
New Jersey's Cablevision Hijacks DNS Error Pages

Selikoff writes "I just noticed Cablevision's Optimum Online service has begun hijacking DNS Error pages with, you guessed it, ad-supported results. Aside from hurting the underlying stability of the Internet, there have been instances where hackers have used such tools against customers. I know Road Runner customers have had to deal with this for a couple months now, although at least they have an outlet to turn it off."

Update: 09/30 13:18 GMT by T: Note, as several readers have pointed out, this hijacking is of DNS errors rather than 404 errors as originally presented.
This discussion has been archived. No new comments can be posted.

  • Give me a break... (Score:5, Informative)

    by geminidomino ( 614729 ) * on Tuesday September 30, 2008 @08:00AM (#25203493) Journal

    Even on slashdot, we have people who don't know a DNS error (and yes, TFA gets it right) from a 404 (which can't be hijacked without modifying the stream itself)

    • Thanks. I saw the summary headline and was pretty confused ;)

    • by elrous0 ( 869638 ) *
      I'm just glad the mob wasn't behind it (if such a thing as "the mob" did, in fact, exist).
    • Rogers in Canada is one who does that, then forges a search page for your convenience (;-))

      Worse, they do the same for many valid .ca and .org sites.

      --dave

  • I was actually scared that they were doing DPI for a minute, then I realized the OP just didn't know what they're talking about.
  • by thetorpedodog ( 750359 ) on Tuesday September 30, 2008 @08:04AM (#25203523) Homepage
    The Cablevision and Road Runner services both only hijack DNS no-such-domain errors, not HTTP 404s. Neither is a good thing, but hijacking DNS is much less insidious than the deep-packet inspection or mandatory proxying required to hijack 404 errors.
    • by Tassach ( 137772 )
      Verizon DSL also hijacks DNS errors.
    • Re: (Score:3, Informative)

      by basscomm ( 122302 )

      Insight Communications in Indiana and Kentucky have been doing this [dslreports.com] for a while now.

    • by mpe ( 36238 )
      The Cablevision and Road Runner services both only hijack DNS no-such-domain errors, not HTTP 404s. Neither is a good thing, but hijacking DNS is much less insidious than the deep-packet inspection or mandatory proxying required to hijack 404 errors.

      The problem is that there is no reason to assume that just because a machine is making a DNS query it intends opening a TCP connection to port 80 (or 443). The people doing this had better have made sure that the machine serving these ads can cope with being b
      • The problem is that there is no reason to assume that just because a machine is making a DNS query it intends opening a TCP connection to port 80 (or 443).

        Even if the hostname starts with www ?

        • by Zakabog ( 603757 )

          The problem is that there is no reason to assume that just because a machine is making a DNS query it intends opening a TCP connection to port 80 (or 443).

          Even if the hostname starts with www ?

          Yes, www doesn't mean anything. Someone might want their mail server to use www.somedomain.com where somedomain.com by itself goes somewhere entirely different.

    • IIRC Verizon Online also did this for a while. i was really upset when instead of a DNS error my browser automatically went to Verizon's (ad supported) search portal. i think i either changed the DNS setting on my router or it just went away. but in any case, i haven't seen it happen in a long time.

      it's absolute BS that ISPs think they can just hijack the users' DNS error page. they already make money from subscription fees, but now they're hijacking subscribers' DNS errors to get ad views/clicks? not only

  • No, they didn't (Score:5, Informative)

    by schon ( 31600 ) on Tuesday September 30, 2008 @08:04AM (#25203527)

    New Jersey's Cablevision Hijacks 404 Error Pages

    No, they didn't.

    If the submitter had read the summary, they would know that it's DNS errors that are being hijacked, not 404s.

    It's an important difference - 404 means that they are transparently proxying your connections, which can cause problems with various sites (and that they are recording every URL you visit.)

    For example: http://slashdot.org/akasjdflkasdjfl;kajsdl;aksdjfkdjkfdjlkjsdf [slashdot.org] would not be affected by this, whereas http://sslashhdot.org/ [sslashhdot.org] would.

    Is it *too* much to ask that a technical news site present technical articles correctly?

    • Re:No, they didn't (Score:5, Insightful)

      by zerocool^ ( 112121 ) on Tuesday September 30, 2008 @08:11AM (#25203597) Homepage Journal

      Right, and while it might seem repulsive to some to have them proxy your web connections, I honestly find it more repulsive to hijack failed DNS queries, because this affects spam. Maybe it's just because I work for a professional email hosting company, but come on now. Failed dns lookup = drop mail as spam. Maybe not as critical because it's an ISP with mostly end users, but what if they're doing this to their small business customers, too?

      ~Wx

      • When Time Warner did the same thing on my connection, they actually returned the RCODE as NXDOMAIN (implying a failure) along with the A records for the advert page. Resolvers which properly/strictly adhere to the RFC would treat the lookup as a failure, which means that for spam purposes this probably wouldn't have caused an issue. My guess is that web browsers aren't quite as concerned with a strict interpretation of the standards, since they want the users to get to the web site they're looking for under

    • by foobsr ( 693224 )
      Is it *too* much to ask that a technical news site present technical articles correctly?

      Then there would be much less news.

      Quote [theinquirer.net]: "ICANN up in arms at Verisign DNS hijacking" (as happened 2003)

      CC.
    • by samkass ( 174571 )

      FiOS has really nice service in most of New Jersey...

    • Re:No, they didn't (Score:5, Insightful)

      by Tim C ( 15259 ) on Tuesday September 30, 2008 @08:24AM (#25203725)

      It's an important difference - 404 means that they are transparently proxying your connections

      And inspecting the packet contents looking for HTTP 404 error code returns, and either modifying the returned HTML to insert their own ads or else (and much, much simpler and more practicable) discarding the rest of the data stream and substituting their own.

      Hijacking DNS errors is wrong; hijacking HTTP 404 returns would be Evil.

    • they would know that it's DNS errors that are being hijacked, not 404s.

      Don't use their terminology. They're not DNS errors, they're a class of DNS responses.

      Calling them errors helps Cablevision support their practices.

  • It's not a 404 page that's getting hijacked. It's DNS resolution failures.

    It's a pretty big difference.

  • What exactly does "Hijacks 404 Error Pages" mean? Does it mean error pages were hijacked 404 times? It certainly does not mean what the headline implied (to me). Even a cursory glance at TFA makes that clear.
    • Re: (Score:3, Informative)

      404 == HTTP error code for "page not found". And the summary's wrong, they're actually hijacking 502 (bad gateway/no such domain) pages, which is a major difference. Hijacking 502s only requires their DNS servers to redirect nonexistent domains to the ad page, while hijacking 404s would require them to sniff every page you visit.

  • Bad Summary (Score:2, Informative)

    by pdragon04 ( 801577 )
    How about the editors actually read the article and correct glaring mistakes for a change? Even before this made it out of the Firehose, there were responses that it was DNS failures and not 404 messages.
  • by MRe_nl ( 306212 ) on Tuesday September 30, 2008 @08:06AM (#25203537)

    The blue screen of russian women 4 U? BSORW4U!
    or
    Buy Vi4GR@ now! By the way: Syntax error.

  • by hakr89 ( 719001 ) <8329650d-c1bd-41 ... 928@f a k u . me> on Tuesday September 30, 2008 @08:06AM (#25203543)

    Don't use your ISP's DNS servers.
    Find another public server or run your own.

    • Re: (Score:2, Informative)

      by Rude Turnip ( 49495 )

      That's a good thought and a viable one. I do the same thing myself. The problem is that my dollars are still going to support the ISP's DNS servers, which still warrants complaint.

    • Doesn't work for everyone... Here on windstream.net they seem to randomly block queries to other nameservers unless you use theirs - unless of course freedns, earthlink and rackspace all went down at the same time when the windstream local DNS would still work - anything is possible I guess.

      They do have the 'opt-out' option although all it does is give a fake IE DNS error page instead - I'm using FireFox so it's obvious...

      The page cannot be displayed
      The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

      Please try the following:

      * Click the refresh.gif (82 bytes) Refresh button, or try again later.
      * If you typed the page address in the Address bar, make sure that it is spelled correctly.
      * To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
      * See if your Internet connection settings are being detected. You can set Microsoft Windows to examine your network and automatically discover network connection settings (if your network administrator has enabled this setting).
      1. Click the Tools menu, and then click Internet Options.
      2. On the Connections tab, click LAN Settings.
      3. Select Automatically detect settings, and then click OK.
      * Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
      * If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
      * Click the Back button to try another link.

      Cannot find server or DNS Error
      Internet Explorer
      [ Manage Opt-In/Out settings ]

      To make matters worse, I'm still getting redirected to search.grandecom.com for other

    • But that would make the summary completely wrong, meaning they're not hijacking DNS error pages, they're just hosting ads instead of error pages. IMO this is acceptable if you're an end user. OFC if you're doing anything that requires a standards-compliant web connection then change your ISP (or just your DNS).

  • Correct me if i'm wrong but the domain does not exist error page isn't a 404 error right? I thought 404 was the error for when a web server couldn't find the page you requested for it, not for the dns error.

    when i first read TFS I thought, wth? what if i have a custom 404 page on my website?

    I actually had to RTFA to figure out if they were honest to god hijacking web servers 404 pages.

    thankfully it seems they are not.

  • Possible solution? (Score:5, Interesting)

    by Gordonjcp ( 186804 ) on Tuesday September 30, 2008 @08:07AM (#25203559) Homepage

    They're returning adverts for failed DNS lookups, not 404 pages, as others have helpfully pointed out.

    How about a script that hammers suitably random fake domain names continuously (different ones every time)? If the scammers^W advertisers are paying per impression this will majorly hurt their pockets.

    • by hal9000(jr) ( 316943 ) on Tuesday September 30, 2008 @08:16AM (#25203637)
      How about a script that hammers suitably random fake domain names continuously (different ones every time)? If the scammers^W advertisers are paying per impression this will majorly hurt their pockets.

      Wouldn't that actually help? The impression revenue is probably tied to ads that are *presented*. If you simply did a bunch of look-ups on fake names, all you would get are A records to the ad page. You would then have hit the web server, download the page and any elements. Then the advertisers would be paying per impression.
    • by Piranhaa ( 672441 ) on Tuesday September 30, 2008 @08:30AM (#25203781)

      As much as I hate dns being hijacked (I don't have the issue as I run my own), I'm sure these ISPs view it in a different light. Their argument will be that it's a 'feature' rather than being intrusive on people's browsing: "Helping our customers get to the proper website" or that it helps keep the price of the internet service low so you don't have to pay as much per month. Also, if you start hammering this, I'm sure a flag will rise (if they're at least half smart) and they'll send a nice email out to you stating that you're abusing your service, yada yada..

      Not that any of this is a good thing, but you gotta see it from another perspective...

      • Re: (Score:3, Interesting)

        by halcyon1234 ( 834388 )

        That's the great thing about DNS servers-- just like a customer of the ISP doesn't need to use the ISP-provided servers, you don't need to be a customer of the ISP to use the ISP-provided servers.

        The OP can still use their plan to hammer the servers without violating their terms of service. Just get a bunch of non-customers to switch their DNS to EvilCorp. Write a script to throw out DNS-error requests. Scoop up all the ad-crap that sluices down the tubes, and poison the results. Once you have all the data you

  • by profet ( 263203 ) on Tuesday September 30, 2008 @08:08AM (#25203573)
    • Anyone know if this opt-out is cookie-based? If so, it's useless for non-browser DNS lookups. And annoying for multiple-browser situations. (Sometimes I feel like running FF, sometimes I feel like Opera. Sometimes, I get a wild hare and feel like running Konqueror. If opt-out is a cookie, I'd have to opt out three times. And when I flush cookies, I'll have to opt out again. And it still won't help for DNS-based non-web session authentication, such as SMTP inbound verification of HELO addresses.)
      • I'm a little fuzzy on how opt-out can be cookie based.

        When your web browser does the DNS lookup for "nosuch.domain.com", it asks the OS, and the OS does the lookup. If the DNS server you are using returns a "hijacked" result, how can a browser cookie (that isn't sent until the HTTP request is sent) make a difference?

        I can see that the resulting hijack server could use the cookie to know you don't want to see the ad-covered web page, but how does it get back into a "host not found" error that isn't complete

        • You still send the request to the search server, the cookie just instructs it to send you to a page that looks like IE's "The page could not be displayed" error. It's not really opting out, it's just not showing you their ads. Anything that doesn't go through the browser is still broken.

  • We started seeing this with Charter in the midwest. Not the 404 errors, but with invalid domain names. The biggest problem for us has been with our VPN software. When our employees are working from home, Charter always returns a valid IP for our internal DNS zones so the DNS lookups are never forwarded over the VPN.

    I hope their additional advertising revenue makes up for the lost customers.

    • by carambola5 ( 456983 ) on Tuesday September 30, 2008 @09:30AM (#25204351) Homepage

      A laughable example of how poorly implemented the Charter DNS error is:

      http://flickr.com/photos/listrophy/2194252038/ [flickr.com]

      Things to note:

      • This is an image of the opt-out result.
      • The browser running is Flock on OS X.
      • The result is a fake IE DNS error page with a "Manage Opt-in/Out Settings" link appended.
      • Charter was too lazy to even fix the image src attributes. (they point to res://...)
      • It's not a true opt-out, because it still returns a 200 OK rather than a DNS Lookup error.

      For this and many other things, I have since stopped using Charter. My soul feels so much cleaner now that I'm not giving them money.

      • by Aardpig ( 622459 )
        I had problems with Charter, too; not only were they returning bogus responses for non-existent domain requests, their DNS servers are slow as fuck. So I set up my own caching server, which works fine.
      • Presumably on a PC with Internet Explorer, it looks just like the regular page does, which makes me wonder why they'd even bother to do it in the first place. I don't see any ads nor any information that's any more helpful than the default error page for IE.

        Did they only do that specifically so that it would screw up DNS lookups? For laughs? Were they bored one day?

  • OpenDNS does this (Score:3, Interesting)

    by fprintf ( 82740 ) on Tuesday September 30, 2008 @08:19AM (#25203659) Journal

    I just redirected my DNS queries to OpenDNS, mostly because of the content/phishing filtering they offer but also some of the statistics on my connection. They make their money, or propose to, by doing this very thing... redirecting Domain Not Found error messages to ad supported pages.

    • Re: (Score:3, Interesting)

      They make their money, or propose to, by doing this very thing... redirecting Domain Not Found error messages to ad supported pages.

      If that's the case then, regardless of how ethical or up-front they may be about it, then they are unsuitable for certain uses. Ran into this when earthlink started doing this crap and I was running a dnsbl for my own mail server, with forwarding set to one of ELN's DNS servers. Suddenly nothing came through. It was because everything was coming back as a hit.

    • A crucial difference is that OpenDNS is opt-in, whereas when an ISP does it, it becomes an opt-out situation (or, more likely, a "deal with it" situation).

      OpenDNS provides a service (robust lookup, filtering, etc.), with a well-established downside (ads on DNS lookup errors). If you like the deal, you can use OpenDNS. If you don't like the deal (e.g. you rely on proper DNS failures), then you don't use it.

      The real problem occurs when all the default DNS servers do ad-redirecting. Then it will become impossi

    • Comment removed based on user account deletion
  • The DNS error hijacking, that is. I was going to consider switching to Charter, but I see someone has posted that they've started doing this as well.

    Are there any free DNS services out there that happily return valid results instead of redirecting you?

  • I love /. (Score:5, Funny)

    by elrous0 ( 869638 ) * on Tuesday September 30, 2008 @08:31AM (#25203805)
    I love it when an editor or story writer makes a technical error on /. You can actually hear the simultaneous erections of a thousand anal-retentive techies, each typing as fast as they can without even bothering to check if their fellow anal-retentives hadn't already pointed the same thing out in dozens of posts. It's the best sexual gratification most of them are going to get all day.
    • Second best. First would have to go to the 'Frist P0st' that actually manages to be first!

    • Re: (Score:3, Funny)

      by deander2 ( 26173 ) *

      and i love the smell of condescension and self-righteousness in the morning...

    • You can actually hear the simultaneous erections

      If erections actually made a sound, I guess this world would be completely different!

    • It's the best sexual gratification most of them are going to get all year.

      Sigh... at least three months before my next one.

  • by InspectorxGadget ( 1230170 ) on Tuesday September 30, 2008 @08:32AM (#25203813)
    Hey, let's not be too quick to judge here. Sometimes I do look for sex entertainment phentermine college click here now rolex and I'm glad at least one ISP understands that.
  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Tuesday September 30, 2008 @08:36AM (#25203855)
    Comment removed based on user account deletion
    • Re: (Score:3, Insightful)

      by IBBoard ( 1128019 )

      Yes, incredibly easy to solve your ISP hijacking failed DNS lookups by switching to a service that (by default) supports itself by hijacking failed DNS lookups ;)

      OpenDNS have (or at least used to have) a way of tagging your account as "don't show me the adverts and give me a proper response" but it is associated with an IP address.

      Every time we turn our router off for the night we get a new IP because the lease expires. As I run a Linux box I can't use their Mac or Windows "update your IP from the client" a

    • >However this does not solve it for less technical people as they would have no idea what is going on

      That's ironic because opendns does exactly what you are decrying, yet geeks recommend it all the time. Nor does "open" dns publish open source code of their dns server or anything else.

      In other words: Marketing works. I'm naming my next project OpenSpyware. Please recommend it to your friends like you do opendns.

  • How can this hurt the underlying stability of the internet??

    Aside from hurting the underlying stability of the Internet, there have been instances where hackers have used such tools against customers.

    Yet the page linked in the above statement just details how a security researcher came up with a proof of concept that was specific to a different company's implementation of the same idea.

    • by guruevi ( 827432 ) on Tuesday September 30, 2008 @08:57AM (#25204071)

      Quite simple: run a mailserver, then use these type of DNS servers. In a few days, you'll have so much mail that doesn't get accepted by xxx.xxx.xxx.xxx (your provider's DNS) that it might fill your storage. Then 7 days later (instead of a few hours later) the e-mail gets sent back with the message that the other server doesn't accept the mail (instead of saying that the domain doesn't exist) after being retried hundreds of times eating up valuable bandwidth and processing time. Then if your end-user isn't smart enough, he'll retry sending it, not noticing he has a typo in his address book, because after all, the other e-mail server DOES exist.

      • Re: (Score:3, Informative)

        by nabsltd ( 1313397 )

        And, the reverse that others have mentioned.

        If you use a DNS blocking list (DNSBL) for e-mail, you will stop receiving any e-mail, because every lookup will always return a "found", and DNSBLs work by returning NXDOMAIN if the site isn't listed, and returning an IP address if it is.
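An added example, not part of the original thread: the DNSBL failure described in the comments above, with a naive lookup beside a hardened one. The `resolve` callable (returns a list of A-record strings, empty on NXDOMAIN), the zone `dnsbl.example`, the ad-server address `192.0.2.10` and both test resolvers are constructed assumptions; the 127.0.0.0/8 answer range and the 127.0.0.1/127.0.0.2 test entries come from RFC 5782.

```python
import ipaddress

DNSBL_RANGE = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip, zone):
    """203.0.113.7 in zone dnsbl.example -> 7.113.0.203.dnsbl.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed_naive(ip, zone, resolve):
    """Any A record counts as a hit; breaks once NXDOMAIN is rewritten."""
    return bool(resolve(query_name(ip, zone)))


def listed_strict(ip, zone, resolve):
    """Only answers inside 127.0.0.0/8 count as a listing."""
    answers = resolve(query_name(ip, zone))
    return any(ipaddress.ip_address(a) in DNSBL_RANGE for a in answers)


def resolver_sane(zone, resolve):
    """Start-up self-test using the RFC 5782 test entries.

    127.0.0.2 must be listed and 127.0.0.1 must not be. A resolver that
    returns any answer for 127.0.0.1 is rewriting NXDOMAIN responses.
    """
    must_miss = resolve(query_name("127.0.0.1", zone))
    return not must_miss and listed_strict("127.0.0.2", zone, resolve)


# --- constructed test doubles (hypothetical zone and addresses) ---
ZONE = "dnsbl.example"
LISTED = {query_name("203.0.113.7", ZONE), query_name("127.0.0.2", ZONE)}


def honest_resolver(name):
    """Returns the listing code for listed names, nothing otherwise."""
    return ["127.0.0.2"] if name in LISTED else []


def hijacking_resolver(name):
    """Same data, but every NXDOMAIN becomes the ad server's address."""
    return honest_resolver(name) or ["192.0.2.10"]


if __name__ == "__main__":
    clean_sender = "198.51.100.20"  # constructed, not on the list
    print("naive :", listed_naive(clean_sender, ZONE, hijacking_resolver))
    print("strict:", listed_strict(clean_sender, ZONE, hijacking_resolver))
    print("sane  :", resolver_sane(ZONE, hijacking_resolver))
```

In a mail filter, `resolve` would wrap the real resolver call, and a failed `resolver_sane` check is the signal to stop forwarding to that resolver rather than to keep scoring mail.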

  • dnsmasq [thekelleys.org.uk] has an option to reverse the effect of this sort of thing.

    It runs nicely on OpenWRT [wikipedia.org].

    Or you could use maradns instead, and avoid all present and future problems with your ISP's caching DNS servers..

  • So? And?

    My employer's ISP (that is - the one that provides service to our office, as opposed to that which has our telehoused machines), a company called Tiscali do this.

    This is fairly ironic. We're a domain registry, and we make most of our income on non-existent DNS names, via simple parking pages. You do understand parking don't you?

    Dot TK - Renaming the Internet

  • Rogers Cable (Score:3, Informative)

    by Naito ( 667851 ) on Tuesday September 30, 2008 @09:08AM (#25204157)
    Rogers Cable high-speed internet has been doing that for the past couple months now too. URL typos get redirected to their own search.rogers.yahoo.com or something like that, disabling toolbar search functions in browsers.

    The kicker is that I also think they're actively blocking access to other search engines periodically in order to increase usage of their own. www.Google.com will sometimes time-out while trying to load, but works fine when accessed through Dogpile meta-search.

    Since I've moved off of Rogers already, I can't do more experiments to test, but if anyone else is on it, I suggest you keep an eye out.
    • by davecb ( 6526 ) *

      They're also blocking access to large numbers of .org and .ca sites, including the .ca site of my local member of parliament.

      What was particularly annoying is that they set the tab title to the title from her home page ("Martha: It's Time") and then reported that the page was inaccessible.

      That was the tipoff: the sites can be looked up in their own DNS, so one can do that and connect to them by IP address

      That in turn makes it look like they're doing it based on a buggy rule system.

      --dave

  • Easy solution, use OpenDNS.
    Oh wait, they also do that.

    • by SkyDude ( 919251 )

      Easy solution, use OpenDNS. Oh wait, they also do that.

      Yes they do, but it's the user's choice to see the ads and in exchange, get a damn reliable DNS.

      I thought by now the concept of internet==$0.00 was over but I guess not.

      • by MadJo ( 674225 )

        You misunderstand me...
        I use OpenDNS as well. I merely commented on it, that there are more products out there that use that same technique. I don't see what the problem is in this case.

        • by SkyDude ( 919251 )
          And I was commenting on the gist of the article as if intercepting pages is a problem. It's not, in my mind.

          My point is that there's only so many dollars out there, and a lot of entities trying to capture them.

          Of course, the best part of OpenDNS is allowing users to upload their own image to display when encountering a blocked site or an error. I put my mother-in-law's image there and it's a doozy.

  • Hi,

    i think this is the third story on an ISP catching DNS errors :-(. Even the follow-ups seem to be similar.

    Personally, my only surprise was when i learned how much money an ISP can make by selling Ads on error landing pages.

    Regards, Martin

  • I know that my DSL provider, Cavalier Telephone [cavtel.com] has been doing this for years. I called their technical support, and of course they had no idea what I was talking about. After emailing one of their tech guys, they suggested I set my computer to use someone else's DNS. IMHO, this is a network neutrality violation and the FCC should be investigating this. I said that much in my thank-you letter for their ruling against Comcast.

    It would not surprise me to find out that this is becoming the norm, rather tha

  • I had this happen once. I use my own DNS server, but I had just moved and was trying to get my new connection up and running. I had typo'd a few things and it kept taking me to these types of ad pages. It certainly put me in a bit of a panic thinking I had somehow picked up a browser hijack (very disturbing since the initial box I noticed it on was a Linux box). After some tinkering I realized that all of the typos were resolving to the same IP and only when my ISP's DNS servers were involved.

    I am actual
  • The first couple of levels of support people in these ISPs do not know what networking is and/or are forced to read from scripts. It can take hours to get to the level of support where they not only know what you are talking about but can also throw the switch to turn off the DNS hijacking.

    So having a switch is still not easy when you can't just go to your settings page and turn it off yourself.

    LoB

  • Earthlink also uses a DNS error spam page rather than a real DNS not found error. Very, very lame.

    They do have a (little known) method for bypassing this, details here:

    http://kb.earthlink.net/case.asp?article=187117 [earthlink.net]

    Basically they give you the IP of a non-fucked DNS server, which you can then program into your router, computer etc.

  • I have road runner service and would really like to turn those damn pages off. Any tips on how to do so would be much appreciated.
  • Verizon (now FairPoint Communications in these parts) does it too. http://wwwwz.websearch.verizon.net/search?qo=blahblahblah&rn=S6ORMW8T2m7rGJi&rg= [verizon.net] That's where you end up if you try to go to an invalid domain name. (Replace 'blahblahblah' with whatever)
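An added example, not part of the original thread: a check for the two resolver behaviours commenters describe, a nonexistent name answered with A records under RCODE NOERROR, and the Time Warner case of RCODE NXDOMAIN with A records attached, plus the "every typo resolves to the same IP" tell. The probe names, the address `192.0.2.10` and the response bytes are constructed sample input; all function names are this example's own.

```python
import ipaddress
import struct
from collections import Counter

NOERROR, NXDOMAIN, TYPE_A = 0, 3, 1


def build_response(name, rcode, addrs=()):
    """Build a constructed DNS response (sample input, not captured traffic)."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, plus RCODE
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    for label in name.rstrip(".").split("."):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", TYPE_A, 1)
    for addr in addrs:
        # 0xC00C is a compression pointer back to the question name.
        msg += struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, 60, 4)
        msg += ipaddress.IPv4Address(addr).packed
    return msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def parse_response(msg):
    """Return (rcode, [IPv4 addresses in the answer section])."""
    try:
        _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
        addrs = []
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == TYPE_A and rdlen == 4:
                addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
            off += rdlen
    except (IndexError, struct.error, ValueError) as exc:
        raise ValueError("malformed DNS response") from exc
    return flags & 0x000F, addrs


def classify_probe(msg):
    """Classify the response to a query for a name known not to exist."""
    rcode, addrs = parse_response(msg)
    if rcode == NXDOMAIN:
        # RCODE says "no such name" yet answers are attached: the
        # behaviour one commenter reported from Time Warner.
        return "nxdomain-with-answers" if addrs else "clean-nxdomain"
    if rcode == NOERROR and addrs:
        return "rewritten"
    return "other"


def assess(probes):
    """probes maps nonexistent names to raw responses from one resolver."""
    kinds = {name: classify_probe(raw) for name, raw in probes.items()}
    seen = Counter()
    for raw in probes.values():
        seen.update(set(parse_response(raw)[1]))
    # Unrelated nonexistent names sharing one address point at a landing server.
    landing = sorted(ip for ip, n in seen.items() if n >= 2)
    hijacked = any(k in ("rewritten", "nxdomain-with-answers") for k in kinds.values())
    return {"hijacked": hijacked, "landing_ips": landing, "kinds": kinds}


# Constructed sample: three probe names answered by a hypothetical resolver.
SAMPLE = {
    "qz7x1k-probe.example": build_response("qz7x1k-probe.example", NOERROR, ["192.0.2.10"]),
    "m4v9tt-probe.example": build_response("m4v9tt-probe.example", NXDOMAIN, ["192.0.2.10"]),
    "p0c3ws-probe.example": build_response("p0c3ws-probe.example", NXDOMAIN),
}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Against a live resolver the raw responses would come from UDP queries for freshly generated random names; a stub resolver that only inspects the answer section would accept the "nxdomain-with-answers" case as a valid address.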
