc · · Score: 1

      198.6.1.3

      NS1 for the former great UUNET. No idea who runs it now after the MCI buyout and possible transfers since, but it's never let me down.

    39. Re: Use public DNS by Anonymous Coward · · Score: 0

      Bingo.

    40. Re: Use public DNS by Anonymous Coward · · Score: 1

      was his name-ooooohhh!

    41. Re:Use public DNS by Anonymous Coward · · Score: 0

      Anyone using the google/doubleclick/nsa dns is a total and complete idiot anyway.

    42. Re:Use public DNS by Runaway1956 · · Score: 1

      I might suspect that you are geographically close to the poster above, then. ;)

      I'm glad you found it useful!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    43. Re:Use public DNS by gnasher719 · · Score: 3, Insightful

      You can try this [google.com] tool to check your existing DNS for performance and behaviour. Google's is very well behaved by the way, so please don't spread FUD.

      "I wouldn't trust Google" isn't FUD, it's common sense. Remember that you are not Google's customer. You are Google's product.

    44. Re:Use public DNS by Anonymous Coward · · Score: 1

      For what it's worth, Google wouldn't do this particular thing with their DNS because it would put their primary source of revenue at risk and give their clients cause to demand reimbursements on previous payments.

    45. Re: Use public DNS by Bert64 · · Score: 1

      Even if you don't use your ISP's DNS servers, your requests are passing in the clear over their network, so they could intercept or modify them should they so wish.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    46. Re:Use public DNS by Jon+Stone · · Score: 3, Informative

      If a DNS reply passes DNSSEC validation, I can be confident the response is what the zone administrator wanted it to be and it hasn't been tampered with. DNSCurve provides no such assurance.

      Widespread DNSSEC and client-side validation would kill OpenDNS's business model, which revolves around tampering with DNS responses. DNSCurve continues to allow them to do this.

    47. Re:Use public DNS by JWSmythe · · Score: 1

      Just because it's in their privacy policy doesn't mean that it's true. ... but ... their public DNS servers do have a good response time, and don't cache too long

      --
      Serious? Seriousness is well above my pay grade.
    48. Re:Use public DNS by StripedCow · · Score: 3, Funny

      Google's is very well behaved by the way, so please don't spread FUD.

      Yeah, well we all thought the NSA was well-behaved. Look how that turned out.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    49. Re: Use public DNS by DamonHD · · Score: 1

      It must be lovely to be without error like you, other than hiding behind AC to cast insults of course.

      I *do* know what I'm doing, generally, and have the track record to show it, but the threat landscape has changed quite a lot recently. And because I don't assume myself to be perfect I was alive to the issue when it showed up, and responded quickly, which seems like the rational and responsible thing to do for us normal non-perfect people.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    50. Re:Use public DNS by citizenr · · Score: 1

      Interestingly Namebench opened Internet Explorer on my win8 box.
      IE is NOT set as my default browser, Opera is. Is IE hardcoded in namebench?

      This made me disable IE altogether :/

      --
      Who logs in to gdm? Not I, said the duck.
    51. Re:Use public DNS by Anonymous Coward · · Score: 1

      A good suggestion, though I wouldn't trust Google not to do the same or worse with their DNS.

      Just goes to show how little you know about what happens in the real world. Of the suggestions on the GP's list, Google is the only company with a clean record. The others have a history of inserting their own IP address into replies where it should not have been. Thus if you use any of those other mentioned DNS servers, you are subject to MITM attacks by the company whose DNS you are using.

      At the time of writing all of them (except from Google) are hijacking NXDOMAIN. But the hijacking is not limited to only NXDOMAIN. Open DNS have a history of performing mitm attacks on high-profile domains that did actually have a legitimate A record.

    52. Re:Use public DNS by crutchy · · Score: 1

      google is a charity, not a multinational for-profit corporation

      and besides, with a motto like "don't be evil", how could you not trust them?

      now i'm going to go play with the toys that i got off santa claus

    53. Re: Use public DNS by wonkey_monkey · · Score: 1

      you can just run your own server and configure it with the roots. there is absolutely no
      performance reason not to

      Yeah! Let's all do that!

      --
      systemd is Roko's Basilisk.
    54. Re:Use public DNS by cbiltcliffe · · Score: 1

      Google's is very well behaved by the way, so please don't spread FUD.

      Yeah, well we all thought the NSA was well-behaved. Look how that turned out.

      "We all"? Who's this "we all" of which you speak?
      Do you mean, prior to Snowden, you thought the NSA was well behaved?
      That's a little naive.

      While I didn't realize the extent they've gone, I certainly never expected them to be squeaky clean, by any means.
      But then again, I'm neither blind-government-trusting, nor American, either.

      Anyone, anyone, who implicitly trusts their government is just begging for trouble.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    55. Re:Use public DNS by Anonymous Coward · · Score: 0

      OpenDNS is a nxdomain hijacking bitch.

      That's true. They used to be even worse. In the past they actually systematically performed mitm attacks on google.com. I don't know how Google convinced OpenDNS to stop doing that. But whatever Google said to OpenDNS, it must have been very convincing, because OpenDNS not only stopped their mitm against google.com, they also completely stopped hijacking NXDOMAIN for subdomains of google.com.

      Judging from those facts I have knowledge about, it appears that Google is the only large and trustworthy DNS provider.

    56. Re:Use public DNS by Anonymous Coward · · Score: 0

      Other dns servers as well.

      Cisco 128.107.241.185 192.135.250.69

      I get timeout on both.

      Verizon (Level3) Nameservers 4.2.2.1 4.2.2.2 4.2.2.3 4.2.2.4 4.2.2.5 4.2.2.6

      Those look good.

      SpeakEasy Nameservers 66.93.87.2 216.231.41.2 216.254.95.2 64.81.45.2 64.81.111.2 64.81.127.2 64.81.79.2 64.81.159.2 66.92.64.2 66.92.224.2 66.92.159.2 64.81.79.2 64.81.159.2 64.81.127.2 64.81.45.2 216.27.175.2 66.92.159.2 66.93.87.2

      A few of those work, but most of them time out.

      ORSC Public Access DNS Nameservers 199.166.24.253 199.166.27.253 199.166.28.10 199.166.29.3 199.166.31.3 195.117.6.25 204.57.55.100

      Some time out, others give recursion denied.

      Sprintlink General DNS 204.117.214.10 199.2.252.10 204.97.212.10

      Those appear to work.

      Comcast 75.75.75.75 75.75.75.76

      One refuses queries and the other times out.

      Never know when a server will be unreachable. It's nice to have a list saved locally you can lookup.

      A shorter list of known good DNS servers is better than a long list where most of them are unusable.

      (Sorry about the formatting, slashdot braindead validation required me to use fewer linebreaks.)

    57. Re:Use public DNS by wonkey_monkey · · Score: 1

      It opened Firefox for me. Maybe Opera is your default for HTTP, but for some reason IE is your default for local .html files.

      --
      systemd is Roko's Basilisk.
    58. Re:Use public DNS by Anonymous Coward · · Score: 0

      seriously you are suggesting someone concerned about abuse of information use a google DNS Server?

      Why not? Google is the only large DNS provider who has never forged DNS responses.

    59. Re:Use public DNS by Anonymous Coward · · Score: 0

      Downside of using shared DNS servers is that some servers, like those for Sony's PSN, try to get you to download from servers based on your DNS server.

      Why? I have no clue. However, it kills your connection speed until you reset it to your local ISP's DNS servers. Be wary.

      Why shouldn't content providers try to send users to the closest server? It seems to me any other approach would be worse. You just have to make sure you choose a DNS provider close to your own network. Large providers like Google have anycast IP addresses with replicas throughout the world. So if you use 8.8.8.8 as your primary DNS resolver, content providers can still send you to a nearby server.

      Sure it would be better to use anycast for the webserver as well. But using anycast for http is a lot more complicated than using anycast for DNS.

    60. Re:Use public DNS by Runaway1956 · · Score: 1

      I'm very sure that IE isn't coded into Namebench, in any way. You can check the source code here. https://code.google.com/p/namebench/downloads/detail?name=namebench-1.3.1-source.tgz

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    61. Re:Use public DNS by arth1 · · Score: 1

      The privacy policy for Google Public DNS is different than that for the rest of Google. It's also public. You can, you know, read it, then you can stop spreading FUD

      What the current policy is does not guarantee what the future policy will be.
      (Never mind that the policy is overly broad and only pertains to the original data - it gives them access to do whatever they like with copies of the data, for as long as they like.)

    62. Re:Use public DNS by number17 · · Score: 4, Insightful

      The privacy policy for Google Public DNS is different than that for the rest of Google. It's also public. You can, you know, read it, then you can stop spreading FUD. https://developers.google.com/speed/public-dns/privacy

      That's like saying the NSA won't spy on you because the Constitution is public and you can read it.

    63. Re:Use public DNS by slashdime · · Score: 3, Insightful

      "I wouldn't trust Google" isn't FUD.

      But "I wouldn't trust Google not to do the same or worse with their DNS" is.

      Especially when presented with the evidence in the response. Their baseless accusation to inspire fear, uncertainty, and doubt with something google has done in a correct way (so far at least) is just that, baseless.

      Your post to continue with this tinfoil asshattery despite seeing the evidence is begotten fud.

    64. Re:Use public DNS by Anonymous Coward · · Score: 0

      Unless you send your DNS requests through VPN.

    65. Re:Use public DNS by Anonymous Coward · · Score: 0

      Sub 1ms cached DNS responses from my ISP, from both primary and secondary. 3 hops away, including my Netgear router. Damn, I love Active Ethernet. My ISP will sell you a 30mb/30mb Active Fiber Ethernet Point-to-Point with dedicated bandwidth for $60/month unbundled. Don't ask about the 100/100 or 200/200 connections, they cost almost as much as a cell phone family data plan. Out of my reach.

      Uncached is about 55ms, but that's about the same for nearly every other DNS server that I've tested.

      USA! USA!

    66. Re: Use public DNS by Anonymous Coward · · Score: 0

      Fucking moron.

    67. Re:Use public DNS by citizenr · · Score: 1

      That must be it, thanks.

      --
      Who logs in to gdm? Not I, said the duck.
    68. Re:Use public DNS by Bengie · · Score: 1

      What he's saying is that some places determine the closest server by the single registered location of the DNS server. A few days back, I was getting routed to a CDN in Europe from the USA. Changed my DNS back to my ISP, problem "fixed", now going to Chicago.

    69. Re:Use public DNS by JWSmythe · · Score: 2

      Ummm. That wasn't Santa. That was a fat guy in a red track suit, driving a red car. He's already reported the mugging to authorities. You may want to lay low.

      --
      Serious? Seriousness is well above my pay grade.
    70. Re:Use public DNS by karnal · · Score: 1

      Looks like they have 3 different sets. https://dns.norton.com/dnsweb/huConfigureRouter.do -- link shows up after clicking on home user; configure router etc. the 3 sets differ in that they attempt to help with malware, malware+pornography, and malware+porn+non-family-friendly. .10, .20, .30 for the last octet, respectively.

      --
      Karnal
    71. Re: Use public DNS by DamonHD · · Score: 1

      Back to your mom's basement, please, and keep the noise down.

      --
      http://m.earth.org.uk/
    72. Re:Use public DNS by mysidia · · Score: 2

      Google DNS is 8.8.8.8 and 8.8.4.4
      Open DNS is 208.67.222.222 and 208.67.220.220

      And when the ISP does this on their router facing you?

      ip nat outside source static udp 8.8.8.8 53 [ISP's DNS Server IP 1] 53
      ip nat outside source static udp 8.8.4.4 53 [ISP's DNS Server IP 2] 53
      ip nat outside source list 140 dnspool
      access-list 140 permit udp any any eq 53

      Or (rough Linux equivalent)

      iptables -t nat -A PREROUTING -p udp --dport 53 -d [ISP's DNS server IP 1] -j ACCEPT
      iptables -t nat -A PREROUTING -p udp --dport 53 -d [ISP's DNS server IP 2] -j ACCEPT
      iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination [ISP's DNS Server IP 1]

    73. Re:Use public DNS by antdude · · Score: 1

      Do you trust those domains for not watching you? :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    74. Re: Use public DNS by Bengie · · Score: 1

      Personally use 4.2.2.[1-6] I think they are provided by Level 3. Get great response time here in the Canadian Prairies.

      I've never trusted my ISP's DNS servers.

      Level 3 owns the entire 4.x.x.x /8. Almost every IP address that starts with "4." is a Level 3 device. Some of L3's customers use some subnets of 4.x, but most L3 customers are enterprise, so they bring their own IP ranges.

    75. Re:Use public DNS by dj245 · · Score: 2

      If a DNS reply passes DNSSEC validation, I can be confident the response is what the zone administrator wanted it to be and it hasn't been tampered with. DNSCurve provides no such assurance.

      Widespread DNSSEC and client-side validation would kill OpenDNS's business model, which revolves around tampering with DNS responses. DNSCurve continues to allow them to do this.

      Their product is their business. Not everybody likes the same products. Putting cream and sugar in coffee is "tampering" to one person but value-added to another.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    76. Re:Use public DNS by novakreo · · Score: 1

      How long ago was that? This is what I'm getting on my Telstra connection:

      $ host ejhflqwkerhflkqwejrhflqkerh.com 8.8.8.8
      Using domain server:
      Name: 8.8.8.8
      Address: 8.8.8.8#53
      Aliases:

      Host ejhflqwkerhflkqwejrhflqkerh.com not found: 3(NXDOMAIN)

      --
      O frabjous day! Callooh! Callay!
    77. Re:Use public DNS by K10W · · Score: 1

      You can try this [google.com] tool to check your existing DNS for performance and behaviour. Google's is very well behaved by the way, so please don't spread FUD.

      "I wouldn't trust Google" isn't FUD, it's common sense. Remember that you are not Google's customer. You are Google's product.

      I do trust them, including trusting them to data-mine the f**k out of everything, since I'm a resource to them like you say, not their client. I do however have split IDs, so I limit what I share and don't contaminate either. Even for the machine I use some of their services on, I use another DNS (OpenDNS), NoScript/Ghostery/flash cookie control blah blah, all in Pale Moon. For stuff I'd rather not share it's all VPN and Tor with the Unix browser bundle and zero Google services. Even with the limit set on the Google-use machines, it is amazing how accurately they profile me; I occasionally disable AdBlock etc. to find they have ads for hobbies or recently purchased things etc. based on the stuff I shared. If anything my approach cuts out the noise and makes me a more accurate profile, but again none of the stuff I don't want linked is in there that I've seen, and I'm happy to give such details in return for "free" services.

    78. Re:Use public DNS by Anonymous Coward · · Score: 0

      It isn't about forging responses. It is about them tracking you and selling your browsing habits. Especially when there are other Open DNS providers that are just as good and AREN'T selling your information.

    79. Re:Use public DNS by DigiShaman · · Score: 1

      Oh hell no! I trust no one. Not even my own ISP or others I might choose. So I'm pretty much fucked right there. Oh well, carry on then.

      --
      Life is not for the lazy.
    80. Re:Use public DNS by DeVilla · · Score: 2

      Google hasn't (to my knowledge) black-bagged anyone....

      I wasn't sure if that was true, but a google search turned up nothing. I guess you are right.

    81. Re:Use public DNS by Dabido · · Score: 1

      Someone told me 127.0.0.1 was the best DNS server out there. I'll just change it on my computer now ...

      --
      Sure enough, the cow costume was hanging up next to the superhero outfit and sailors uniform. (S,Spud)
  2. DNSSEC by tepples · · Score: 3, Insightful

    From the featured article: "There is currently no way to validate the DNS record you’re being served is what the person hosting the website intended." Apparently the author hasn't heard of DNSSEC.

    1. Re:DNSSEC by Anonymous Coward · · Score: 0

      Nobody actually uses DNSSEC, it's too much of a pain to work with because of issues like expiring certificates.

    2. Re:DNSSEC by Anonymous Coward · · Score: 0

      Whole lot of browsers and other end-user software have DNSSEC enabled, yah? What, no?

      Oh...

    3. Re:DNSSEC by Nerdfest · · Score: 1

      I've used DNSSEC for the last couple of years and haven't had any problems at all. It's also quite easy to set up, under Linux at least. I would assume other OS's are similar.

    4. Re:DNSSEC by SuricouRaven · · Score: 4, Funny

      It's scheduled for widespread deployment some time between the domestic service rollout of IPv6 and the year of linux on the desktop.

    5. Re:DNSSEC by fredan · · Score: 1

      please do tell us where the weakest link in DNSSEC is?

    6. Re:DNSSEC by Anonymous Coward · · Score: 0

      As well as technical stuff like IANA or RIPE, all the domains in .gov are DNSSEC protected, as are many .edu domains, and a small but growing proportion of other domains including those in .com. You can get a Firefox add-on that shows you whether the web site you're visiting has DNSSEC data and whether it checks out as OK. You will not be surprised (if you've been here a while) to learn that Slashdot doesn't have DNSSEC.

      IPv6 deployment took all the way until 2012 to hit 1%, reached 2% in September 2013, it's almost 3% now. That's from Google's numbers, they count how many users of Google search are on IPv6 vs IPv4 and provide daily statistics. I'd guess 10% penetration will happen some time in 2015, which just isn't that far away.

      And Linux skipped the desktop and went straight to the millions of phones and tablets where it's kicking Microsoft and Apple's backsides.

    7. Re:DNSSEC by Bengie · · Score: 1

      IPv6 traffic has been doubling year over year for the past 3 years, but total traffic has also been growing quite rapidly, so it makes IPv6 growth seem less.

    8. Re:DNSSEC by kasperd · · Score: 1

      It's scheduled for widespread deployment some time between the domestic service rollout of IPv6 and the year of linux on the desktop.

      Some of the IPv6 transition mechanisms are incompatible with DNSSEC. Because of the potential problems caused by that, I think it is a good idea to focus on IPv6 deployment now and start focusing on DNSSEC once you have gotten so far with IPv6 deployment, that you have resources to spare.

      Additionally IPv6 can improve the security of DNS lookups, even if you are not using DNSSEC. Simply allocate an entire /64 for recursive resolvers and use a random client IP address when sending queries to authoritative servers. With that one trick you have more than doubled the amount of entropy in the request and thus made cache poisoning much harder. (DNSSEC is of course still relevant because it protects against other classes of attacks as well.)

      Finally, I think DNSSEC is not entirely ready for deployment yet. I think DNSSEC needs a challenge-response protocol that can be used as a countermeasure against amplification attacks. For me that is just another reason to put off DNSSEC deployment a little bit longer.

      Considering that IPv6 deployment is at a level that should have been reached 13 years ago, I think moving ahead with IPv6 is more urgent than deploying DNSSEC.

      --

      Do you care about the security of your wireless mouse?
  3. Not wireless by Anonymous Coward · · Score: 5, Informative

    (It was also the only wireless provider in his area, so he couldn't just switch to a competitor.)

    No, the blog says:

    You may be asking why don’t I switch ISPs? Well they are the only one besides a wireless provider in my area.

    Which means there are 2 ISPs. The one he's using is not wireless, and the other one is wireless.

    1. Re:Not wireless by Anonymous Coward · · Score: 0

      Good correction.

    2. Re:Not wireless by Anonymous Coward · · Score: 0

      (It was also the only wireless provider in his area, so he couldn't just switch to a competitor.)

      No, the blog says:

      You may be asking why don’t I switch ISPs? Well they are the only one besides a wireless provider in my area.

      Which means there are 2 ISPs. The one he's using is not wireless, and the other one is wireless.

      Which could basically mean that one ISP is viable, and one is not. Obviously there is a reason he did not switch providers, and instead went through quite a bit to have his current provider correct things.

      Just because you may have some other choice in your area doesn't mean it's a viable one for your needs. If I had a choice between a 50Mb fiber link and going back to a 3Mb DSL link, you better believe I'd be bitching instead of switching.

    3. Re:Not wireless by tysonedwards · · Score: 1

      In all likelihood, he probably had the choice of four Satellite internet providers, and possibly even some Cellular ones too.

      That's not to say that if he caught DNS Injection that he would likely be happy with the service.

      --
      Thirty four characters live here.
    4. Re:Not wireless by FuzzNugget · · Score: 1

      OK, so it means it was less of a pain to fight his dirt bag ISP than to switch to the one that is inherently shitty.

      Yes, that's how shitty wireless ISPs are.

    5. Re:Not wireless by del_diablo · · Score: 1

      It's sort of obvious. Wireless one could be 2G with extensions. You know what? Browsing internet on that would be slow, but it works if it were not for one major problem: Packet drops. With a guaranteed 20% packet drop (if not more), it's painful to use. And with such a low speed, it's even worse. It would be unable to even browse slashdot properly.

  4. Which ISP? by jones_supa · · Score: 2

    Name of the ISP please?

    1. Re:Which ISP? by Anonymous Coward · · Score: 1

      "Then I noticed one of the affiliate’s name was Arvig, which happens to be my ISP."

    2. Re:Which ISP? by Anonymous Coward · · Score: 0

      Arvig (in the article)

    3. Re:Which ISP? by Crudely_Indecent · · Score: 2

      FTA: Arvig

      --


      "Lame" - Galaxar
  5. what a stupid fuck by Anonymous Coward · · Score: 0

    he should NOT have responded back to the ISP with details of his actions (reporting the hidden redirects to retailers and affiliate networks); the first seven words of the last sentence were enough. then left it up to THEM (by way of termination of affiliate accounts, denial of commission payments, etc) to make this "service" and the party company the ISP deals with worthless due to lack of participating merchants and affiliate networks. if the ISP kept the revenue stream but later removes the alternate (clean) name servers, or does not disclose the practice of DNS redirect, THEN take a more aggressive stance, including contact with the state ag and puc. with the final 'nuclear' option being becoming an affiliate of an affected merchant or merchants, and then filing a lawsuit against the ISP, and the company they contract the service from, for fucking up his own affiliate links.

  6. A company with little big man syndrome by Anonymous Coward · · Score: 3, Interesting

    Being from the part of Minnesota that Arvig is based in, I can tell ya, this behavior is very typical of them.

    When I had gotten set up upon moving into the area, the install tech bragged how all the homes (over 200 of them) on this part of town were all connected on 1 cable loop. It was a heads up from the tech that I should have paid attention to. I ended up cancelling my service early due to a consistent 1mb down every Friday and Saturday when I was paying for 10mb. Customer service actually said "we guarantee up to 10mb" "10mb is the maximum you will get"

    So many have switched over to 4g hotspots, they actually cut the offices hours here.

  7. Public DNS considered harmful by kriston · · Score: 4, Interesting

    Saw this in Reddit this morning but thanks for reposting it.

    Seriously, the drawback to using public DNS like OpenDNS and Google DNS is that they present a serious performance problem.

    Even though the physical DNS servers are "anycast" and geographically diverse, the IP addresses are still the same. Therefore, the large content delivery networks (CDNs) like Akamai and LimeLight still use the IP address of the DNS server to judge your location.

    Therefore, any service that uses a CDN (even Google's use them in spite of their own network) will really serve your content out of a data center that is not geographically or logically near your machine's location.

    The article (if you read it) mentions that his ISP, like most that have similar revenue-extracting services, really does offer alternative DNS servers that do not pack affiliate cookies. You should use those if you want to enjoy high-performance, edge-serve content via Akamai (AKAM) and LimeLight (LLNW).

    Otherwise, you'll all get your edge content served from some random data center in the central USA.

    --

    Kriston

    1. Re:Public DNS considered harmful by Anonymous Coward · · Score: 0

      Fairly sure I read /. comment saying this is a solved problem.

    2. Re:Public DNS considered harmful by jd2112 · · Score: 2

      Otherwise, you'll all get your edge content served from some random data center in the central USA.

      Unless you happen to be in central USA, in which case content will be served from a server somewhere near Timbuctu.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    3. Re:Public DNS considered harmful by MarkRose · · Score: 1

      In my experience, using public DNS has solved far more problems. Quite often ISP DNS servers are slower to respond, do nasty things like wildcard unresolvable addresses to some dumb search page, and, as you mention, cause CDN requests to be directed to overloaded and bandwidth starved edge servers (and the YouTube CDN in particular when the ISP has its own video service...).

      --
      Be relentless!
    4. Re:Public DNS considered harmful by drmofe · · Score: 5, Interesting

      I commented on the reddit thread in the same vein as you and got downvoted. So I did some research. Several contributors to that thread suggest that Google DNS has solved the CDN problem by adding an original IP field that the CDN can use to geolocate the subscriber. This is due to Google implementing edns-client-subnet EDNS0 extensions as of late-2011.
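
To make the mechanism drmofe refers to concrete (added example, not from the thread and not Google's code): the EDNS Client Subnet option is an EDNS0 option with code 8 that carries the client's address family, a source prefix length, a scope prefix length and only as many address bytes as the prefix needs, so a resolver forwards the client's /24 rather than its full address. The functions below build and parse that option and wrap it in an OPT pseudo-RR; the client addresses and prefix lengths are constructed sample values.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8   # edns-client-subnet, RFC 7871
OPT_RR_TYPE = 41      # OPT pseudo-RR, RFC 6891


def build_ecs_option(client_ip, source_prefix_len, scope_prefix_len=0):
    """ECS option bytes: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, truncated ADDRESS.
    Host bits beyond the prefix are zeroed and not sent, so a /24 reveals three octets at most."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    net = ipaddress.ip_network((str(addr), source_prefix_len), strict=False)  # zero the host bits
    nbytes = (source_prefix_len + 7) // 8
    addr_bytes = net.network_address.packed[:nbytes]
    body = struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def parse_ecs_option(option):
    """Inverse of build_ecs_option; returns (network, scope prefix length).
    Rejects length mismatches and non-zero trailing bits, as the RFC requires."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    body = option[4:4 + length]
    family, source_len, scope_len = struct.unpack("!HBB", body[:4])
    addr_bytes = body[4:]
    full = 4 if family == 1 else 16
    if len(addr_bytes) != (source_len + 7) // 8 or len(addr_bytes) > full:
        raise ValueError("address length inconsistent with prefix length")
    padded = addr_bytes + b"\x00" * (full - len(addr_bytes))
    net = ipaddress.ip_network((padded, source_len))  # strict: host bits must be zero
    return net, scope_len


def build_opt_rr(options, udp_payload_size=4096):
    """OPT pseudo-RR for the additional section: root name, TYPE 41, CLASS = UDP payload
    size, TTL field reused for extended RCODE/version/flags (all zero here), then RDATA."""
    rdata = b"".join(options)
    return b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size, 0, len(rdata)) + rdata


if __name__ == "__main__":
    # Constructed client address; a resolver would forward only its /24
    opt = build_ecs_option("203.0.113.77", 24)
    print(opt.hex())                      # 0008000700011800cb0071
    print(parse_ecs_option(opt))          # (IPv4Network('203.0.113.0/24'), 0)
    print(build_opt_rr([opt]).hex())
```

The scope prefix length is what the authoritative side sends back to say how much of the prefix its answer actually depended on, which is also what lets a resolver cache one answer per scope rather than per client; a CDN that ignores the option simply falls back to the resolver's unicast source address, which is kriston's caveat below.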

    5. Re:Public DNS considered harmful by kriston · · Score: 1

      Yes, that is, if the CDN has also implemented EDNS0 extensions, which some have not.

      Thanks for the info!

      --

      Kriston

    6. Re:Public DNS considered harmful by kriston · · Score: 1

      For public wireless networks, there is a popular solution to extract revenue, aptly named the Revenue eXtraction Gateway, or rXg, by http://www.rgnets.com/. It explicitly and effectively works by filtering content and inserting advertisements along with the usual wireless gateway tricks.

      This is an honest revenue extraction service and, while it can be done at the ISP level, it does not pack affiliate cookies. It's probably one of the more legitimate ones available. It does require a significant back-end infrastructure to support its operations, though, which may or may not cover expenses.

      --

      Kriston

    7. Re:Public DNS considered harmful by Bert64 · · Score: 1

      Or even from a local one which just happens to be heavily overloaded due to serving content to thousands of far away users.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    8. Re:Public DNS considered harmful by kasperd · · Score: 3, Informative

      Even though the physical DNS servers are "anycast" and geographically diverse, the IP addresses are still the same. Therefore, the large content delivery networks (CDNs) like Akamai and LimeLight still use the IP address of the DNS server to judge your location.

      Let's get this misunderstanding sorted out. Because that sentence is indeed describing a non-existent problem. In reality anycast DNS is not part of the problem, it is part of the solution.

      Anycast DNS works by having a large number of resolvers spread throughout the world with the same IP address on each of them. A request from a client to this IP will reach the closest of those resolvers. What happens next is that the resolver will query authoritative servers (unless it already has a cached result). If the request from the resolver to the authoritative server was sent using the anycast IP as source IP, it would not work. The reason it would not work is that the reply from the authoritative server would be sent to the closest resolver, which is not necessarily the same as the one which is closest to the client. You'd have most replies end up at the wrong resolver, which would simply discard it, as it would look like a failed poisoning attempt.

      In order to solve that problem you have to give each of those resolvers two IP addresses. It will have the anycast IP address (which is the same on all servers in the pool) and a unicast IP address, which is different on each of those resolvers. The client will still use the anycast IP in order to send a query to the resolver, but the resolver will then use its unicast IP when sending the request to the authoritative server. That way the reply from the authoritative server will make it back to the correct resolver.

      Incidentally this also solves the geolocation problem mentioned. The authoritative servers will indeed see different IP addresses depending on which resolver in the pool the request came through. The content providers just have to figure out the geographic location of each of those resolvers, which is mostly the same they have to do for the resolvers for any ISP. Additionally providers of resolvers such as Google do have an incentive to make this easy to figure out, since that will make their resolvers provide a faster overall experience.

      The above is of course slightly simplified, because any well operated resolver is dual stack. That means it needs both IPv4 and IPv6 addresses. The anycast addresses can be separate pools such that each resolver has only one anycast address, which is either IPv4 or IPv6. Alternatively you can let one resolver be part of one IPv4 anycast pool and of one IPv6 anycast pool. However the unicast side of these resolvers needs to be dual stack, so each resolver needs at least two unicast addresses, one IPv4 and one IPv6.

      You could even assign multiple unicast addresses to each resolver. The extra addresses could be used to provide additional protection against poisoning. An attack would then have to not only guess a request ID and port number, but also the IP address. Alas that is really not feasible with IPv4 due to shortage of addresses, but for IPv6 you could easily afford a /64 for each resolver.

      If you want to know the IPv6 unicast address of the resolver you are currently using, I have a special domain for that. If you look up the AAAA record for the domain mydnsv6.kasperd.net, it will actually respond with the IPv6 unicast address of the resolver you are using (or server error if the resolver has no IPv6 address). I could have made an identical service to find the IPv4 unicast address of the resolver, but I didn't have a spare IPv4 address to host the authoritative server on.

      --

      Do you care about the security of your wireless mouse?
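
Both of kasperd's comments above describe sourcing upstream queries from a random address inside a /64 so that a blind cache-poisoning attempt must also guess the address. The sketch below (added example, not kasperd's code; the resolver class, its pending-query table and the documentation prefix 2001:db8::/64 are assumptions of this example) picks a fresh source address per query and accepts a reply only when transaction ID, port and destination address all match an outstanding query, which is exactly why a reply that lands on the wrong anycast member, or a forgery that guesses the address wrong, is dropped.

```python
import ipaddress
import secrets

TXID_BITS = 16   # DNS transaction ID
PORT_BITS = 16   # source port; assumes the resolver randomises over the whole port range


def random_source_address(prefix):
    """Uniformly random address inside an IPv6 prefix such as a /64."""
    net = prefix if isinstance(prefix, ipaddress.IPv6Network) else ipaddress.IPv6Network(prefix)
    return net.network_address + secrets.randbits(128 - net.prefixlen)


def guess_space_bits(prefix, port_bits=PORT_BITS, txid_bits=TXID_BITS):
    """Bits an off-path attacker must match for one forged reply to be accepted at all.
    With a /64 of source addresses that is 16 + 16 + 64 = 96 bits."""
    net = ipaddress.IPv6Network(prefix)
    return txid_bits + port_bits + (128 - net.prefixlen)


class Resolver:
    """Toy model of the resolver side (an assumption of this example, not a real resolver):
    each upstream query gets a fresh ID, port and source address, and a reply is accepted
    only if all three match an outstanding query."""

    def __init__(self, unicast_prefix):
        self.net = ipaddress.IPv6Network(unicast_prefix)
        self.pending = {}  # (txid, port, source address) -> query name

    def send_query(self, qname):
        txid = secrets.randbits(TXID_BITS)
        port = 1024 + secrets.randbelow(65536 - 1024)
        addr = random_source_address(self.net)
        self.pending[(txid, port, addr)] = qname
        return txid, port, addr

    def accept_reply(self, txid, dst_port, dst_addr):
        """Return the query name the reply answers, or None if it matches nothing outstanding
        (a reply routed to the wrong resolver, or a forgery that guessed wrong)."""
        key = (txid, dst_port, ipaddress.IPv6Address(dst_addr))
        return self.pending.pop(key, None)


if __name__ == "__main__":
    r = Resolver("2001:db8::/64")  # documentation prefix, constructed for this example
    txid, port, addr = r.send_query("www.example.com")
    print(addr, r.accept_reply(txid, port, addr))
    print("bits an attacker must guess with a /64 of source addresses:", guess_space_bits("2001:db8::/64"))
```

The point of the model is the lookup key: the address is part of the match, so the address randomness counts the same as port and ID randomness, and a resolver with only one unicast address is back to the 32 bits of ID and port that source-port randomisation gives.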
    9. Re:Public DNS considered harmful by tomstorey · · Score: 2

      Except that is slightly wrong.

      Sure, they all share the same anycast IP address, but they also all need to be uniquely addressable too (at the very least for management purposes). Otherwise how does an anycast server perform any kind of look up to an external server and guarantee that it will get the response back?

      If an anycast DNS resolver sent out a request to resolve an IP from an authoritative server on the other side of the country and sourced it from its anycast address, how does that authoritative DNS server know that it shouldn't just send the response to its nearest anycast neighbor?

      As long as an individual provider's anycast servers are sufficiently dense then you probably can't beat them for location correctness.

    10. Re:Public DNS considered harmful by Anonymous Coward · · Score: 0

      Fairly sure I read /. comment saying this is a solved problem.

      Almost correct. In fact it is a non-existent problem. The thing is, the authoritative DNS servers need to know where to send their reply to. Once you have taken care of that, the information needed for geolocation is already available to the authoritative DNS server.

  8. Three words by aaarrrgggh · · Score: 1

    VPN.

    Not much else you can do.

    1. Re:Three words by rubycodez · · Score: 1

      your vpn is going to have another end, which could have the same problems as your end

    2. Re:Three words by Decker-Mage · · Score: 1

      your vpn is going to have another end, which could have the same problems as your end

      Really depends on if and how your VPN handles DNS leakage. As always, caveat emptor. I picked mine on the basis that I had a choice of whether and how it was handled before I paid.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
  9. Ya Free Market! by Anonymous Coward · · Score: 0

    A whole 2 ISPs to choose from, only one of which offers wireless! Obviously a problem of too much choice http://www.economist.com/node/17723028

    1. Re:Ya Free Market! by Anonymous Coward · · Score: 0

      good fer you, I only have one choice. I hate Comcast.

    2. Re:Ya Free Market! by tysonedwards · · Score: 1

      There are plenty of people out there (myself included) who wish they could get Comcast. Satellite sucks...

      --
      Thirty four characters live here.
  10. Illegal behavior by WaffleMonster · · Score: 4, Insightful

    It would have been better to contact FBI and report this fraud. Whoever the hell runs fwdsnp.com needs to spend some time in jail.

    1. Re:Illegal behavior by eladts · · Score: 3, Informative

      It would have been better to contact FBI and report this fraud. Whoever the hell runs fwdsnp.com needs to spend some time in jail.

      This isn't just plain fraud, it's wire fraud. The penalty for it is up to 20 years in prison.

    2. Re:Illegal behavior by Anonymous Coward · · Score: 4, Informative

      I think you are confused.

      It was a CORPORATION that was scamming money out of affiliate links, so everything is A-OK!

      Of course, we punish the little people for exactly the same thing:

      http://www.justice.gov/usao/can/news/2012/2012_06_19_kennedy.sentenced.press.html

    3. Re:Illegal behavior by Anonymous Coward · · Score: 0

      I think you are confused.

      It was a CORPORATION that was scamming money out of affiliate links, so everything is A-OK!

      Of course, we punish the little people for exactly the same thing:

      http://www.justice.gov/usao/can/news/2012/2012_06_19_kennedy.sentenced.press.html

      As opposed to getting caught for shoplifting at Big Box or breaking into a parking meter; at least a couple of years in prison.

  11. DNSJumper by Guy+From+V · · Score: 2

    Do a search for "DNSjumper". It's a great little tool that lets one well...uh...jump around various DNS servers and arrange them in any order you want, ping them much easier and more often and makes it comfortable to change one or all if you feel your current list isn't to your liking. (I'm not sure of the author's or company's official website, so I don't want to push one source over another).

  12. Blow by DNS issues, thus (easily) by Anonymous Coward · · Score: 0, Troll

    Completely in YOUR control (see "B" below): Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

    ---

    APK Hosts File Engine 9.0++ 32/64-bit:

    http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

    (Details of hosts' benefits enumerated in link)

    Summary:

    ---

    A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44701775

    B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 w/ less added "moving parts" complexity + room 4 breakdown,

    C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

    ---

    * Addons are more complex + slowup browsers in message passing (use a few concurrently - you'll see) Addons slowdown SLOWER usermode browsers layering on MORE: I work w/ what you have in kernelmode, via hosts ( A tightly integrated PART of the IP stack itself )

    APK

    P.S.=> * "A fool makes things bigger + more complex: It takes a touch of genius & a lot of courage to move in the opposite direction." - Einstein

    ** "Less is more" = GOOD engineering!

    *** "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

    ...apk
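
As an added example (written for this page; not APK's tool, nor code from any blocklist project) of what a hosts-file entry can and cannot express: the parser below reads hosts-file lines into a hostname-to-address table and runs a few URLs through it beside a browser-style URL pattern filter. The hosts lines, the pinned address, the sink addresses and the filter pattern are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed hosts-file excerpt for this example (not a real blocklist).
HOSTS_FILE = """\
# ad and tracker sinks
0.0.0.0    ads.example.net
0.0.0.0    tracker.example.org    # inline comment
# a pinned address for a site the user wants reachable even if DNS is down
203.0.113.10    pinned.example.com
"""

# Addresses conventionally used as blackhole targets in hosts-file blocklists.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed browser-style filter: one path under a host that also serves wanted pages.
URL_FILTERS = [re.compile(r"^https?://www\.example\.com/banners/")]


def parse_hosts(text):
    """Hosts-file lines -> {hostname: address}; comments and blank lines are skipped.
    One address may be followed by several names on the same line."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table[name.lower()] = address
    return table


def blocked_by_hosts(url, table):
    """True only if the URL's whole hostname is mapped to a sink address."""
    host = urlsplit(url).hostname
    return host is not None and table.get(host.lower()) in SINK_ADDRESSES


def blocked_by_filter(url, filters=URL_FILTERS):
    """True if any URL pattern matches; the path takes part in the match."""
    return any(f.match(url) for f in filters)


def decide(url, table, filters=URL_FILTERS):
    """What each mechanism would do with one URL."""
    return {"hosts": blocked_by_hosts(url, table), "filter": blocked_by_filter(url, filters)}


if __name__ == "__main__":
    table = parse_hosts(HOSTS_FILE)
    for url in ("http://ads.example.net/a.js",
                "http://www.example.com/banners/top.png",
                "http://www.example.com/login.php"):
        print(url, decide(url, table))
```

A hosts entry resolves a whole hostname and nothing finer, so it can sink `ads.example.net` but cannot block `/banners/` on a host whose login page the user still needs; a path pattern can, at the cost of running inside the browser. The pinned entry also shows the maintenance cost of the approach: it keeps answering the same address after the site moves, with no TTL to expire it.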

    1. Re:Blow by DNS issues, thus (easily) by Anonymous Coward · · Score: 0

      Please hang yourself.

  13. P2P DNS by staalmannen · · Score: 1

    Is any of the P2P DNS solutions (and which one?) a viable alternative to the Google DNS or OpenDNS? Does anyone have experiences that they would like to share?

  14. Re:Repost! by 228e2 · · Score: 5, Funny

    I think I read 75% of the things here elsewhere around a day in advance.
    Slashdot isn't (well, in its prime) where you come for breaking news, it's where you go (again, back in its prime) for great intellectual technological discussions.

    --
    Since when does being a Socialist mean 'someone who has a different opinion than me'?
  15. Opt in. by Anonymous Coward · · Score: 0

    I agree this is pretty scummy to do by default but I personally wouldn't have a problem opting in to something like this. Imagine if by signing up you could get dirt cheap (or free) internet in exchange. Sounds like a good deal.

    1. Re:Opt in. by jpatters · · Score: 2

      I don't think the online retailers would agree. The ISP is doing nothing to promote specific items or online stores, so why should the online stores subsidize your internet connection?

      --
      "Remember, there never were pineapple-almond cookies here."
  16. At least they can fucking run one by gman003 · · Score: 1

    I'm in a worse situation - my apartment complex signed a deal with a certain niche ISP by the extremely vague name of "Telcom", to provide internet at a fixed rate (the base package is part of my rent, so I don't even know what they're charging). While we're officially allowed to buy our own if we so choose, a) I'd still be paying Telcom for their TV/Phone/Internet deal, and b) not a single other ISP is actually offering anything to this apartment. Every building bordering it, sure, but even in the months-long hiatus where Telcom couldn't get the building hooked up but the deal had been made, nobody would give me service.

    A few months ago, there was a peculiar outage. They have glitches every so often where the connection dies for an hour or so, so I didn't think much of it until I realized Bittorrent was still downloading. A few more investigations showed that pings by IP worked, but not by hostname - but never with an actual DNS error. I didn't bother investigating further, and just set my DNS server to 8.8.8.8 because that was all I could remember off the top of my head. I now suspect they may have been trying to implement something like this, because that's just the kind of scummy move they'd do.

    I started keeping track of their uptime last month. By my numbers, they got one nine of reliability - 90% uptime.

    I'd switch in a heartbeat as soon as anyone dared to sell me anything else.

    1. Re:At least they can fucking run one by Anonymous Coward · · Score: 0

      Hate to break it to ya, but there are tons of explanations for fucked up DNS besides malice, and it sounds like you have some fly by night service provider, so... it's not terribly surprising.

    2. Re:At least they can fucking run one by mgcarley · · Score: 1

      Out of interest, where are you based? We're getting things started in the midwest right now...

      --
      Founder & COO, Hayai India (hayai.in) / USA (hayaibroadband.com) // t: @mgcarley
  17. Re:Repost! by ArchieBunker · · Score: 1, Offtopic

    Most of the "news" on here is days or even weeks old by the time its posted. I remember when sites actually linked to slashdot for news.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  18. ISP can still hijack you by real+gumby · · Score: 1

    Your ISP can still spoof the DNS responses. That's what hotels do.

    But assuming they don't, there's no reason not to just run your own caching DNS resolver on your local network. It's very easy to do and might even be faster than third parties like GOOG, OpenDNS or Nominum. Certainly faster for people who determine your location via DNS resolver address.

    (That Hiroku article is bizarre. Tip: "root domain" means something different. You can put a CNAME on any name. And why would one sort require hard coding your IP address???)

  19. What's the problem here? by Bazman · · Score: 0

    From the article: he goes to amazon.com, it returns the IP for the proxy, and eventually a redirect to www.amazon.com/?affiliate=id

    How does that affect the user? Do they see a different page than if they'd gone straight to www.amazon.com? Or is it just that the affiliate gets a cut if the user buys anything from amazon at that point? Who loses out here? Other affiliates who aren't in the program?

    1. Re:What's the problem here? by Anonymous Coward · · Score: 0

      It's against the Amazon terms of service. Proper affiliate usage involves an approved-by-Amazon *web page* run by 1 affiliate member, with properly formatted links on it.

      You can't just secretly add affiliate links to everything, like the ISP in the article was doing!

      Who loses? Amazon loses. It's theft of money from them by shysters.

    2. Re:What's the problem here? by Anonymous Coward · · Score: 0

      Whoa. This has to be one of the dumbest moments on slashdot. Are you sure you are not an editor?

    3. Re:What's the problem here? by Bazman · · Score: 1

      Nobody has answered the questions I posed. Does the user see an even slightly different page? Do they get different prices on stuff on the site? Who are these affiliates?

      I could understand if amazon.com was being redirected to a rival company, or if (as some ISPs have done) typos and invalid DNS entries got redirected to a page stuffed with advertising.

      Excuse me if I don't understand this aspect of Amazon's trading practice - but then you are probably sitting in your mom's basement spending her money on Amazon all day long. Okay now we're even.

  20. Therefore more Google = less tracking by raymorris · · Score: 2

    > It's not good enough that they track you at every site that uses Analytics,
    > every site that uses AdWords, every site you go to from their search engine,
    > every site you visit with their Toolbar in play. (I'm forgetting a hundred other ways they suck your data.)

    Factoring in a few of the other ways you didn't list, like sites with YouTube videos, we can guess Google is aware of about 85% of consumer web traffic. Using their DNS would tell them only the hostname of the other 15%, and only once per TTL. So call that 7% from using Google's DNS.

    Using anyone else's DNS gives that other company 100% of your lookups rather than the 0% they had before. 100% is a lot more than 7% or 15%, so you're giving up a lot more privacy by using any DNS other than Google.

    In other words, Google already knows which sites you're visiting - you got to those sites by searching Google. Why would you also give that information to some other company?

    That was my thought process after I found that Chrome is so good for web development. I'm using Chrome, so Google has a profile of my web surfing. There is no reason to let another company have the same information, so I'm better off using Google services all around. (Besides the fact that Google provides good services, which get better as they are integrated.)

    1. Re:Therefore more Google = less tracking by Anonymous Coward · · Score: 0

      In other words, Google already knows which sites you're visiting

      No, they don't; I block all that garbage and never use any of Google's trash.

  21. Both Amazon and other affiliates by dutchwhizzman · · Score: 4, Informative

    First of all, Amazon doesn't get a very high percentage of affiliate tagged traffic/purchases. If every ISP would do this, it would get 100% and the whole business model wouldn't work any more. Amazon would have to pay out way too many affiliate bonuses. Second, any affiliate that the user might choose, would lose out because their tag would get replaced by that of the ISP.

    --
    I was promised a flying car. Where is my flying car?
  22. Net Neutrality Legislation by dutchwhizzman · · Score: 1

    I don't know what the exact laws on net neutrality are where this happened. However, if an ISP were to do this in the Netherlands, they would get hit with fraud, net neutrality and "criminal organization" charges. You'd have to have some pretty good lawyers to be able to stay in business at all.

    --
    I was promised a flying car. Where is my flying car?
  23. Tell you what, effete troll by Anonymous Coward · · Score: 0

    WHEN you can prove my points wrong validly? I *might* think about it (however, I know damn WELL you can't... & of course, so do you).

    * :)

    YOU? Fail... lol!

    APK

    P.S.=> Seriously - how PITIFUL of a troll are you? Reduced to downmodding my post by logging out of your registered luser account after doing so, & trolling me by AC posts afterwards?? Please - YOU ought to take your own advice...

    ... apk

    1. Re:Tell you what, effete troll by Anonymous Coward · · Score: 0

      Different AC here. You got down-modded for several reasons. First, your improper capitalization, poor spelling and poor grammar make your post look like a troll right off the bat. It also looks like it was posted to multiple stories, which from a quick Google search, turns out to be true. Next, the hosts file lacks the finesse of ad-blocking in the browser. It only blocks an entire domain and can't block a directory or file within a domain. When a domain is blocked, it has to go somewhere. Sending it to 127.0.0.1 may result in a timeout, which is SLOW! Some pages can't render until the whole page is loaded. Finally, DNS was invented for a reason. Before DNS, the Internet did use one massive hosts file that was copied around from machine to machine. DNS solves a lot of problems, such as load balancing and changing a server's IP (such as by moving it to a new hosting platform), and quite a few more.

      To pick out a few points:
      "more than AdBlock": AdBlock can block http://www.example.com/banners/.* without blocking http://www.example.com/login.php. Hosts files cannot.
      "more than Ghostery": This is a close one. The best I can come up with is that Ghostery is easier to update and maintain.
      "Request Policy": Request Policy detects "unwanted behaviour" rather than being a strict whitelist/blacklist. A hosts file cannot even come close to doing this.
      "reliability vs. downed or redirected DNS": True, although you lose reliability if a server you are trying to contact changes IPs and your hosts file is out of date.
      "secure vs. known malicious domains": True, although maintenance and slow updates will kill you.
      "more speed" "blocks ads": Not if you get a timeout that prevents the page from rendering.
      "more speed" "hardcodes fav": Hardcoded IPs lose out on DNS based load balancing.

      (I'm not replying to the rest of the points because I got bored with it. Don't expect a reply from me, just passing through.)

  24. All missing the point The real question is by Anonymous Coward · · Score: 0

    Will the ISP renew his contract now, knowing he is 'trouble'?

    All bow and worship before the magical hand for the free market.

  25. Fraud by MrL0G1C · · Score: 4, Insightful

    To be clear, the ISP has committed a criminal act (fraud): it is obtaining financial gain by deception - the concealment of the fact that no person willingly used an affiliate link.

    I think that if they weren't prosecuted then they committed a crime and got away with it. The victims are the retailers and any legitimate affiliates who lost out (if that is the case).

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  26. Re:Repost! by MrBingoBoingo · · Score: 2

    Well, I like to use Slashdot as a filter to make sure I didn't miss anything. It may not post the fastest, but generally it covers most things.

  27. Measure that DNS performance! by bgarcia · · Score: 1

    I used DNS Benchmark to determine the best performing public DNS servers for my home network. Interestingly, it turned out to be neither my ISP's nor Google's public servers.

    There appears to now be a similar, open-source DNS benchmarking program available: namebench. I haven't tried it out, but it looks promising.

    --
    I'm a leaf on the wind. Watch how I soar.
  28. What exactly happened? by Anonymous Coward · · Score: 0

    Am I the only one who does not understand what exactly happened here? They add some id to the url, what value exactly does this add to the ISP? What is an affiliate id? Why were the retailers pissed off? I don't understand the business of this.

    1. Re:What exactly happened? by NormalVisual · · Score: 1

      Affiliate programs are a form of advertising that work by giving you an ID that you add to the URL of a link on your server to a particular seller's site (Amazon, etc.). This ID allows the seller to determine which affiliate drove that click to their site, and the affiliate (the ISP in this case) is paid a fee for sending that click to them. What's happening here is that the ISP is taking the initial DNS request and doing a redirect to a URL that includes their affiliate ID for vendor sites whose affiliate programs they participate in, but they're doing it for *all* DNS requests for those sites, not merely in response to clicking the advertising links provided by the seller.

      For instance, Amazon offers page banners for their affiliates to post on their own sites that contain links to products you might be interested in, and if you click one of those links, whoever is hosting the banner will get paid for that click based on the affiliate ID contained in the links in the banner. In this case, if you just enter "www.amazon.com" in your browser, the ISP is adding an affiliate ID to the redirected URL your browser is given, so the ISP is being paid by Amazon, who thinks that someone clicked on one of their ads even though the ISP didn't display a banner or otherwise perform the service that Amazon is paying for. The ISP is exploiting the trust that the seller is extending to their affiliates in order to get paid more than they're entitled to, and they're basically stealing money from the seller for advertising that was never provided.

      --
      Please stand clear of the doors, por favor mantenganse alejado de las puertas
    2. Re:What exactly happened? by hey! · · Score: 5, Informative

      Short, simplistic answer: the ISP found a way to fraudulently skim a percentage from online retailers for every purchase made by the ISP customers.

      Slightly more detailed answer: the ISP directed users looking for online merchants like "amazon.com" to its own bogus server. That bogus server then redirects the user's browser to the merchant's server in such a way the consumer doesn't notice and the merchant thinks the customer is following a product referral from an advertising partner. Thus the ISP collects a kickback intended for people who make product recommendations and referrals, without actually having made any recommendation or referral.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
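      The apex-domain redirect the two replies above describe can be checked for from the customer side. The following is an added example, not code from the article or from either poster: it compares the A record an ISP resolver returns for a 'naked' domain with a public resolver's answer, then looks at the 301 the client receives for query parameters that were never in the URL the user typed. Every hostname, address and parameter name below is a constructed assumption.

```python
"""Check one apex-domain lookup + redirect for affiliate-ID injection.
Inputs are constructed observations, as a client would record them."""
from urllib.parse import urlsplit, parse_qsl

# Parameter names affiliate programs commonly use for attribution (assumed list).
AFFILIATE_PARAMS = {"tag", "ref", "aff", "affid", "linkcode", "camp"}
REDIRECTS = {301, 302, 307, 308}


def injected_params(requested: str, final: str) -> dict:
    """Query parameters present in the redirect target but absent from the requested URL."""
    asked = dict(parse_qsl(urlsplit(requested).query))
    got = dict(parse_qsl(urlsplit(final).query))
    return {k: v for k, v in got.items() if k not in asked}


def classify(requested: str, status: int, location: str,
             isp_a: set, public_a: set) -> dict:
    """Verdict for one observation.
    requested: URL the user typed (apex domain, no query string)
    status/location: what the host at the ISP-supplied A record answered
    isp_a/public_a: A records for the apex name from the ISP and a public resolver
    """
    req, fin = urlsplit(requested), urlsplit(location)
    extra = injected_params(requested, location)
    affiliate = {k: v for k, v in extra.items() if k.lower() in AFFILIATE_PARAMS}
    # A legitimate apex -> www redirect stays within the same registered site.
    same_site = bool(fin.hostname) and (fin.hostname == req.hostname
                                        or fin.hostname.endswith("." + req.hostname))
    findings = []
    if isp_a and public_a and isp_a.isdisjoint(public_a):
        findings.append("apex A record differs between ISP and public resolver")
    if status in REDIRECTS and same_site and affiliate:
        findings.append("redirect injected affiliate parameters: " + ", ".join(sorted(affiliate)))
    if status in REDIRECTS and not same_site:
        findings.append("redirect leaves the requested site: %s" % fin.hostname)
    return {"suspicious": bool(findings), "findings": findings, "injected": affiliate}


# Constructed observation: ISP resolver hands out 203.0.113.5 for the apex name,
# a public resolver answers 198.51.100.10, and the ISP's box 301s to www with a tag.
SAMPLE = dict(requested="http://retailer.example/", status=301,
              location="http://www.retailer.example/?tag=isp-affiliate-20",
              isp_a={"203.0.113.5"}, public_a={"198.51.100.10"})

if __name__ == "__main__":
    print(classify(**SAMPLE))
```

      A clean apex redirect (same A record from both resolvers, `Location` with no added query string) comes back with `suspicious` false.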
    3. Re:What exactly happened? by Anonymous Coward · · Score: 0

      Thanks for the explanation

  29. This is incorrect by Anonymous Coward · · Score: 0

    CDNs don't use the DNS server you use as the basis for deciding where to serve content,

    *they base it on the destination IP address (i.e. your computer)*

    They couldn't use DNS servers simply because large ISPs like AT&T or Comcast all use the same DNS server IP addresses.

    1. Re:This is incorrect by FeriteCore · · Score: 1

      CDNs don't use the DNS server you use as the basis for deciding where to serve content, *they base it on the destination IP address (i.e. your computer)* They couldn't use DNS servers simply because large ISPs like AT&T or Comcast all use the same DNS server IP addresses.

      Furthermore, how would they ever get the identity of the domain server your system uses during the three-way handshake? If they can, please tell us how. I'd really like to know.

    2. Re:This is incorrect by Anonymous Coward · · Score: 0

      So they send the content from a different server than the one you contacted? How does that work?

      I thought the trick is that the name resolves to a server close to you (that's where the DNS enters), and therefore you contact that one.

    3. Re:This is incorrect by kriston · · Score: 1

      The CDN just sends you to the edge servers that are closest peer to the DNS server. I thought there was a very elaborate geolocation scheme, but there is not. They merely use the location of the DNS server that resolves your query.

      I was so disappointed. There is no magic. They do not know nor care about the end user's IP address. The CDN just sends you to the edge servers that are closest peer to the DNS server. Certain companies actually seem to own patents on this simple technique.

      --

      Kriston

  30. They did WHAT? by Porchroof · · Score: 1

    I read the first couple of paragraphs at the link given and I still do NOT know what the ISP did.

    --
    Fata viam invenient.
    1. Re:They did WHAT? by Anonymous Coward · · Score: 0

      They (a) caused their customers, by giving back wrong DNS results, to initially go to their own (i.e. the ISP's) servers instead of the servers the customers intended to reach, and (b) used this to steal money from online retailers through misuse of their affiliate programs.

  31. Re:Repost! by rroman · · Score: 4, Funny

    How is it possible that this post was modded Funny? Slashdot is exactly what this post describes. Slashdot is mainly great because of great comments and a well done comment rating system.

  32. Re:Repost! by realityimpaired · · Score: 1, Redundant

    It's funny, because the great comment/discussion you're talking about has been going downhill for a very long time. Just look at the first post on this topic, for a case in point.

  33. Re:Repost! by Anonymous Coward · · Score: 0

    Sure, if by "great" you mean "above tabloids".
    Don't get me wrong. The comments ARE the primary reason to come here, but let's not kid ourselves. Sturgeon's law is alive and well here.

  34. Vote with your feet by tepples · · Score: 1

    Anyone can get Comcast. I imagine you might be unwilling to do what it takes, namely to move into Comcast's service area. (References: move; move)

    1. Re:Vote with your feet by Anonymous Coward · · Score: 0

      Anyone can get Comcast.

      I strongly doubt that. Here's a probably incomplete list of people I'm pretty sure cannot get Comcast:

      * People who are in jail.
      * People who live in a country where Comcast doesn't offer service (I guess that's every country except USA, but I may be wrong about that), and can't, for whatever reason, move into a country where Comcast does offer service.

      Captcha: pitfalls

  35. Re:Repost! by Anonymous Coward · · Score: 0

    If it's going downhill, it's because of people like you claiming it's going downhill. Congrats, you're the problem.

  36. Re:Repost! by Anonymous Coward · · Score: 1

    Only reason I'm looking at it is because I browse at -1. So looks to be functioning just fine.

  37. Or foreign counterparts by tepples · · Score: 1

    I admit that my comment was not perfectly rigorous. Category 1 can't read my assertion anyway, and category 2 can be fixed by adding "or foreign counterparts" where appropriate.

  38. ~20 things hosts do addons + dns fail by Anonymous Coward · · Score: 0

    For added speed, security, reliability, & anonymity (i.e. -> ubiquitous versatility vs. INTENTIONALLY default crippled functionality):

    1.) They don't block rogue DNS malware makers use - hosts do.
    2.) They don't block known sites/servers of malware/malicious scripts - hosts do.
    3.) They don't speed up FAVORITE sites - hosts do
    4.) They ONLY work on Mozilla products (browser/email), hosts work on ANY webbound app & multiplatform.
    5.) They can't protect external to FireFox email programs, hosts do (OUTLOOK, Eudora, etc.)
    6.) They can't blow past DNSBL's - hosts do.
    7.) They can't avoid DNS requestlogs - hosts do.
    8.) They can't protect vs. DOWNED or "DNS-poisoned" redirected DNS servers - hosts do.
    9.) They don't protect vs. "FastFlux" botnets - hosts do
    10.) Hosts = EASIER to self-manage: Textfile edit!
    11.) Hosts operate LONG before REDUNDANT plugins (& ON MORE + do more)
    12.) Plugins slow down browsers (a message passing fact) - Stack a few up & see. Hosts don't + operate in a far faster ring of privilege operation (ring 0/rpl 0/kernelmode, not slower ring 3/rpl 3/usermode as browsers & their addons do) starting up w\ OS + IP stack.

    ---

    (This isn't "english class": That's off-topic + bs "you're a diff. ac". You can't validly disprove me)

    * You're outnumbered ~ 20++:1 - "Run, Forrest: RUN!!!" (as this tears your bs up).

    APK

    P.S.=> YOUR "points" = shot down (& agree w/ mine so "you're bored" = You're beaten):

    A.) My hosts file = NEVER "out of date" due to my program!

    B.) AdBlock doesn't block all ads by default

    C.) Ghostery + AdBlock's = advertiser OWNED foxes in a henhouse & crippled + LIMITED vs. hosts

    D.) "Finesse" != regexp (harder) vs. hosts file line edits (easy).

    E.) RequestPolicy = limited vs. hosts per my last posts' links (& all 3 are limited or crippled + advertiser funded),

    F.) Ads blocking a page? That holds down redundant limited addons too (webbug)

    G.) + DNS = LOADED w/ bugs & flaws hosts overcome (with less complexity)...

    ...apk

    1. Re:~20 things hosts do addons + dns fail by Anonymous Coward · · Score: 0

      I'm confused. There wasn't a single mention of TimeCube anywhere in this post, yet it looks like it was ripped right off the site!

  39. Re:Repost! by Anonymous Coward · · Score: 1

    Question:
    How is it possible that this post was modded Funny?
    Answer:
    Slashdot is mainly great because of a well done comment rating system.

  40. Re:Repost! by rroman · · Score: 1

    Lol, this one should have been modded funny.

  41. HTTPS is still subscriber-only by tepples · · Score: 1

    You will not be surprised (if you've been here a while) to learn that Slashdot doesn't have DNSSEC.

    I'm not surprised in the least, given that Slashdot offers HTTPS protection of the session cookie only to subscribers.

  42. You can't validly disprove my points by Anonymous Coward · · Score: 0

    On a technical level that are in favor of hosts vs. DNS &/or AdBlock http://news.slashdot.org/comments.pl?sid=4616529&cid=45838921

    * :)

    (That means you FAIL, troll... period)

    APK

    P.S.=> However, I certainly DUSTED yours in my p.s. there as well, easily... & you're just MAKING me have to say you (you know that, don't you?):

    THIS? This was just "too, Too, TOO EASY - just '2ez'" - & it always IS (especially vs. technically weak trolls such as yourself)...

    ... apk