
Canadian ISP Hijacking DNS Lookup Errors

Freshly Exhumed tips us to news that Canadian ISP Rogers Cable appears to be redirecting invalid DNS requests to their own search and advertising page. Roadrunner got caught doing the same thing earlier this year. According to the article, "The hijacking appears to be an attempt by Rogers to use its Deep Packet Inspection (DPI) technology to cash in on the mistakes of its users." Freshly Exhumed also reminds us, "As IOActive security researcher Dan Kaminsky has warned in the past, this presents a very serious security problem."

  • Good Grief (Score:5, Interesting)

    by MightyMartian ( 840721 ) on Saturday July 19, 2008 @12:20PM (#24254179) Journal

    I know one problem it can cause is for a number of spam tests which look for the message coming from a legitimate domain. When the DNS server says "yup, that resolves" even when there's actually no domain, the test is defeated.

  • by Anonymous Coward on Saturday July 19, 2008 @12:30PM (#24254247)
    This type of behavior is wrong on so many levels so I wonder what would be the danger of having ICANN police this type of behavior? It seems that ISPs are doing more and more to circumvent "standards" for their own gain. Would it be too much to ask ICANN to come up with a set of rules that ALL ISPs must adhere to or risk losing their netblock? I'm not even sure ICANN would do anything but I'm just posing the question.
  • Re:easy solution (Score:5, Interesting)

    by Shabbs ( 11692 ) on Saturday July 19, 2008 @12:43PM (#24254329)

    Funny thing is that OpenDNS also re-directs bad URLs to their search page. So really, how much better is it? ;)

  • Been done before (Score:2, Interesting)

    by Anonymous Coward on Saturday July 19, 2008 @12:48PM (#24254359)

    EarthLink has been doing this for years. They have a workaround using "unsupported" servers that maintains real DNS behavior.

    http://blogs.earthlink.net/2006/09/more_info_on_dead_domain_handl.php

  • Re:Well I'll be... (Score:5, Interesting)

    by Holmwood ( 899130 ) on Saturday July 19, 2008 @12:56PM (#24254427)

    Worse than this even. I've been redirected to Rogers Search pages, replete with advertising, for domains that I know exist, and that I know have been entered correctly (e.g. via a bookmark).

    It used to happen a lot with http://ragnartornquist.com/ (Tornquist is a senior game designer for Funcom). Granted that's a tough name to spell properly for a North American, but since I'd click on a bookmarked link, or a google page, I was sure it wasn't a problem with my typing.

    What started to give it away as being something at Rogers (rather than my computer infected with malware) was that this was happening on every device I connected to the net -- Lynx on BSD, Safari on Apple, Opera on Maemo, Iceweasel on Ubuntu, and, of course, Firefox/IE/Opera on Windows.

    (Yeah, I have a lot of different OS's sitting around!)

    For a while I then became convinced my router had been compromised, but even switching routers didn't fix it.

    Concluding it was unlikely that five different OSes and myriad different browsers had all been compromised, as well as two different routers, I contacted Rogers.

    They said they were experimenting with "Software Improvements" and that the problem should go away for existing domains.

    Well, using a proxy fixed it for me. But not a pleasant solution.

    Software Improvements.

    And the problem did go away for me at least. But I wonder if anyone else is being redirected to Rogers garbage pages for domains which exist.

    Holmwood.

  • Re:easy solution (Score:3, Interesting)

    by jcam2 ( 248062 ) on Saturday July 19, 2008 @02:42PM (#24255333) Homepage

    Worse still, they were (and maybe still are) redirecting lookups for google.com to their own servers .. and I'm pretty sure that Google isn't often down.

  • Re:easy solution (Score:3, Interesting)

    by davidu ( 18 ) on Saturday July 19, 2008 @03:26PM (#24255717) Homepage Journal

    1) Our DNS is more secure. This has been shown by third parties now numerous times.
    2) Our DNS is faster.
    3) Our DNS lets you block out responses you don't want.
    4) Our DNS lets you turn off the search result pages, though most organizations like them and customize them.
    5) Our DNS has a complete dashboard of stats and settings and is 100% opt-in. If you don't like it, don't use it (but nearly everyone who tries it likes it).

    Comparing us to Rogers is like apples and oranges.

    -David

  • by Anonymous Coward on Saturday July 19, 2008 @06:44PM (#24257021)

    If the ISP is messing with the DNS service, the best thing to do is to use a different service.

    For Linux/Unix users, you can just run a caching-only server on the desktop system, and it will issue its own name requests from the root on down. I've been doing a slightly more complex version of this at home for VPN purposes. (Forward requests to my employer's net to the private internal DNS server (through the VPN), while querying the public internet for all other servers.)

    I don't know if a similar option is available for Windows users w/o shelling out big bucks, but it is technically feasible.

    If you cannot run a caching-only server, another option is to use a third-party DNS server. The only problem here is that it would not be automagically configured by DHCP, and would have to be manually set up.

    According to the article (and I have a hard time believing this is what is happening, but can't test it myself), what's being reported is actual "Deep Packet Inspection" -- hooray for new buzzwords -- digging the nxdomain out and then forging the response to point to their servers. IF that really is the scenario, then this won't work.

  • Solution (Score:3, Interesting)

    by Cassini2 ( 956052 ) on Saturday July 19, 2008 @09:35PM (#24258257)

    At the risk of replying to my own question, if you are running DNSMasq on your router, you can use the command:

    bogus-nxdomain=64.94.110.11

    To block any given IP address, and thus override Rogers' override. This works to prevent Rogers from displaying its search page, no matter what URL you enter.
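
Added example, not part of the original comment or of dnsmasq itself: a Python check that finds which address(es) belong after `bogus-nxdomain=` by looking up random names that cannot exist and collecting whatever comes back. The function names and the simulated resolver are assumptions for illustration; 64.94.110.11 is the address quoted in the comment above.

```python
import secrets
import socket

def system_resolver(name):
    """IPv4 addresses the OS resolver returns for name; empty set on NXDOMAIN or lookup failure."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def simulated_hijacking_resolver(name):
    """Constructed stand-in for a hijacking resolver: every name 'resolves' to the
    address quoted in the comment above."""
    return {"64.94.110.11"}

def find_hijack_addresses(resolver=system_resolver, probes=5, min_hits=2):
    """Look up random names that cannot plausibly exist and return the addresses
    that came back for at least min_hits of them. An honest resolver returns none."""
    hits = {}
    for _ in range(probes):
        # 32 random hex characters under .com; the trailing dot stops the
        # resolver from appending a local search domain.
        name = f"{secrets.token_hex(16)}.com."
        for addr in resolver(name):
            hits[addr] = hits.get(addr, 0) + 1
    return sorted(a for a, n in hits.items() if n >= min_hits)

def dnsmasq_lines(addresses):
    """One bogus-nxdomain line per address, ready for dnsmasq.conf."""
    return [f"bogus-nxdomain={a}" for a in addresses]

if __name__ == "__main__":
    # Offline demonstration; call find_hijack_addresses() with no arguments
    # to probe the resolver this machine is actually using.
    for line in dnsmasq_lines(find_hijack_addresses(simulated_hijacking_resolver)):
        print(line)
```

An empty result from the live resolver means either honest NXDOMAIN answers or no connectivity, so confirm that a known-good name resolves before trusting it.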

  • Re:easy solution (Score:3, Interesting)

    by MrZaius ( 321037 ) on Saturday July 19, 2008 @10:27PM (#24258613) Homepage

    Funny thing is that OpenDNS also re-directs bad URLs to their search page. So really, how much better is it? ;)

    Add to that the fact that they're also redirecting Google's traffic to themselves.

    Plus, to add insult to injury, they don't offer "unpoisoned" servers like some ISPs mentioned above. They use your desire to not put up with this nonsense as an excuse to force users to register their names, IP addresses, etc and, if DHCP users, run ddclient or some equivalent. OpenDNS opens up some very, very serious privacy concerns, at this point in the game.

    I for one will be setting up my own DNS server tonight. Enough, already.
