Reports of IE Hijacking NXDOMAINs, Routing To Bing 230
Jaeden Stormes writes "We just started getting word of a new browser hijack from our sales force. 'Some site called Bing?' they said. Sure enough, since the patches last night, their IE6 and IE7 installations are now routing all NXDOMAINs to Bing. Try it out — put in something like www.DoNotHijackMe.com." We've had mixed results here confirming this: one report that up-to-date IE8 behaves as described. Others tried installing all offered updates to systems running IE6 and IE7 and got no hijacking.
Update: 08/11 23:24 GMT by KD : Readers are reporting that it's not Bing that comes up for a nonexistent domain, it's the user's default search engine (noting that at least one Microsoft update in the past changed the default to Bing). There may be nothing new here.
Update: 08/11 23:24 GMT by KD : Readers are reporting that it's not Bing that comes up for a nonexistent domain, it's the user's default search engine (noting that at least one Microsoft update in the past changed the default to Bing). There may be nothing new here.
Verizon does it for me... (Score:5, Informative)
So it looks like its not Microsoft's fault in -my case-.
Is that considered Hijacking? (Score:3, Informative)
I'm pretty sure that if you had the Google Search Provider add on for IE, and made it your default search provider, it would do the same? Hasn't that always been the case for Non-existant domains?
I mean, its IE, and its microsoft - all they're basically doing is providing the "Microsoft Add On" in their versions of IE.
It is just trying to be helpful. (Score:5, Informative)
It isn't actually Bing that it goes to, it is whatever your default search provider is. Now that is Bing by default, but you can change it to anything you want. IE8 asks you during setup, and you can change it later. So if you change it to Google and enter a non-existent domain, it'll send you to Google with a search for that.
Similar to how Firefox works, just in more cases. In FF, if you enter a name with no domain, it tries some popular ones like .com. If it can't find any, it then does a search in your default provider. IE is doing a similar thing, but doing the search even if you do enter a domain.
Confirmed (Score:2, Informative)
IE 6 and 8 (don't use 7 anywhere). Both redirected to BING ....
The funniest thing we have ... our filter (k-12 schools) blocks BING LOL. ... here is the report ...
Category: Image Servers & Image Search Engines
Blocked URL: http://www.bing.com/search?FORM=DNSAS&q=www.DoNotHijackMe.com&adlt=strict [bing.com]
Re:Who cares!?! (Score:5, Informative)
This is a tempest in a teacup. (Score:2, Informative)
IE is - as stated above - being helpfull, as a program should be. It is not a "hijacking" since the program requesting the DNS-lookup is IE. This is nothing like having NXDOMAIN, transparently, changed into something it isn't on the network-level.
In one case the program gets to decide what to do and in the other someone else is telling your program that the expected result is something else.
Comment removed (Score:4, Informative)
No mystery here (Score:3, Informative)
I just tried it = www.DoNotHijackMe.com in IE8 and Google loaded.
It's caused by a setting Tools -> Internet Options -> Advanced -> Search Options and "Just Display the results in the main window" is selected. If "Do not submit unknown addresses to your auto-search provider" is selected, if it can't find an address it submits it to your default search provider.
No mystery.
Re:Is that considered Hijacking? (Score:5, Informative)
I've done it in IE8. With Google as the search provider, it goes to Google. With Bing as the provider, it goes to Bing. With Yahoo as the provider, it goes to Yahoo... Hell, with eBay as the selected provider, it searches eBay. You get the picture.
Comment removed (Score:5, Informative)
Re:Verizon does it for me... (Score:2, Informative)
And... Comcast does it for me...
Comment removed (Score:5, Informative)
Standard IE functionality...? (Score:5, Informative)
Perhaps a recent update turned this feature ON for people who had it turned OFF? But the feature itself is most definitely not new or news.
Re:Is that considered Hijacking? (Score:4, Informative)
I -DO- know what I'm talking about, and I don't know how this made news because I've had IE do this for me for at least a year as Google as my default search provider, sending me to google if I mistyped a domain name or something. And when I didn't have google set, it was "Windows Live search".
Now its Bing.
I'm pretty sure you Don't know what YOU'RE talking about, because you use Firefox and haven't kept up with IE. Just like the article.
