Comcast the Latest ISP To Try DNS Hijacking

A semi-anonymous reader writes "In the latest blow to DNS neutrality, Comcast is starting to redirect users to an ad-laden holding page when they try to connect to nonexistent domains. I have just received an email from them to that effect, tried it, and lo and behold, indeed there is the ugly DNS hijack page. The good news is that the opt-out is a more sensible registration based on cable modem MAC, rather than the deplorable 'cookie method' we just saw from Bell Canada. All you Comcast customers and friends of Comcast customers who want to get out of this, go here to opt out. Is there anything that can be done to stop (and reverse) this DNS breakage trend that the ISPs seem to be latching onto lately? Maybe the latest net neutrality bill will help." Update: 08/05 20:03 GMT by T : Here's a page from Comcast with (scant) details on the web-jacking program, which says that yesterday marked the national rollout.
  • Repeat? (Score:3, Insightful)

    by HeronBlademaster ( 1079477 ) <heron@xnapid.com> on Wednesday August 05, 2009 @03:37PM (#28961877) Homepage

    Is it just me or was this story on slashdot like three weeks ago? And I complained then? And we all opted out?

  • Not OpenDNS (Score:3, Insightful)

    by sakdoctor ( 1087155 ) on Wednesday August 05, 2009 @03:47PM (#28961993) Homepage

    4.2.2.1
    4.2.2.2
    4.2.2.3
    4.2.2.4
    4.2.2.5
    4.2.2.6

    At least this story doesn't have OpenDNS in the "from the X department" this time.
    OpenDNS does exactly the same thing, so you might as well stick with your comcast servers.

  • Very Simple Answer (Score:5, Insightful)

    by IBitOBear ( 410965 ) on Wednesday August 05, 2009 @03:59PM (#28962187) Homepage Journal

    DNS is supposed to tell you (essentially) "no such domain name registered" when you try to find a domain name.

    IFF (i.e. if and only if) DNS _only_ serviced web browsers, then one noise-page (my adverts here) is no different than any other noise page (no such name) because a human is going to go "oh, that's not what I was looking for".

    But there is a heck of a lot more going on out here in the internet than just web browsing, and significant portions of it hinge on getting true and correct answers from the DNS system.

    With DNS boned-up to return false positives on all names, then money can be stolen from you, the casual web browser. For instance, I send you an email from support@bankofamercia.com; you don't notice the transposition of letters, your spam filter looks up bankofamercia.com and the DNS service returns an IP address instead of no such address, that address is the same one as I spoofed in the email, the spam filter says it's a good email, you get owned.

    Okay, that _is_ contrived, so try this instead...

    It's 1964. You are at a pay phone. Your car has broken down. It's your last dime. You call home, but mis-dial a number that doesn't exist and you get a busy signal, and you get your dime back. You call home again and get help. The system worked.

    It's 1964. You are at a pay phone. Your car is broken down. It's your last dime. You call home, but mis-dial a number that doesn't exist and some random person answers and proceeds to try to sell you car wax. Your dime is gone. You are still stuck. The system has failed.

    Imagine your life if you _never_ got a busy signal. You call any extension in any company and you get to leave a voice mail but nobody will ever get that message. It would be living hell.

    Worse yet, you run a small company; you make a small number of sales each month that are vital to your company's survival. You invest in an expensive advertisement on the Super Bowl and everything goes great. Then your DNS server dies. Now there is nobody to answer the proper DNS queries. The DNS squatter wakes up and since mylittlecompany.com no longer resolves, all that traffic goes to the Comcast Advertisement Shill page. In just a few minutes you get your DNS server working again, but everyone who got the bogus page thinks your company is trying to sell Comcast telephone service and web search services and you never get that business. You are out big cash and your name is ruined. If the spamvertisement page hadn't been there, those people might instead be thinking "wow, this service is so popular I cannot get in, maybe I'll try back in a bit" instead of "why did Comcast decide to take out a Super Bowl ad that made it look like they sold that interesting little product?"

    In short, what if every time your cell phone couldn't be found (because it was off or the battery died etc) the people trying to call you got silently redirected to a random "service" of the type one sees on late night television, offering jokes or sex chat, ostensibly in your good name?

    That's what is wrong with doing that.
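The protocol point made above (an honest resolver must say "no such name", a hijacking one answers with an address instead) can be checked from the client side without trusting anything the ISP says. The following is an added example written for this page, not code from the commenter, from Comcast or from any opt-out tool: it builds a raw DNS query for a random label that nobody could have registered, parses the reply by hand (including name compression pointers), and reports whether the resolver returned NXDOMAIN or synthesised an A record. The name `nxdomain-test.example`, the address 192.0.2.10 and the two sample replies are constructed for the demonstration; `probe_resolver` sends the same kind of query to a real resolver over UDP if you have network access.

```python
"""Sentinel probe for NXDOMAIN hijacking: an RFC 1035 resolver answers a name
that does not exist with RCODE 3 and no records; a hijacking resolver answers
RCODE 0 with an A record for its landing page.  Query a random label and check."""
import os
import socket
import struct

TYPE_A, CLASS_IN, RCODE_NXDOMAIN = 1, 1, 3

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def sentinel_name(tld="com"):
    """A label nobody could have registered: the only honest answer is NXDOMAIN."""
    return "%s.%s" % (os.urandom(8).hex(), tld)

def build_query(name, qid):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)

def build_response(query, rcode, a_records=()):
    """Construct a reply to `query`; used here only to build sample traffic."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    body = query[12:]                                  # copy the question section
    for ip in a_records:                               # owner name = pointer to offset 12
        body += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 60, 4) + socket.inet_aton(ip)
    return header + body

def parse_response(data):
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, rdata))
    return {"id": qid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}

def classify(reply, expected_id):
    """Return (verdict, A-record IPs) for the reply to a sentinel query."""
    r = parse_response(reply)
    if r["id"] != expected_id:
        return ("mismatched-id", [])                   # not our reply; ignore it
    ips = [rd for _, t, rd in r["answers"] if t == TYPE_A]
    if r["rcode"] == RCODE_NXDOMAIN and not r["answers"]:
        return ("honest", [])
    if r["rcode"] == 0 and ips:
        return ("hijacked", ips)                       # an address for a name that cannot exist
    return ("other-rcode-%d" % r["rcode"], ips)

def probe_resolver(resolver_ip, port=53, timeout=2.0):
    """Live check over UDP (needs network access; not exercised offline)."""
    qid = struct.unpack("!H", os.urandom(2))[0]
    query = build_query(sentinel_name(), qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, port))
        data, _ = s.recvfrom(512)
    return classify(data, qid)

# Constructed sample traffic (not captured from any real resolver): the same query
# answered honestly and by a hijacking resolver.  192.0.2.10 (RFC 5737) stands in
# for the landing-page address.
DEMO_ID = 0x1234
DEMO_QUERY = build_query("nxdomain-test.example", DEMO_ID)
HONEST_REPLY = build_response(DEMO_QUERY, RCODE_NXDOMAIN)
HIJACKED_REPLY = build_response(DEMO_QUERY, 0, ["192.0.2.10"])
```

Run `probe_resolver("<resolver ip>")` against each resolver in your resolv.conf; a verdict of `hijacked` with the same address for every random label under several TLDs is the signature of a landing page, and the address it returns is the one to watch for in mail and monitoring logs. The ID check matters because a probe like this is itself a classic target for spoofed replies.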

  • WTF? (Score:3, Insightful)

    by sakdoctor ( 1087155 ) on Wednesday August 05, 2009 @04:12PM (#28962361) Homepage

    There shouldn't be any hijack page, simple as that.
    And yes, you can register an account for OpenDNS. But why would anybody here be advocating standards-breaking, overcomplicated, web-based nonsense?

    There is nothing wrong with Treewalk, which is why I didn't mention it.

  • Cox opt out (Score:2, Insightful)

    by cprocjr ( 1237004 ) on Wednesday August 05, 2009 @04:16PM (#28962403) Journal
    My ISP Cox did this and to opt out of it all you had to do was change your DNS server to another one that they provided. In my opinion this is much better than cookies and router MAC addresses because you can do it on a computer by computer basis.
  • by Sir_Lewk ( 967686 ) <sirlewkNO@SPAMgmail.com> on Wednesday August 05, 2009 @04:28PM (#28962569)

    DNS hijacking isn't evil because the companies that do it are evil. It's evil because it breaks standards, and therefore breaks all sorts of other crap.

    It doesn't matter what company does it, it's still fucked up. To suggest that OpenDNS breaking standards is any better than Comcast breaking standards is just plain stupid and clearly missing the point entirely.

  • by scrib ( 1277042 ) on Wednesday August 05, 2009 @04:38PM (#28962743)

    This may be "how it's done" but relying on something Not Being There is just a terrible idea.

    Instead of having two different things to look up (mail.company.inside and mail.company.com) just use the one visible from the outside - mail.company.com. Surely the routers inside the company can catch that request and recognize it as coming from within the company. Relying on failure is bad, bad idea - even if Microsoft does it.

    Also, you don't have to use Comcast DNS even if you are using Comcast. If it's a company laptop, configure it. If it's not a company laptop, it shouldn't have unfettered access to your internal network anyway. A non-company laptop should always use the "external" connection.

    And whatever happened to 404 pages? ISPs (webhosts) started hijacking them long ago and the world didn't stop. Face it, with connections at airports, coffee shops, hotels and everywhere else adding their own bits to internet connections, you're lucky to get a clean response from a domain that DOES exist. Here's an idea: when one makes a request on the internet you MIGHT get a response that looks like it is from your site, but it isn't. Handle it.

  • by TheRaven64 ( 641858 ) on Wednesday August 05, 2009 @06:44PM (#28964711) Journal
    Actually, that's (relatively) easy to fix. Just route your traffic to your DNS IP differently depending on whether it comes from the internal or external network.
  • by zippthorne ( 748122 ) on Wednesday August 05, 2009 @07:38PM (#28965389) Journal

    That sounds weird every time I see it. It puts a lot of the company's security interests (their internal servers) in the hands of a third party (whomever is the "default DNS" for the client). It should check the VPN's DNS first, which perhaps could be an abbreviated "local only" DNS, and only when that fails should it fall over to the "default DNS."

    Or better yet, important servers should be in the hosts file on the client's machine, so that there never is an issue of whether a third party DNS would get checked.

    Or something less brain-dead than hoping that a third party won't mess with your clients' lookups for fun and profit. Relying on a failure and fail-over seems like poor design to me.
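The lookup policy argued for above (pinned entries first, then the VPN's resolver for internal names, and no fall-over to the client's default DNS) is small enough to state as code. The following is an added example written for this page, not code from the commenter or from any VPN product: it contrasts the strict policy with the fall-over design the comment criticises, using constructed stand-ins for an unreachable VPN resolver and an ISP resolver that answers every unknown name with a landing-page address. The zone `company.inside`, the pinned gateway entry and the addresses (RFC 5737 documentation ranges plus 10.0.0.x) are assumptions for the demonstration.

```python
"""Client-side split-horizon lookup policy: internal names are answered from a
local pin table or the VPN resolver only, the ISP's default resolver never sees
them, and a failure from the internal resolver is reported as a failure instead
of being retried against the third party.  The fall-over variant is kept for
contrast."""

# Assumed internal zone and hosts-file style pins; not from the page.
INTERNAL_SUFFIXES = ("company.inside.",)
PINNED = {"vpn-gateway.company.inside.": "10.0.0.1"}

class ResolveError(Exception):
    """Raised by a resolver that cannot answer (unreachable, or NXDOMAIN)."""

def canonical(name):
    return name.strip().lower().rstrip(".") + "."

def is_internal(name):
    n = canonical(name)
    return any(n == s or n.endswith("." + s) for s in INTERNAL_SUFFIXES)

def resolve(name, internal_lookup, external_lookup):
    """Strict policy: pins, then the internal resolver for internal names,
    the default resolver only for everything else.
    Returns ("answer", ip) or ("fail", reason)."""
    n = canonical(name)
    if n in PINNED:
        return ("answer", PINNED[n])
    lookup = internal_lookup if is_internal(n) else external_lookup
    try:
        return ("answer", lookup(n))
    except ResolveError as exc:
        return ("fail", str(exc))          # no fall-over to the other resolver

def resolve_with_fallover(name, internal_lookup, external_lookup):
    """The design the comment warns against: try the VPN resolver, and on any
    failure hand the same name to whatever the client's default DNS is."""
    n = canonical(name)
    if n in PINNED:
        return ("answer", PINNED[n])
    for lookup in (internal_lookup, external_lookup):
        try:
            return ("answer", lookup(n))
        except ResolveError:
            continue
    return ("fail", "no resolver answered")

# Constructed stand-ins for the two resolvers (no network involved).
INTERNAL_ZONE = {"mail.company.inside.": "10.0.0.5"}

def vpn_resolver_up(name):
    if name in INTERNAL_ZONE:
        return INTERNAL_ZONE[name]
    raise ResolveError("NXDOMAIN from internal resolver")

def vpn_resolver_down(name):
    raise ResolveError("internal resolver unreachable")

def isp_hijacking_resolver(name):
    """Answers every unknown name with the landing-page address (198.51.100.1,
    an RFC 5737 documentation address) instead of NXDOMAIN."""
    public = {"www.example.com.": "192.0.2.80"}
    return public.get(name, "198.51.100.1")
```

With the VPN resolver down, the fall-over design hands `mail.company.inside` to the ISP and gets the ad page's address back as if it were the mail server; the strict policy returns a failure the client can act on, and the pinned gateway still resolves. A typo inside the internal zone gets the same treatment: NXDOMAIN from the internal resolver is final, not a cue to ask someone else.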

  • by Anonymous Coward on Wednesday August 05, 2009 @10:16PM (#28966753)

    this is exactly the same reason why using OpenDNS breaks every PepsiCo employee's laptop!
