Canadian ISP Hijacking DNS Lookup Errors

Freshly Exhumed tips us to news that Canadian ISP Rogers Cable appears to be redirecting invalid DNS requests to their own search and advertising page. Roadrunner got caught doing the same thing earlier this year. According to the article, "The hijacking appears to be an attempt by Rogers to use its Deep Packet Inspection (DPI) technology to cash in on the mistakes of its users." Freshly Exhumed also reminds us, "As IOActive security researcher Dan Kaminsky has warned in the past, this presents a very serious security problem."

Good Grief

[MightyMartian (840721)]

I know one problem it can cause is for a number of spam tests which look for the message coming from a legitimate domain. When the DNS server says "yup, that resolves" even when there's actually no domain, the test is defeated.

Re:Good Grief

[PunkOfLinux (870955)]

What the hell? Verizon is doing this now, too. Whenever I type in 'slashdot' in firefox, it just takes me to their useless search page, which is getting REALLY old now. I'm getting pretty disgusted now, and they should get it through their thick heads that if they're gonna charge us money for 'net access, they have NO right to make more money off of us by selling ads instead of allowing our browsers to function as expected.

Re:Good Grief

[by Anonymous Coward]

Verizon has been doing this for a while. I read the Terms of Service, Acceptable Use Policy, etc. every time they update it. It's clearly there, disguised as a 'feature' called DNS Assistance.

However, Verizon does have non-poisoned DNS servers which you can find in their Help pages, along with instructions for changing your machine's settings. http://netservices.verizon.net/portal/link/help/item&objId=23883 [verizon.net]

Re:Good Grief

[dosius (230542)]

They tried to get me to use their poisoned servers, and as soon as I found out (btw, they DO report nxdomain, along with their error handling servers), I went back to the old ones.

The poisoned ones were 68.237.161.12 (nsnyny01.verizon.net) and 71.250.0.12 (nsnwrk01.verizon.net), and the unpoisoned ones are 151.202.0.85 and 151.203.0.85.

-uso.

Re:Good Grief

[c_g_hills (110430)]

Verizon's non-poisoned dns servers are vulnerable to the newly discovered dns vulnerability. Shout at them!

151.202.0.85 is POOR: 26 queries in 2.1 seconds from 22 ports with std dev 19.03

151.203.0.85 is POOR: 26 queries in 2.4 seconds from 22 ports with std dev 15.08

Check for your self using `dig porttest.dns-oarc.net. in txt`

Re:Good Grief

[by Anonymous Coward]

4.2.2.1
4.2.2.2

Re:

[bconway (63464)]

Worse.

$ dig +short porttest.dns-oarc.net TXT @4.2.2.1
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"209.244.7.40 is POOR: 26 queries in 2.0 seconds from 1 ports with std dev 0.00"

$ dig +short porttest.dns-oarc.net TXT @4.2.2.2
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"209.244.7.34 is POOR: 26 queries in 1.9 seconds from 1 ports with std dev 0.00"

Re:

[superphreak (785821)]

http://www.opendns.com [opendns.com]?

Re:Run your own

[CustomDesigned (250089)]

opendns.com does the very mangling I want to avoid and calls it a feature. At least they tell you they are doing it, and use it for stuff that could benefit end users (filtering allowed site names) as well as their own advertising. But it doesn't solve the problem. It is just a more "open" and up front version of the problem.

Re:

[m0i (192134)]

opendns.com does the very mangling I want to avoid and calls it a feature. At least they tell you they are doing it, and use it for stuff that could benefit end users (filtering allowed site names) as well as their own advertising. But it doesn't solve the problem. It is just a more "open" and up front version of the problem.

Just turn it off (feature called 'typo correction') and you have a rock solid/bug fixed open dns :)

The Verizon Annoyance...

[flajann (658201)]

You can "opt out" of the Verizon annoyance by modifying your DNS address by adding "2" to the last octet.

I've had to do this, and it works. No annoying Verizon snatching my failed DNS lookups!

Of course, if you try to get this out of their so-called "tech support", they will not know what you're asking for until you manage to get down to tier 2 or 3 or so. Amazing as it sounds, teir-one Verizon Fios tech support will glaze over at the mere mention of DNS, and will stupidly keep trying to get you to do inane things with your browser.