Re:Verizon does it for me... (Score:3, Informative)
I just noticed comcast doing it to me this morning as well... odd thing was it would redirect www.pleasedonthijackthis.com but not pleasedonthijackthis.com.
Call me crazy... but I do not use www's unless I have to!
Re:Who cares!?! (Score:3, Informative)
Actually, that domain has been registered already.
Luckily, my corporate firewall banned it (fatguyshirts) as "tasteless and offensive".
Time to change the summary, editors.
Re:Verizon does it for me... (Score:2, Informative)
Actually, Ballmer hired me to do this. He asked that I do it, instead of MS people, because he wants to maintain "plausible deniability". I got it all done, then Steve wants to pay me less than half of what he promised. Says, since it only took me two days to finish it up, I didn't earn my money. BASTARD THREW A CHAIR AT ME AND TOLD ME TO GET OUT!!!
I hate that man....
Re:Is that considered Hijacking? (Score:5, Informative)
Quoted from below:
Tools -> Internet Options -> Advanced -> Search from Address Bar -> Do not search from address bar.
There you go.
If anything else is happening, its a problem with malware on your computer or your DNS.
Microsoft is not shamelessly plugging Bing. It's a feature. A feature they've had for years and decided to make it standard. If you don't set it to anything besides the default, it'll use Bing.
Re:RFC1034, RFC1035 and RFC2065 (Score:5, Informative)
I think you've grabbed every DNS-related RFC you can find, hoping that I had not read them. I have, and so I will ask you to be more specific. Which part of RFC 2065 (DNSSEC) is violated? Are you suggesting that IE is a poorly-implemented DNS caching server which does not cache negative results (RFC 2038)? I'm particularly curious why you cited RFC 1536. Did the subject of the conversation turn to whether IE is appending your local domain to DNS queries for non-explicit FQDNs?
The only specific citation you've made from the DNS-related RFCs is about structuring the DNS header. I have yet to see anyone point to any claim that IE sends improperly formatted DNS headers. What they ARE doing is presenting your NXDOMAIN result accompanied by results for a search on the missing domain.
I still do not see a standard which requires a browser or other application's response to an NXDOMAIN to not accompany it with search results, and I do not believe one exists. If your script relies on IE presenting NXDOMAINs in a specific way, then you have a badly-written script, and you shouldn't have expected it to keep working.
Re:Standard IE functionality...? (Score:4, Informative)
Bingo.
The truth, it looks like, is that MS updated the search service in IE and may have changed the default settings. The old default was disabled with Live search being the first option selected. The new default is probably to have it enabled with Bing as the first option - Bing has definitely replaced Live in the list of search providers.
Calling it "Hijacking" a non-existing domain name is a bit over-the-top. Chances are nobody thought us geeks would be too slow to pick up on what actually happened rather than getting our collective panties in a bunch about a non-issue.
Does anybody really think MS is stupid enough to switch on mass-DNS hijacking? Did everybody get stupid all of a sudden?
Makes the statement from the first MIB movie seem all too true: A person is smart, but people are stupid (paraphrase).
Re:It is just trying to be helpful. (Score:3, Informative)
First, most search engines will helpfully correct typos in domain names for you. I'm sure that the averag euser finds this behavior a LOT more helpful than a page saying "Nope, can't find it."
Second, domains don't necessarily end with any of the TLDs you listed. In fact, the path you're routing to might not end with a TLD at all - servers on your intranet, or in your hosts file, often don't have TLDs. Treating a URL that differently purely on the basis of whether it ends with a .somedamnthing seems pretty pointless to me.
Re:Who cares!?! (Score:3, Informative)
For starters, "slashdot.gobcom" is not a properly formatted absolute URL, because it lacks the scheme (you know, that "http://" thingy). On the other hand, "slashdot" is a valid relative URL. You have to decide what you actually want here.
In any case, if you go with the sane option of only considering absolute URLs, then it's exactly how IE works (version 8, at least). If you type "nothingforyoutoseehere", it tries to prepend "http://" and resolve it as such, and if that fails, redirects to the default search engine. But if you type "http://nothingforyoutoseehere", then it tries to resolve it, fails, and displays the usual error page.
