Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

[ Create a new account ]

Canadian ISP Hijacking DNS Lookup Errors

Posted by Soulskill on Saturday July 19, @12:18PM
from the both-hands-in-the-cookie-jar dept.
The Internet Networking The Almighty Buck
Freshly Exhumed tips us to news that Canadian ISP Rogers Cable appears to be redirecting invalid DNS requests to their own search and advertising page. Roadrunner got caught doing the same thing earlier this year. According to the article, "The hijacking appears to be an attempt by Rogers to use its Deep Packet Inspection (DPI) technology to cash in on the mistakes of its users." Freshly Exhumed also reminds us, "As IOActive security researcher Dan Kaminsky has warned in the past, this presents a very serious security problem."

Related Stories

[+] RoadRunner Intercepting Domain Typos 337 comments
shaunco writes "Sometime around midnight on February 26th (at least for the SoCal users), TimeWarner's RoadRunner service started intercepting failed DNS requests, redirecting them to RoadRunner's own search and advertising platform. To see if this has been enabled in your area, try visiting {some random string}.com in your Web browser. This feature subverts user preferences set within browsers, which allow the user to select which search engine receives their typos and invalid domains. RoadRunner users can disable this function — or they can just use OpenDNS. Here is an example RoadRunner results page.
Firehose:Canadian ISP Hijacking DNS Lookup Errors by Freshly Exhumed (105597)
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Canadian ISP Hijacking DNS Lookup Errors 25 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.

  • Good Grief (Score:5, Interesting)

    by MightyMartian (840721) on Saturday July 19, @12:20PM (#24254179) Journal

    I know one problem it can cause is for a number of spam tests which look for the message coming from a legitimate domain. When the DNS server says "yup, that resolves" even when there's actually no domain, the test is defeated.

    • Re:Good Grief (Score:5, Informative)

      by PunkOfLinux (870955) <mewshi@mewshi.com> on Saturday July 19, @12:32PM (#24254257) Homepage

      What the hell? Verizon is doing this now, too. Whenever I type in 'slashdot' in firefox, it just takes me to their useless search page, which is getting REALLY old now. I'm getting pretty disgusted now, and they should get it through their thick heads that if they're gonna charge us money for 'net access, they have NO right to make more money off of us by selling ads instead of allowing our browsers to function as expected.

      • Re:Good Grief (Score:5, Informative)

        by Anonymous Coward on Saturday July 19, @12:45PM (#24254343)

        Verizon has been doing this for a while. I read the Terms of Service, Acceptable Use Policy, etc. every time they update it. It's clearly there, disguised as a 'feature' called DNS Assistance.

        However, Verizon does have non-poisoned DNS servers which you can find in their Help pages, along with instructions for changing your machine's settings. http://netservices.verizon.net/portal/link/help/item&objId=23883 [verizon.net]

      • You can "opt out" of the Verizon annoyance by modifying your DNS address by adding "2" to the last octet.

        I've had to do this, and it works. No annoying Verizon snatching my failed DNS lookups!

        Of course, if you try to get this out of their so-called "tech support", they will not know what you're asking for until you manage to get down to tier 2 or 3 or so. Amazing as it sounds, teir-one Verizon Fios tech support will glaze over at the mere mention of DNS, and will stupidly keep trying to get you to do inane things with your browser.

        • Re: (Score:3, Informative)

          by code65536 (302481)

          Unfortunately, this is possible only for their PPPoE users. Customers outside of their northeast service area don't use PPPoE, and it's not possible to change the DNS servers in these non-PPPoE cases with the routers supplied by Verizon. >:(

      • Re:Good Grief (Score:5, Informative)

        by Trailwalker (648636) on Saturday July 19, @05:06PM (#24256403)
        AdBlock gets rid of the Verizon "search" page.

        Clickity, clickity, never see again.

            • Re:Good Grief (Score:4, Informative)

              by Curtman (556920) on Saturday July 19, @05:10PM (#24256427)

              Maybe I don't understand the complaint. <snip> Only a few of us prefer the old 404 error and most want suggestions on where to link to.

              I think the most annoying aspect is how we get used to leaving off the 'www' at the beginning of domains with Firefox, and Firefox adds it in for you if the non-www address fails to resolve. With this DNS hijacking this feature is broken.

  • Well I'll be... (Score:5, Informative)

    by Shabbs (11692) on Saturday July 19, @12:23PM (#24254201)

    This must be brand new. I did a test just now and a bad URL sends you here:

    http://www20.search.rogers.com/search?