Re:

[code65536 (302481)]

Unfortunately, this is possible only for their PPPoE users. Customers outside of their northeast service area don't use PPPoE, and it's not possible to change the DNS servers in these non-PPPoE cases with the routers supplied by Verizon. >:(

Re:

[Constantine XVI (880691)]

Change your DNS servers. 4.2.2.1 through 4.2.2.6 are known clean DNS servers. Most routers will let you change your DNS servers for your entire network.

Re:Good Grief

[c_g_hills (110430)]

According to Paul Vixie, Level3 operators have said that they plan to restrict access to these servers in future to customers only, so make sure you have an alternative available!

Re:

[rs79 (71822)]

Yeah, Paul's big on DNS "Alternatives". Not.

Hughes does this too now with their sat service. Never mind I use my own dns servers, their "transparent" web proxy does it's own dns and ignores the ones you use. Just for web.

That is, I can FTP to say, "free.tibet" but if I try for that web page I get a hughes/yahoo thing that says "did you mean..." (no, I did't you asswipe) Grrrrrrrrrr.

Vixie of course, invented the "transparent web proxy" to "get around" the "problem" of people using non-iana roots to get at we

Re:

[aztektum (170569)]

I switched over to using OpenDNS with my Linksys router and I get redirected to their fancy advert pages when I mistype something as well.

Re:Good Grief

[Curtman (556920)]

Maybe I don't understand the complaint. <snip> Only a few of us prefer the old 404 error and most want suggestions on where to link to.

I think the most annoying aspect is how we get used to leaving off the 'www' at the beginning of domains with Firefox, and Firefox adds it in for you if the non-www address fails to resolve. With this DNS hijacking this feature is broken.

Re:Good Grief

[Trailwalker (648636)]

AdBlock gets rid of the Verizon "search" page.

Clickity, clickity, never see again.

Re:

[davolfman (1245316)]

To be honest I still think this thing is a bomb waiting to go off when it comes to anything outside the TLD's. In my mind if someone does this for say badmachine.slashdot.org they are pretty much guilty of criminal trespass, trademark violation, and/or fraud. Within the TLD space say www.badurltest.org where the typo isn't already someone else's claimed property they can pretty much do whatever they want, or whatever we let them.

Hijack? Rogers ?

[carlvlad (942493)]

aaaa'rrrr!

Re:

[Mordok-DestroyerOfWo (1000167)]

I guess you can say they're no longer very...jolly?

Well I'll be...

[Shabbs (11692)]

This must be brand new. I did a test just now and a bad URL sends you here:

http://www20.search.rogers.com/search?

With appropriate variables substituted for what you were typing of course, like this:

Enter: http://www.rogersblowz.com and you get:

http://www20.search.rogers.com/search?qo=www.rogersblowz.com&rn=mEelOh0JrKFZejZ

Let the debate rage on!!!

Re:Well I'll be...

[Holmwood (899130)]

Worse than this even. I've been redirected to Rogers Search pages, replete with advertising, for domains that I know exist, and that I know have been entered correctly (e.g. via a bookmark).

It used to happen a lot with http://ragnartornquist.com/ [ragnartornquist.com] (Tornquist is a senior game designer for Funcom). Granted that's a tough name to spell properly for a North American, but since I'd click on a bookmarked link, or a google page, I was sure it wasn't a problem with my typing.

What started to give it away as being something at Rogers (rather than my computer infected with malware) was that this was happening on every device I connected to the net -- Lynx on BSD, Safari on Apple, Opera on Maemo, Iceweasel on Ubuntu, and, of course, Firefox/IE/Opera on Windows.

(Yeah, I have a lot of different OS's sitting around!)

For a while I then became convinced my router had been compromised, but even switching routers didn't fix it.

Concluding it was unlikely that five different OSes and myriad different browsers had all been compromised, as well as two different routers, I contacted Rogers.

They said they were experimenting with "Software Improvements" and that the problem should go away for existing domains.

Well, using a proxy fixed it for me. But not a pleasant solution.

Software Improvements.

And the problem did go away for me at least. But I wonder if anyone else is being redirected to Rogers garbage pages for domains which exist.