Re:Ridiculous (Score:2, Informative)
To me, this would be a legitimate practice PROVIDED that they first ask the user. Ideally, this feature would be off by default, the user would first enable the feature and would then get to choose the search engine that it uses. I'd have no problem with that.
They ask the user when the software is run for the first time you dumb son of a bitch,
Confusing the service with the client... (Score:5, Informative)
Domain hijacking is a huge deal for me.
Your description is confusing the browser trying to resolve your broken DNS request with an ISP hijacking your DNS request.
Primarily, when I'm on an internet connection that's hijacking the domain, if I type 'amazon', firefox first checks if I have an amazon in my searchdomain (ie: amazon.example.com)
No. When you're on an internet connection that's hijacking the domain, amazon resolves to a 'service' provided by your ISP even though it's not a registered domain.
, and if not, it tries adding a .com, then a www. and a .com...
What you mean is that if your ISP's DNS service works correctly and tells you that amazon.com doesn't exist, your web browser (Firefox in this case) has some heuristic for trying other DNS queries in an attempt to help you, and when those queries are exhausted it takes you to a search engine.
if the ISP is hijacking it, I get an answer to 'amazon' with the hijacked page. This means that I have to type the .com every time.
Which is what you should have written first.
So you have to type .com when you mean amazon.com. Yeah, that's like saying that I have to write Plymouth, MA next to 02364 on my address. The postal service is run by people, and usually, they can figure it out, but if the address is wrong, it's your fault, even if they helpfully fix it for you.
with a browser doing the same thing, I could be trying to connect to my primary server (wolverine) and if I mistype the webaddress, it redirects me to bing, changing my URL bar to the bing URL which means that when I've typed 'wolverine/some/really/long/path?with=variables' I have to go type that whole thing over again to correct it rather than just fixing it in the addressbar.
So turn off the feature which searches with the default search engine when your DNS query fails.
If you want to bypass DNS for your machines, put your own entries in your "/etc/hosts file" (%WINDIR%\System32\drivers\etc\hosts on Windows). Also, you can run your own DNS service locally.
so, hijacking the DNS is a BITCH and is totally annoying all the time.
Only if you aren't technically savvy enough to use a web browser. After you type amazon.com in once into IE or Firefox or Chrome these days, the autocompletion helpers from your recent history usually have enough context that shift+enter (in IE anyway, not sure about the others) takes you where you want to go.
The real problem with DNS servers hijacking broken requests is that they lie to network tools, not just web browsers. This can cause serious problems. DNS is used for more than just HTTP.
Re:Ridiculous (Score:5, Informative)
Then Firefox is doing something wrong.
I'm using build 7100, Opera, IE8 (version 8.0.7100.0 - no updates available on Windows Update), Chrome (2.0.172.39) and Firefox.
Going to http://3.se [3.se] (.se domains require a minimum of 3 characters, so this cannot ever resolve) in Opera gives me:
In IE8, Google as default provider gives me http://www.google.com/search?q=3.se&rls=com.microsoft:da&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1 [google.com] which makes sense, as it's searching for the unresolved domain through Google.
Chrome gives me
Firefox 3.5.2 gives me
Safari gives me
In other words, unless you messed up your Firefox install, nothing on Windows 7 makes Firefox (or any other browser) use Bing as a search engine unless you've asked it to. The only reason IE8 even uses Google as the search engine is because I asked it to when I set it up.
None of the browsers have this issue. They all try to resolve http://3.se/ [3.se] and http://www.3.se/ [3.se] but like I said, that domain cannot ever exist as a legitimate domain, so it fails. All the browsers are doing what they've been told to do.
The only thing I can think of, that you may have done to make your Firefox installation use Bing for the searches, is if you asked it to import settings from another browser (IE) which used Bing as its search provider. Are you sure the only thing you did was update Windows and not Firefox? Maybe an update would trigger the question again (I haven't a clue, I don't use it)? Or a fresh install or a misclick somewhere in its settings?
Re:Ridiculous (Score:2, Informative)
No they default to doing it. See browser.fixup.alternate.enable in Firefox which defaults to true. Set it to false and 3.se will just try 3.se and nothing else.
The search is also the default but can be turned off with keyword.enabled false.