    With appropriate variables substituted for what you were typing of course, like this:

    Enter: http://www.rogersblowz.com and you get:

    http://www20.search.rogers.com/search?qo=www.rogersblowz.com&rn=mEelOh0JrKFZejZ

    Let the debate rage on!!!

    • Re:Well I'll be... (Score:5, Interesting)

      by Holmwood (899130) on Saturday July 19, @12:56PM (#24254427)

      Worse than this even. I've been redirected to Rogers Search pages, replete with advertising, for domains that I know exist, and that I know have been entered correctly (e.g. via a bookmark).

      It used to happen a lot with http://ragnartornquist.com/ [ragnartornquist.com] (Tornquist is a senior game designer for Funcom). Granted that's a tough name to spell properly for a North American, but since I'd click on a bookmarked link, or a google page, I was sure it wasn't a problem with my typing.

      What started to give it away as being something at Rogers (rather than my computer infected with malware) was that this was happening on every device I connected to the net -- Lynx on BSD, Safari on Apple, Opera on Maemo, Iceweasel on Ubuntu, and, of course, Firefox/IE/Opera on Windows.

      (Yeah, I have a lot of different OS's sitting around!)

      For a while I then became convinced my router had been compromised, but even switching routers didn't fix it.

      Concluding it was unlikely that five different OSes and myriad different browsers had all been compromised, as well as two different routers, I contacted Rogers.

      They said they were experimenting with "Software Improvements" and that the problem should go away for existing domains.

      Well, using a proxy fixed it for me. But not a pleasant solution.

      Software Improvements.

      And the problem did go away for me at least. But I wonder if anyone else is being redirected to Rogers garbage pages for domains which exist.

      Holmwood.

  • easy solution (Score:4, Informative)

    by FudRucker (866063) on Saturday July 19, @12:24PM (#24254211)
    http://www.opendns.com/ [opendns.com]

    basically it is remove your ISP's dns#s and add these

    208.67.222.222
    208.67.220.220

  • Ignore their servers (Score:5, Informative)

    by surmak (1238244) on Saturday July 19, @12:30PM (#24254245)

    If the ISP is messing with the DNS service, the best thing to do is to use a different service.

    For Linux/Unix users, you can just run a caching-only server on the desktop system, and it will issue its own name requests from the root on down. I've been doing a slightly more complex version of this at home for VPN purposes. (Forward requests to my employer's net to the private internal DNS server (through the VPN), while querying the public internet for all other servers.)

    I don't know it a similar option is available for Windows users w/o shelling out big bucks, but it is technically feasible

    If you cannot run a caching-only server, another option is to use a third-party DNS server. The only problem here is that it would not be automagically configured by DHCP, and would have to be manually set up.

  • What would be the danger... (Score:3, Interesting)

    by Anonymous Coward on Saturday July 19, @12:30PM (#24254247)
    This type of behavior is wrong on so many levels so I wonder what would be the danger of having ICANN police this type of behavior? It seems that ISPs are doing more and more to circumvent "standards" for their own gain. Would it be too much to ask ICANN to come up with a set of rules that ALL ISPs must adhere to or risk losing their netblock? I'm not even sure ICANN would do anything but I'm just posing the question.

  • Fantastic. (Score:4, Insightful)

    by fuzzyfuzzyfungus (1223518) on Saturday July 19, @12:50PM (#24254385)
    Let me guess... They either already have, or soon will in a pitiful pretense of response to criticism, offer some sort of insanely weak opt-out mechanism.

    I'm guessing one of two things:
    Manually configure alternate DNS servers on a per device basis(a la Verizon's current setup, may they be thrice cursed)
    or:
    Something involving cookies, a la Phorm and friends.

    For things like this, opt-out just isn't good enough.

  • PaxFire (Score:5, Insightful)

    by Effugas (2378) * on Saturday July 19, @01:03PM (#24254481) Homepage

    [This is Dan Kaminsky]

    I took a look at what Rogers is doing. They're using PaxFire, who indeed was directly vulnerable to the attacks I described at Toorcon a few months ago. PaxFire fixed their stuff up, but yes, the security of the web at Rogers is limited to the security of those ad servers at PaxFire.

  • Add Insight to the list (Score:4, Insightful)

    by sokoban (142301) on Saturday July 19, @01:14PM (#24254553) Homepage

    I guess the thought with the ISP's nowadays is that "everybody else is doing it, why can't we?"

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2008 SourceForge, Inc.