Holmwood.

Re:

[KGIII (973947)]

Granted that's a tough name to spell properly for a North American, but since I'd click on a bookmarked link, or a google page, I was sure it wasn't a problem with my typing.

'Snot very nice of you to insult North Americans so openly and to make such broad sweeping strokes about the intellectual capacity of North Americans.

Ah well. I think you might be right though.

Re:

[failedlogic (627314)]

I had Rogers up until about 1 year ago and the DNS servers were generally flaky. I guess they'll work better now that they have a way to make money off it. Ditto QUS on VoIP call since there's Rogers Home Phone. Does QOS still work against Vonage and such?

Strangely, I remember reading about 4 to 6 months ago the redirections were already starting. Rogers tends to release things into test markets and see how many complaints they get. If most people don't know or don't care they go ahead and roll it out.

easy solution

[FudRucker (866063)]

http://www.opendns.com/ [opendns.com]

basically it is remove your ISP's dns#s and add these

208.67.222.222
208.67.220.220

Re:easy solution

[v1 (525388)]

so, how long before your ISP starts blocking use of DNS servers other than their own?

Re:

[by Anonymous Coward]

already happening here in italy... both the ads on false page and i can not use opendns nor OpenRootServerNetvork

Re:

[antdude (79039)]

That's great if you have more than one ISPs. For me, cable is the only broadband ISP. If I want others, then I have to go back to dialup!

Re:easy solution

[tgx (1077763)]

no, they're doing the exact same thing.
they're redirecting invalid requests to
http://guide.opendns.com/?url=%5Burl.here%5D [opendns.com]

$ host aoeuidhtns.com
Host aoeuidhtns.com not found: 3(NXDOMAIN)

$ host aoeuidhtns.com 208.67.222.222
aoeuidhtns.com has address 208.69.34.132

Re:easy solution

[TealShark (598509)]

... which you can manually stop them from doing by disabling typo corrections in settings.

Re:easy solution

[Shabbs (11692)]

Funny thing is that OpenDNS also re-directs bad URLs to their search page. So really, how much better is it? ;)

Re:

[jcam2 (248062)]

Worse still, they were (and maybe still are) redirecting lookups for google.com to their own servers .. and I'm pretty sure that Google isn't often down.

Re:

[davidu (18)]

1) Our DNS is more secure. This has been shown by third parties now numerous times.
2) Our DNS is faster.
3) Our DNS lets you block out responses you don't want.
4) Our DNS lets you turn off the search result pages, though most organizations like them and customize them.
5) Our DNS has a complete dashboard of stats and settings and is 100% opt-in. If you don't like it, don't use it (but nearly everyone who tries it likes it).

Comparing us to Rogers is like apples and oranges.

-David

Re:

[davidu (18)]

I am the founder of both companies. :-)

Re:

[MrZaius (321037)]

Funny thing is that OpenDNS also re-directs bad URLs to their search page. So really, how much better is it? ;)

Add to that the fact that they're also redirecting Google's traffic to themselves.

Plus, to add insult to injury, they don't offer "unpoisoned" servers like some ISPs mentioned above. They use your desire to not put up with this nonsense as an excuse to force users to register their names, IP addresses, etc and, if DHCP users, run ddclient or some equivalent. OpenDNS opens up some very, very serious privacy concerns, at this point in the game.

I for one will be setting up my own DNS server tonight. Enough, al

Re:

[deraj123 (1225722)]

For all those responding to your post that OpenDNS does the same thing. I am currently using OpenDNS, and it is working exactly as I would like, with no invalid responses, no ad-search type pages, etc.

If you sign up for an account (free) with OpenDNS, they give you a dashboard where you can configure how you want them to respond to certain types of requests. If you turn ALL of the options OFF, then their DNS service acts exactly as it should, with no hijacking of your requests. (for awhile, you couldn

Ignore their servers

[surmak (1238244)]

If the ISP is messing with the DNS service, the best thing to do is to use a different service.

For Linux/Unix users, you can just run a caching-only server on the desktop system, and it will issue its own name requests from the root on down. I've been doing a slightly more complex version of this at home for VPN purposes. (Forward requests to my employer's net to the private internal DNS server (through the VPN), while querying the public internet for all other servers.)

