Bell Starts Hijacking NX Domain Queries

Posted by timothy
from the opendns-dot-org-is-a-nice-resource dept.
inject_hotmail.com writes "Bell Canada started hijacking non-existent domains (in the same manner as Rogers), redirecting NX-response queries to themselves, of course. Before opting-out, you get their wonderfully self-promoting and self-serving search page. When you 'opt-out,' your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. During the opt-out process, they claim to be interested in feedback, but provide no method on that page (or any other page within the 'domainnotfound.ca' site) to contact them with complaints. They note that opting-in is 'recommended' (!), and that 'In order for opt-out to work properly, you need to accept a "cookie" indicating that you have opted out of this service. If you use a program that removes cookies, you will have to repeat this opt-out process when the cookie is deleted. The cookie placed on your computer will contain the site name: "www.domainnotfound.ca."' Unfortunately most Bell Internet users won't understand the difference between their true NX domain response, and Bell's injected NX response."
  • by Pig Hogger (10379) <pig.hogger@noSpaM.gmail.com> on Tuesday August 04, 2009 @11:34AM (#28941845) Homepage Journal
    Well, that's the bad old ma Bell that's still alive and kicking in Canada.
  • These pages are helpful for the typical web surfer. In fact, an automatic URL "fixing" service would be one of those revolutionary Web 2.0 features that exists in the recesses of the web, part of the infrastructure and totally natural to use.

    Yes, it breaks some scripts and runs contrary to published standards, but it presents a new (actually pretty old) conception of how the web should work.

    • by nicolas.kassis (875270) on Tuesday August 04, 2009 @11:40AM (#28941989)
      This should be handled at the infrastructure level. DNS doctoring is bad for many reasons. I'm sure a Firefox or IE addon would actually be much more preferable. Something easy to deactivate when things break.
      • by typosquatting (1586073) on Tuesday August 04, 2009 @04:16PM (#28946789) Homepage
        I've made the point before, but it's worth pointing out again that this is just typosquatting on a massive scale.

        Many people don't realize that there's TONS of traffic going to typo domains (whether registered or not). For instance, youtuve.com (notice the v instead of the b) got 347,852 visitors over the last 31 days. It redirects to another domain for cloaking purposes, but here is the traffic report [sedo.com]. This level of traffic provides the financial incentive to implement these DNS schemes.

        By the way, there's a new, free typosquatting [aliasencore.com] scan tool at aliasencore.com. It shows you all the registered .COM domain names that are one character misspellings of any Alexa top 100,000 site you enter. It also displays screenshots of those typosquatting sites. It's a nifty way to get a quick idea of the rampant growth of typosquatting. Here's an example [aliasencore.com] that shows the 425 registered .COM domain names that are one character away from google.com.

        Full disclosure: I am Graham MacRobie, the CEO of Alias Encore, Inc. We help companies recover cybersquatting domain names, but we focus solely on "slam-dunk" typosquatting cases (obviously only registered domain names). I can speak from personal experience in this field that the very last thing we need is wholesale typosquatting at the DNS level. Bell Canada should turn this "feature" off immediately.
    • by Anonymous Coward on Tuesday August 04, 2009 @11:41AM (#28942005)

      That's fine, but whether or not it's helpful for the typical Web surfer is completely irrelevant.

      It's a clear example of a layering violation. If you want URL fixing, great, but do it in the browser, don't hijack DNS which other services depend on.

      As far as I am concerned, it really is clear cut that this shouldn't be happening!

    • by sugarmotor (621907) on Tuesday August 04, 2009 @11:41AM (#28942009) Homepage

      Browsers can take care of this quite well!

      I think they mostly do.

      Or put otherwise, this is a pretty heavy solution to the problem, if the problem is what it is to solve -- unlikely.

      Stephan

    • by qortra (591818) on Tuesday August 04, 2009 @11:44AM (#28942071)

      These pages are helpful for the typical web surfer

      How is that? By encouraging them to use a search engine with which they are unfamiliar, or by leading them away from their intended target with advertising. Look at the Sample Page [domainnotfound.ca] again, and explain to me the utility in that crap. Domain errors should ideally result in a big red "X" so the user knows to turn around and try again.

      In fact, an automatic URL "fixing" service would be one of those revolutionary Web 2.0 features that exists in the recesses of the web, part of the infrastructure and totally natural to use.

      Now this is an interesting idea. Let me tell you the best way to handle this - on the client side, after the proper DNS opportunities have been exhausted. This is because the client best knows the user's browsing proclivities (most often viewed pages, favorite search engines, etc).

    • by superdana (1211758) on Tuesday August 04, 2009 @11:49AM (#28942161)
      This isn't about the web, this is about the Internet--there's a difference. The web is just one tiny piece of the Internet, and there are 65,000 other services that require a properly functioning domain name system. Screwing it up in a way that only "works" for the web is totally unacceptable.
      • by Minwee (522556) <dcr@neverwhen.org> on Tuesday August 04, 2009 @12:52PM (#28943417) Homepage

        Bell makes a habit of screwing up other services. If you're not requesting data on port 80, preferably from one of their servers, then you are just causing trouble.

        Way back when Bell Sympatico was first introducing ADSL I signed up for it and stuck with them for a few years. I put up with things like their spam-friendly mail servers, even going so far as to point out how their broken use of the VRFY command was exposing customer account numbers to the world and demonstrating how their POP3 server allowed brute force login attempts, only to be told that such a thing was impossible and I must have just imagined the whole thing, but finally dumped them for a cheaper alternative about five years ago when they started messing around with my traffic.

        The beginning of the end was when incoming SMTP connections were blocked. I worked my way up through the sludgy layers of technical support trying to find a way to explain that I really did want people on the Internet to be able to connect to TCP port 25 on my computer at home, only to be told that either a) It wasn't happening because Bell would never do that, b) I should be using their mail servers and did I want the IP address of their POPE server? or c) That if there was a problem with one of my ports then I should take my computer to a shop and have it fixed.

        I only wish I was making those up. I finally managed to escalate to someone who knew what TCP was and he was as surprised as I was that there was a problem.

        Bell is only interested in selling access to Facebook and Flickr. If you want anything more than that then you're probably not worth it and they will be quite happy to lose your business.

    • by dirk (87083) <dirk@one.net> on Tuesday August 04, 2009 @11:52AM (#28942251) Homepage

      It also breaks the functionality of basic programs. For example we have a lot of people that use Outlook Anywhere, and it will be broken by this. By default, it checks for the internal server first, and when it can't find it, it then jumps to Outlook Anywhere. Except now it gets a response for the internal server, and then waits forever for a timeout. So now we'll have even more people calling us asking why they can't get their email when they could before. We already have a list of 10 or so ISPs that we tell our users not to use for this very reason.

    • by mini me (132455) on Tuesday August 04, 2009 @12:13PM (#28942679)

      Some browsers do attempt to "fix" URLs. These services break those features, since the domain is always resolved properly as far as the browser is concerned.

    • by Tom (822) on Tuesday August 04, 2009 @02:50PM (#28945487) Homepage Journal

      These pages are helpful for the typical web surfer.

      Do you work in marketing?

      Clue: DNS stands for "Domain Name Service", not "Targeted Advertisement Injection". The "typical web surfer" already has a tool that is responsible for handling unresolvable addresses, it's built into the browser. If you want more help, suggestions for typo fixing, etc. then the browser is the proper location.

      There are client programs out there that rely on getting proper DNS responses, including correct "domain not found" replies when the domain does not exist.

      Yes, it breaks some scripts and runs contrary to published standards, but it presents a new (actually pretty old) conception of how the web should work.

      No, it doesn't. And running contrary to published standards isn't a minor offense. They're called standards for a reason, and client-side programs expect a certain behaviour. Breaking that means breaking customers' software. And no, the web should not work this way. If you want to get a search page on DNS error, a Firefox plugin would be the proper approach, not DNS manipulation.

      What this is is the equivalent of your phone company hijacking every call with a mistyped phone number to a toll line with a "helpful" operator that helps you guess the correct number. The only difference is the payment method.

  • by Drakkenmensch (1255800) on Tuesday August 04, 2009 @11:36AM (#28941885)
    You wouldn't believe the amount of angry customer calls I had escalated to me by people who think that computers, modems and internet service are all the same things and I was responsible for all of them. If you want me to share them with you, bring lots of hard liquor - you're going to need it.
  • by ltning (143862) <ltning.anduin@net> on Tuesday August 04, 2009 @11:38AM (#28941935) Homepage

    The Deutsche Telekom / T-Online does exactly the same in Germany.

  • by gurps_npc (621217) on Tuesday August 04, 2009 @11:38AM (#28941937) Homepage
    TACO stands for Targeted Advertising Cookie Opt-Out. It is a Firefox addon that keeps a generic, non-user-specific cookie opting out of the things that need cookies to opt out of.
  • by nweaver (113078) on Tuesday August 04, 2009 @11:38AM (#28941941) Homepage

    If this is a true description of the opt-out, it is SERIOUSLY broken.

    Simply put, any opt-out mechanism MUST enable the user's computer to properly receive an NXDOMAIN response. Because the problem is NOT the advertising web page on a web browser typo for http, but all the other things that do DNS lookups.

    For example, NXDOMAIN wildcarding even snagged and confused Dark Tangent [defcon.org] into thinking that someone was trying to MitM the Defcon forums!

    I can accept an ISP doing this only under the following conditions:

    a) The opt-out is a one-click item on the page

    b) The opt-out is permanent and for all connected through that IP/customer link

    c) The opt-out is a real opt-out which will cause NXDOMAIN responses to be properly returned as NXDOMAIN.

    This clearly fails B and C.

  • by Dan East (318230) on Tuesday August 04, 2009 @11:44AM (#28942069) Homepage Journal

    Embarq does the same thing with their DSL:

    http://search.embarq.com/index.php?origURL=http://lkwkerwer.com/ [embarq.com]

  • by caseih (160668) on Tuesday August 04, 2009 @11:44AM (#28942073)

    Is there any way a local caching name server can detect this brokenness and return the right answer? I seem to remember some bind configs a few years back that would do that but I'm not sure if they would still work.

    Or maybe a firefox plugin could detect this damage and restore the original, correct behavior somehow.
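    One way to do what the question above asks for, as an added example that is not code from the original post, from Bell, or from any of the tools mentioned in the thread: ask the resolver for a handful of random, almost certainly unregistered names (at the apex and under "www.", since a commenter below reports the rewrite only applying to www-prefixed lookups), treat any address that comes back for those names as the hijack address, and then turn any later answer made up solely of those addresses back into NXDOMAIN. That last step is what dnsmasq's `bogus-nxdomain=<ip>` option does once you know the address; the code below shows how the address can be learned automatically. The resolver is modelled as a plain function so the logic runs offline; the two resolvers, the zone data and the address 192.0.2.53 are constructed stand-ins (192.0.2.0/24 is a documentation range), not Bell's actual behaviour or addresses.

```python
"""Detect NXDOMAIN wildcarding and undo it locally (added example).

A resolver is modelled as a function name -> list of A-record strings,
or None for NXDOMAIN. Wrapping a real resolver (e.g. with dnspython)
in such a function is left to the reader; nothing here touches the
network.
"""
import random
import string
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], Optional[List[str]]]


def random_label(rng: random.Random, length: int = 16) -> str:
    """A random lowercase/digit label; at 16 characters a collision with a
    registered name is vanishingly unlikely."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def probe_names(rng: random.Random, count: int = 4, tld: str = "com") -> List[str]:
    """Random names at the apex and under www., so a rewrite that only
    targets www-prefixed queries is still caught."""
    names: List[str] = []
    for _ in range(count):
        base = f"{random_label(rng)}.{tld}"
        names.append(base)
        names.append(f"www.{base}")
    return names


def detect_wildcarding(resolve: Resolver, seed: int = 1) -> Dict[str, object]:
    """Ask for names that cannot exist; any positive answer is a hijack."""
    rng = random.Random(seed)
    hijack_ips: Set[str] = set()
    hijacked_names: List[str] = []
    for name in probe_names(rng):
        answer = resolve(name)
        if answer:                      # NXDOMAIN is None (or []); anything else is wrong
            hijacked_names.append(name)
            hijack_ips.update(answer)
    return {
        "hijacked": bool(hijacked_names),
        "hijack_ips": sorted(hijack_ips),
        "hijacked_names": hijacked_names,
    }


def sanitize(answer: Optional[List[str]], hijack_ips: Set[str]) -> Optional[List[str]]:
    """Turn an answer made up entirely of known hijack addresses back into
    NXDOMAIN (None). Mixed answers are left alone so a real site that
    happens to share one address is not blocked."""
    if answer and all(ip in hijack_ips for ip in answer):
        return None
    return answer


# --- constructed resolvers for offline use -------------------------------
REAL_ZONE = {"example.com": ["192.0.2.10"], "www.example.com": ["192.0.2.10"]}
HIJACK_IP = "192.0.2.53"   # constructed stand-in for an ISP search-page address


def honest_resolver(name: str) -> Optional[List[str]]:
    """Standards-conforming: unknown names get NXDOMAIN."""
    return REAL_ZONE.get(name.lower())


def www_only_hijacker(name: str) -> Optional[List[str]]:
    """Mimics the reported behaviour: apex lookups of unknown names get
    NXDOMAIN, www.* lookups get the search-page address."""
    real = REAL_ZONE.get(name.lower())
    if real is not None:
        return real
    return [HIJACK_IP] if name.lower().startswith("www.") else None


if __name__ == "__main__":
    for label, resolver in (("honest", honest_resolver), ("hijacker", www_only_hijacker)):
        report = detect_wildcarding(resolver)
        print(label, report)
        ips = set(report["hijack_ips"])  # type: ignore[arg-type]
        print("  www.nosuchname.com ->", sanitize(resolver("www.nosuchname.com"), ips))
        print("  www.example.com    ->", sanitize(resolver("www.example.com"), ips))
```

Run the detector at resolver start-up (or on a timer, since the hijack address can change) and feed the learned set into `sanitize`, or into `bogus-nxdomain=` if you front your network with dnsmasq; either way, every non-browser client behind the box gets a real NXDOMAIN again, which is what the cookie-based opt-out cannot deliver.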

  • by Timothy Brownawell (627747) <tbrownaw@prjek.net> on Tuesday August 04, 2009 @11:46AM (#28942113) Homepage Journal

    Isn't this sort of forgery exactly what DNSSEC is supposed to prevent?

    (And no, don't go suggesting DNSCurve. It doesn't protect against your ISP's caching resolver being malicious like this.)

  • by Midnight Thunder (17205) on Tuesday August 04, 2009 @11:50AM (#28942193) Homepage Journal

    Using other services like OpenDNS is certainly one way to go, but last time I checked they had issues when it came to IPv6. Does anyone know any IPv6 friendly open DNS servers?

  • by Garbad Ropedink (1542973) on Tuesday August 04, 2009 @11:51AM (#28942223)

    Bell's current business model pretty much relies on people not caring about the shit they pull.

    It's sort of interesting (or infuriating, depending on whether I'm trying to use the internet..). My new ISP makes it no secret they hate everything Bell does. I think that largely has to do with them leasing their lines from Bell, and having their service screwed up when Bell does things of this nature. I imagine I'll be getting an email from my ISP soon telling me who to complain to about the service getting buggered yet again. Thanks Bell, I'll be by your office in the morning with a fresh cinderblock. I see you replaced your front window from the last time I put one through it.

  • Cookie? (Score:3, Interesting)

    by wiredlogic (135348) on Tuesday August 04, 2009 @11:57AM (#28942355)

    How is this cookie supposed to work for lookups from apps other than a web browser?

  • by pongo000 (97357) on Tuesday August 04, 2009 @12:01PM (#28942435)

    OpenNIC [opennicproject.org] offers free, open, and democratic domain name services. No redirects like your favorite ISP or OpenDNS (and to think these used to be the "good" guys back in the days of everydns.net). All ICANN domains, plus a good helping of alternate roots (including OpenNIC) as a bonus. The OpenNIC DNS network is slowly building, with servers around the world.

    Using your ISP's name servers is so passe. They'd like the masses to think that's the only choice.

  • Legal? (Score:2, Interesting)

    by TheRaven64 (641858) on Tuesday August 04, 2009 @12:05PM (#28942513) Journal
    So, what happens if I ping a domain that doesn't exist? Presumably this will then cache the DNS NXDOMAIN reply. If I then buy the domain, set up a DNS entry, and then try to connect to it, I will get their server instead of mine. This sounds like it would fall foul of computer misuse laws; intentionally hijacking a connection. The presence of ads means that they're doing it for commercial purposes, which usually carries a heavier sentence. Other ISPs will not be breaking these laws, because they will just be inadvertently blocking my connection, rather than hijacking it.
    • Re:Legal? (Score:5, Informative)

      by RedK (112790) on Tuesday August 04, 2009 @01:18PM (#28943861)
      How did this ever get +5? Seriously, if you register a non-existent domain, they won't hijack you. First, there's this thing called TTL on requests, when a DNS server caches a response from an authoritative source, it is not permanent. It has a Time to Live, defined in the Start of Authority in the zone on the master server or on the entry itself. So after a while, the DNS server will query the authoritative source again to make sure its answer is still correct and up to date. This is also implemented for NXDOMAIN queries, as defined in RFC2308. Section 3 is specific that NXDOMAIN queries should also return the SOA and that the receiving cache is to use the minimum TTL (the last value in the SOA). The default on this is 3600 seconds, or you guessed it, 1 hour. Since your domain will take 24-48 hours to show up on the ccTLDs or gTLDs anyhow, 1 hour isn't going to make or break anything as far as caching a NXDOMAIN answer and anyway, you wouldn't have gotten that traffic to begin with.
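      The negative-caching arithmetic from RFC 2308 that the reply above relies on, as an added example (not code from the original thread): the SOA returned in a negative answer carries min(TTL of the SOA record, SOA MINIMUM field), and that is how long a resolver may serve the cached NXDOMAIN before re-querying; section 5 also allows the resolver to cap it by local policy. The scenario walks a name through "does not exist", "registered but negative entry still fresh" and "entry expired". The SOA values, the three-hour cap and the zone data are constructed for the example.

```python
"""Negative caching per RFC 2308 (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SOA:
    ttl: int      # TTL on the SOA record returned in the authority section
    minimum: int  # MINIMUM field, the last value of the SOA RDATA


def negative_ttl(soa: SOA, resolver_cap: int = 3 * 3600) -> int:
    """RFC 2308 section 3: the SOA in a negative answer carries
    min(SOA TTL, SOA MINIMUM) and that is how long the NXDOMAIN may be
    cached. Section 5 lets the resolver cap it further; the 3-hour cap
    here is a local policy choice for this example, not a protocol constant."""
    return min(soa.ttl, soa.minimum, resolver_cap)


class NegativeCache:
    """Name -> absolute expiry time of a cached NXDOMAIN."""

    def __init__(self) -> None:
        self._expires_at: Dict[str, int] = {}

    def store(self, name: str, soa: SOA, now: int) -> None:
        self._expires_at[name.lower()] = now + negative_ttl(soa)

    def has_fresh_nxdomain(self, name: str, now: int) -> bool:
        expiry = self._expires_at.get(name.lower())
        if expiry is None:
            return False
        if now >= expiry:          # entry aged out; re-query next time
            del self._expires_at[name.lower()]
            return False
        return True


def lookup(name: str, cache: NegativeCache, zone: Dict[str, List[str]],
           soa: SOA, now: int) -> Optional[List[str]]:
    """Resolve through the negative cache. `zone` stands in for the
    authoritative servers; None means NXDOMAIN."""
    if cache.has_fresh_nxdomain(name, now):
        return None
    rrset = zone.get(name.lower())
    if rrset is None:
        cache.store(name, soa, now)
    return rrset


# Constructed SOA: record TTL 3600, MINIMUM 86400. The negative TTL is the
# smaller of the two, 3600 s, i.e. the one-hour figure in the reply.
EXAMPLE_SOA = SOA(ttl=3600, minimum=86400)


def registration_scenario() -> Dict[str, Optional[List[str]]]:
    """Look a name up before it exists, register it, and look it up again
    before and after the negative entry expires."""
    zone: Dict[str, List[str]] = {}
    cache = NegativeCache()
    name = "brand-new-domain.example"          # constructed name
    results: Dict[str, Optional[List[str]]] = {}
    results["t=0 before registration"] = lookup(name, cache, zone, EXAMPLE_SOA, now=0)
    zone[name] = ["192.0.2.20"]                 # registered at t=10 (constructed)
    results["t=600 registered, cache fresh"] = lookup(name, cache, zone, EXAMPLE_SOA, now=600)
    results["t=3600 cache expired"] = lookup(name, cache, zone, EXAMPLE_SOA, now=3600)
    return results


if __name__ == "__main__":
    for step, answer in registration_scenario().items():
        print(f"{step:32s} -> {'NXDOMAIN' if answer is None else answer}")
```

      The point for the thread: a resolver that wildcards NXDOMAIN still goes back to the authoritative servers once this timer runs out, so a freshly registered name starts resolving to its real address after at most the negative TTL (plus any registry delay), not "forever".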
  • Feedback form (Score:2, Informative)

    by talcite (1258586) on Tuesday August 04, 2009 @12:11PM (#28942647)
    For those of you who want to let Bell hear a bit of your mind, the comments form is here:

    https://www.bell.ca/support/PrsCSrvInt_CtUs_Eform.page [www.bell.ca]
  • by Man Eating Duck (534479) on Tuesday August 04, 2009 @12:12PM (#28942673)

    The first hit for me is the wonderful errornerd.com, which can fix these errors if you download their registry utility [errornerd.com].
    They can even fix a host of other errors, even 404s [errornerd.com] and errornerd.com is a fraud [errornerd.com] errors.

  • by Malc (1751) on Tuesday August 04, 2009 @12:17PM (#28942743)

    I spent June in Toronto and Ottawa with friends and my family, all of whom have internet service provided by Rogers. Now I have a bunch of typo URLs in FF's history when I'm typing in the address bar. Anybody in the province who can get DSL should go to Teksavvy where you'll get good service and none of this crap.

  • by sugarmotor (621907) on Tuesday August 04, 2009 @12:23PM (#28942861) Homepage

    Viewed in the context of net neutrality -- how can there be net neutrality if they don't even provide net access according to the semantics of the protocols?

    Stephan

  • by LaminatorX (410794) <sabotage@NoSpAm.praecantator.com> on Tuesday August 04, 2009 @12:37PM (#28943127) Homepage

    Paytec/McCloud telco does this here in the states.

  • by Anonymous Coward on Tuesday August 04, 2009 @12:43PM (#28943221)

    This seems to only affect lookups for queries prefixed with www. For example, a lookup of blerght.com returns nx, while www.blerght.com returns 67.63.55.2. There may well be other subdomain queries that it also hijacks.

  • by Baron_Yam (643147) on Tuesday August 04, 2009 @12:47PM (#28943301)

    DNS is recursive, right? Starting with the TLD servers, then downwards. Someone upstream of Bell is returning a 'domain not found' and Bell is intercepting that and modifying it.

    I understand that you're using Bell's local DNS servers to start the search, but the effect is the same as them intercepting and modifying your communications.

    ISPs doing this kind of crap should get sued under whatever law most closely applies.

    • by JesseMcDonald (536341) on Tuesday August 04, 2009 @08:04PM (#28949841) Homepage

        They're not intercepting your communications with any outside server. You asked them for the IP address linked to a given domain name, they asked a higher-level DNS server that returned NXDOMAIN to them, and instead of just returning the same NXDOMAIN to you like everyone else would they returned a pointer to the server hosting their search page. Underhanded? Sure. But intercepting and modifying your communications? Not really. Your communications were with the ISP to begin with, not the upstream DNS servers, and nothing really obligates the ISP to return the standard response.

      You could configure your system to query one of those upstream DNS servers directly. If they messed with that, then they would be interfering in your communications.

  • by fulldecent (598482) on Tuesday August 04, 2009 @12:47PM (#28943305) Homepage

    where's that perl script that queries random domains to break the ISP's DNS cache?

  • by sudog (101964) on Tuesday August 04, 2009 @12:49PM (#28943365) Homepage

    And everyone wins: a version of BIND that allows an overlay of master records based on secondary queries. You look something up, the authoritative query goes out to the replacements, the fallback position is the root nameservers.

    Then, you can participate in OpenDNS or OpenNIC or whatever you want, *and* participate in the base DNS network as well. Plus, if you ever decide someone is being naughty, you can just overlay them with a whiteout (and you get rid of every domain-squatter-searcher you want to get rid of,) or you can simply override domain squatters with the original rightful owner.

    Plus, the extortion money you currently pay? You can get rid of it basically for free. Set up a domain in the overlay instead.

  • by Animats (122034) on Tuesday August 04, 2009 @12:55PM (#28943483) Homepage

    They're reselling InfoSpace. Click on this link [domainnotfound.ca] to demonstrate.

    InfoSpace claims to be passing search queries to Google, Yahoo, Bing, Ask, and Twitter, then combining the results. I'm surprised they can do that. Google, Yahoo, and Bing all prohibit that in their terms of service. (With Google, you're only allowed to use Google's display format, expressed in their AJAX API, but you can add additional info. Google doesn't allow reordering or combining their results. Yahoo is more flexible; you can reorder, reformat, and, subject to some restrictions, add ads. Bing allows reordering and combining for Web searches, but not other types of searches.)

  • by AP31R0N (723649) on Tuesday August 04, 2009 @12:57PM (#28943509)

    Better Headlines:

    "Bell Is Hijacking NX Domain Queries"

    Does Bell "startS" hijacking on a daily basis or all the time? Tony Hawk skateS every day.

    "Bell Hijacking NX Domain Queries"

    Brevity is wit.

    Hit the reply button to make excuses and apologies.
