Bell Starts Hijacking NX Domain Queries

Posted by timothy
from the opendns-dot-org-is-a-nice-resource dept.
inject_hotmail.com writes "Bell Canada started hijacking non-existent domains (in the same manner as Rogers), redirecting NX-response queries to themselves, of course. Before opting-out, you get their wonderfully self-promoting and self-serving search page. When you 'opt-out,' your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. During the opt-out process, they claim to be interested in feedback, but provide no method on that page (or any other page within the 'domainnotfound.ca' site) to contact them with complaints. They note that opting-in is 'recommended' (!), and that 'In order for opt-out to work properly, you need to accept a "cookie" indicating that you have opted out of this service. If you use a program that removes cookies, you will have to repeat this opt-out process when the cookie is deleted. The cookie placed on your computer will contain the site name: "www.domainnotfound.ca."' Unfortunately most Bell Internet users won't understand the difference between their true NX domain response, and Bell's injected NX response."

  • Well, that's the bad old ma Bell that's still alive and kicking in Canada.
  • by ltning (143862) <ltning@a n d u i n.net> on Tuesday August 04 2009, @11:38AM (#28941935) Homepage

    The Deutsche Telekom / T-Online does exactly the same in Germany.

  • Taco stands for Targeted Advertising Cookie Opt-Out. It is a Firefox addon that keeps a generic, non-user specific cookie opting out of the things that need cookies to opt out of.
  • by caseih (160668) on Tuesday August 04 2009, @11:44AM (#28942073)

    Is there any way a local caching name server can detect this brokenness and return the right answer? I seem to remember some bind configs a few years back that would do that but I'm not sure if they would still work.

    Or maybe a firefox plugin could detect this damage and restore the original, correct behavior somehow.

  • by Anonymous Coward on Tuesday August 04 2009, @11:47AM (#28942133)

    This is what I find interesting/scary about this. Search for "Microsoft" from that webpage. Of course the first hit is from www.microsoft.com and if you look carefully you can see that it is sponsored. But the fourth hit down is for a sponsored link.

    Microsoft Help & Support 1-888-935-4306
    Get Microsoft Technical Help & Support by Expert 24x7, Call now !!
    Sponsored by: www.iyogi.net

    Very interesting that they mix sponsored and regular hits. I thought normally these were at the top of the results page and separated by bars/colors/lines/fonts.

  • by dirk (87083) <dirk@one.net> on Tuesday August 04 2009, @11:52AM (#28942251) Homepage

    It also breaks functionality of basic programs. For example we have a lot of people that use Outlook Anywhere, and it will be broken by this. By default, it checks for the internal server first, and when it can't find it, it then jumps to Outlook Anywhere. Except now it gets a response for the internal server, and then waits forever for a timeout. So now we'll have even more people calling us asking why they can't get their email when they could before. We already have a list of 10 or so ISPs that we tell our users not to use for this very reason.

  • Cookie? (Score:3, Interesting)

    by wiredlogic (135348) on Tuesday August 04 2009, @11:57AM (#28942355)

    How is this cookie supposed to work for lookups from apps other than a web browser?

  • Re:browser task? (Score:4, Interesting)

    by thePowerOfGrayskull (905905) <marc.paradiseNO@SPAMgmail.com> on Tuesday August 04 2009, @12:01PM (#28942425) Homepage Journal

    if the problem is what it is to solve -- unlikely.

    Unlikely indeed. A simple search on that site for "Test" turns up many results. Several of them have notes like this next to them: "Sponsored by: www.momshomeroom.com/msn ", and "Sponsored by: www.Tests.com "

    Looks like helping the customer is a secondary concern after all.

  • by nweaver (113078) on Tuesday August 04 2009, @12:04PM (#28942489) Homepage

    I'm not a fan of OpenDNS because they also do NXDOMAIN wildcarding.

    However, they do have a working opt-out in the OpenDNS dashboard, however you need to use their notification mechanism so they can track where you are to maintain the opt-out.

  • Legal? (Score:2, Interesting)

    by TheRaven64 (641858) on Tuesday August 04 2009, @12:05PM (#28942513) Journal
    So, what happens if I ping a domain that doesn't exist? Presumably this will then cache the DNS NXDOMAIN reply. If I then buy the domain, set up a DNS entry, and then try to connect to it, I will get their server instead of mine. This sounds like it would fall foul of computer misuse laws; intentionally hijacking a connection. The presence of ads means that they're doing it for commercial purposes, which usually carries a heavier sentence. Other ISPs will not be breaking these laws, because they will just be inadvertently blocking my connection, rather than hijacking it.
  • It's not... (Score:3, Interesting)

    by argent (18001) <peter&slashdot,2006,taronga,com> on Tuesday August 04 2009, @12:15PM (#28942707) Homepage Journal

    This...

    When you "opt-out", your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string.

    ...is just ****ing unacceptable. That's not ****ing opting out.

  • by Minwee (522556) <dcr@neverwhen.org> on Tuesday August 04 2009, @12:52PM (#28943417) Homepage

    Bell makes a habit of screwing up other services. If you're not requesting data on port 80, preferably from one of their servers, then you are just causing trouble.

    Way back when Bell Sympatico was first introducing ADSL I signed up for it and stuck with them for a few years. I put up with things like their spam-friendly mail servers, even going so far as to point out how their broken use of the VRFY command was exposing customer account numbers to the world and demonstrated how their POP3 server allowed brute force login attempts only to be told that such a thing was impossible and I must have just imagined the whole thing, but finally dumped them for a cheaper alternative about five years ago when they started messing around with my traffic.

    The beginning of the end was when incoming SMTP connections were blocked. I worked my way up through the sludgy layers of technical support trying to find a way to explain that I really did want people on the Internet to be able to connect to TCP port 25 on my computer at home, only to be told that either a) It wasn't happening because Bell would never do that, b) I should be using their mail servers and did I want the IP address of their POPE server? or c) That if there was a problem with one of my ports then I should take my computer to a shop and have it fixed.

    I only wish I was making those up. I finally managed to escalate to someone who knew what TCP was and he was as surprised as I was that there was a problem.

    Bell is only interested in selling access to Facebook and Flickr. If you want anything more than that then you're probably not worth it and they will be quite happy to lose your business.

  • by Animats (122034) on Tuesday August 04 2009, @12:55PM (#28943483) Homepage

    They're reselling InfoSpace. Click on this link [domainnotfound.ca] to demonstrate.

    InfoSpace claims to be passing search queries to Google, Yahoo, Bing, Ask, and Twitter, then combining the results. I'm surprised they can do that. Google, Yahoo, and Bing all prohibit that in their terms of service. (With Google, you're only allowed to use Google's display format, expressed in their AJAX API, but you can add additional info. Google doesn't allow reordering or combining their results. Yahoo is more flexible; you can reorder, reformat, and, subject to some restrictions, add ads. Bing allows reordering and combining for Web searches, but not other types of searches.)

  • by Albanach (527650) on Tuesday August 04 2009, @01:21PM (#28943903) Homepage

    While not many folk are running SMTP servers on a cable connection these days, as blacklists will stop lots of their mail, a very large number of users will have client side anti-spam software.

    One thing anti-spam software will often do is check the sending domain actually exists. Of course with this change, every domain suddenly exists and you have one less test available in scoring spam.

  • by typosquatting (1586073) on Tuesday August 04 2009, @04:16PM (#28946789) Homepage
    I've made the point before, but it's worth pointing out again that this is just typosquatting on a massive scale.

    Many people don't realize that there's TONS of traffic going to typo domains (whether registered or not). For instance, youtuve.com (notice the v instead of the b) got 347,852 visitors over the last 31 days. It redirects to another domain for cloaking purposes, but here is the traffic report [sedo.com]. This level of traffic provides the financial incentive to implement these DNS schemes.

    By the way, there's a new, free typosquatting [aliasencore.com] scan tool at aliasencore.com. It shows you all the registered .COM domain names that are one character misspellings of any Alexa top 100,000 site you enter. It also displays screenshots of those typosquatting sites. It's a nifty way to get a quick idea of the rampant growth of typosquatting. Here's an example [aliasencore.com] that shows the 425 registered .COM domain names that are one character away from google.com.

    Full disclosure: I am Graham MacRobie, the CEO of Alias Encore, Inc. We help companies recover cybersquatting domain names, but we focus solely on "slam-dunk" typosquatting cases (obviously only registered domain names). I can speak from personal experience in this field that the very last thing we need is wholesale typosquatting at the DNS level. Bell Canada should turn this "feature" off immediately.
  • by John Hasler (414242) on Tuesday August 04 2009, @06:30PM (#28948657) Homepage

    There's no forgery. You are connecting to their server just as you intended to and it is giving exactly the response they configured it to give. However, that response is not the one specified by the RFC.
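
Added example, not part of the thread: one way to do the detection asked about in the caching-name-server comment and to keep the "does the sending domain exist" test from the anti-spam comment. It resolves random names that cannot be registered, records the addresses that come back, and treats answers made up only of those addresses as NXDOMAIN. The function names, the `resolve` parameter and the sample resolver data are assumptions made for this example, and it checks A records only.

```python
import secrets
import socket

def system_resolve(name):
    """IPv4 addresses the system resolver returns for name; empty set on failure."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def find_hijack_addresses(resolve=system_resolve, probes=5, tlds=("com", "net", "ca")):
    """Resolve random names that should not exist; any answer is a redirect target."""
    hijack = set()
    for tld in tlds:
        for _ in range(probes):
            label = secrets.token_hex(16)  # 32 random hex characters
            hijack |= resolve(f"{label}.{tld}")
    return hijack

def domain_exists(name, hijack, resolve=system_resolve):
    """Treat an answer consisting only of redirect addresses as NXDOMAIN."""
    return bool(resolve(name) - hijack)

# Constructed sample data standing in for two upstream resolvers (hypothetical).
REAL_ZONES = {"example.org": {"192.0.2.10"}}
REDIRECT = {"203.0.113.7", "203.0.113.8"}

def hijacking_resolver(name):
    """Answers every unknown name with the redirect addresses instead of NXDOMAIN."""
    return set(REAL_ZONES.get(name, REDIRECT))

def honest_resolver(name):
    """Answers unknown names with nothing, as a real NXDOMAIN would."""
    return set(REAL_ZONES.get(name, set()))

if __name__ == "__main__":
    hijack = find_hijack_addresses(resolve=hijacking_resolver)
    print("redirect addresses:", sorted(hijack))
    for sender in ("example.org", "exampel.org"):
        print(sender, "exists:", domain_exists(sender, hijack, resolve=hijacking_resolver))
```

A real site hosted on one of the redirect addresses would be misclassified as non-existent, so the learned set should be refreshed and kept small.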