I don't know it a similar option is available for Windows users w/o shelling out big bucks, but it is technically feasible

If you cannot run a caching-only server, another option is to use a third-party DNS server. The only problem here is that it would not be automagically configured by DHCP, and would have to be manually set up.

What would be the danger...

[by Anonymous Coward]

This type of behavior is wrong on so many levels so I wonder what would be the danger of having ICANN police this type of behavior? It seems that ISPs are doing more and more to circumvent "standards" for their own gain. Would it be too much to ask ICANN to come up with a set of rules that ALL ISPs must adhere to or risk losing their netblock? I'm not even sure ICANN would do anything but I'm just posing the question.

How annoying

[by Anonymous Coward]

My ISP has been doing the same thing for a while now. It fucks with the stored history in my browser. I make a mistake and every time I'm typing in the correct URL later, my mistake is shown as an option from my history.

My ISP is the American ISP Charter [charter.net]. When I type in a bad url, I get a search page like this [charter.net].

Noticed this yesterday too

[greatclare (720334)]

I noticed this yesterday and asked about it a DSL Reports and got some interesting replies like this one:
"I've recently noticed this as well. I use rogers DNS as a secondary dns and 4.2.2.1 as my primary. Either way 30 seconds after seeing this I got annoyed and in firefox 3 typed in...
"about:config" in the address bar, accepted the "This will void warranty" message and proceeded to type in "browser.search.search" into the filter bar
you should see "browser.search.searchEnginesURL" come up after typing

Been done before

[by Anonymous Coward]

EarthLink has been doing this for years. They have a workaround using "unsupported" servers that maintains real DNS behavior.

http://blogs.earthlink.net/2006/09/more_info_on_dead_domain_handl.php

Fantastic.

[fuzzyfuzzyfungus (1223518)]

Let me guess... They either already have, or soon will in a pitiful pretense of response to criticism, offer some sort of insanely weak opt-out mechanism.

I'm guessing one of two things:
Manually configure alternate DNS servers on a per device basis(a la Verizon's current setup, may they be thrice cursed)
or:
Something involving cookies, a la Phorm and friends.

For things like this, opt-out just isn't good enough.

Re:

[fuzzyfuzzyfungus (1223518)]

Oh, I agree, this one isn't hard to dodge, if one has even a modicum of skill; and I doubt that it ever will be harder than that, since the ISP probably doesn't make all that much money, per user, on this and thus has fairly limited motivation to piss enough people off to spark scrutiny, or even just spend money tightening the noose.

That said, I think that this one is a good example of the unpleasant fact that control doesn't actually have to be very good in order to have its effect(great firewall is perh

PaxFire

[Effugas (2378)]

[This is Dan Kaminsky]

I took a look at what Rogers is doing. They're using PaxFire, who indeed was directly vulnerable to the attacks I described at Toorcon a few months ago. PaxFire fixed their stuff up, but yes, the security of the web at Rogers is limited to the security of those ad servers at PaxFire.

Add Insight to the list

[sokoban (142301)]

I guess the thought with the ISP's nowadays is that "everybody else is doing it, why can't we?"

Re:

[sokoban (142301)]

And my comment was moderated...

+1 Insightful

[Rimshot]

Re:

[mysidia (191772)]

It is not recommended to set immutable bit, as it causes issues in various situations (like restoring /etc from a backup). Failure to write to an immutable file is an API issue unique to Linux boxes that use ext2fs or ext3fs.. Systems that run ReiserFS, XFS, or jfs, don't have this bug.

Future versions of DHCPD/Ifplug, or the C library, may very well properly detect the 'immutable' bit and clear it, before writing, then re-set the bit after finishing.

Just like they do if you're root and try to write t

Re:

[s7uar7 (746699)]

I'd switch back if I was you, they seem so be replacing proportional fonts with fixed-width.

Solution

[Cassini2 (956052)]

At the risk of replying to my own question, if you are running DNSMasq on your router, you can use the command:

bogus-nxdomain=64.94.110.11

To block any given IP address, and thus override Rogers override. This works to prevent Rogers from displaying its search page, no matter what URL you enter.