Bell Starts Hijacking NX Domain Queries
inject_hotmail.com writes "Bell Canada started hijacking non-existent domains (in the same manner as Rogers), redirecting NX-response queries to themselves, of course. Before opting-out, you get their wonderfully self-promoting and self-serving search page. When you 'opt-out,' your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. During the opt-out process, they claim to be interested in feedback, but provide no method on that page (or any other page within the 'domainnotfound.ca' site) to contact them with complaints. They note that opting-in is 'recommended' (!), and that 'In order for opt-out to work properly, you need to accept a "cookie" indicating that you have opted out of this service. If you use a program that removes cookies, you will have to repeat this opt-out process when the cookie is deleted. The cookie placed on your computer will contain the site name: "www.domainnotfound.ca."' Unfortunately most Bell Internet users won't understand the difference between their true NX domain response, and Bell's injected NX response."
Well, that's the bad old bell... (Score:4, Interesting)
Re: (Score:2)
Two points:
1) You will wait. A very long time.
2) When the waiting is over, nothing will happen. Rogers has been running this annoying crap for months and nothing's happened
To anyone annoyed at this from rogers or bell, point your dns to opendns, the rogers (at least) name servers suck balls anyways.
Re: (Score:2)
I did write a letter to the CRTC about Rogers' practices, and CC'd Rogers. If enough people do it, they'll do something about it... When I called Rogers to complain, they suggested I use OpenDNS, but OpenDNS does the same thing. Does anybody know a free/open DNS server that doesn't do that kind of crap?
*sighs* for now, I've taken some clock cycles on my internal fileserver, and set up a DNS server. Not happy with Rogers at all. But don't have any alternatives where I live.
Re: (Score:3, Informative)
Here are some. [pahing.com] I don't know which ones hijack NX responses, but the 4.2.2.x entries seem reliable.
Re:Well, that's the bad old bell... (Score:5, Informative)
Not happy with Rogers at all. But don't have any alternatives where I live.
If you're on Rogers, use 64.71.255.202 as a DNS server. It's the non-hijacking server they set up after many users complained the re-directing was buggering up remote workers and VPN users.
It won't be pushed out through DHCP, but it works fine as a static setting.
Re: (Score:3, Informative)
At least OpenDNS is clueful enough to filter out BS like the following:
http://www.domainnotfound.ca/bellassist/dnsassist/content/ErrorPage/_iceUrlFlag=15?_IceUrl=true&q=www.non-existent-domain.com-INSERT-MALWARE-HERE%3CSCRIPT%3E [domainnotfound.ca]
From a typical web surfer's point of view (Score:2, Funny)
These pages are helpful for the typical web surfer. In fact, an automatic URL "fixing" service would be one of those revolutionary Web 2.0 features that exists in the recesses of the web, part of the infrastructure and totally natural to use.
Yes, it breaks some scripts and runs contrary to published standards, but it presents a new (actually pretty old) conception of how the web should work.
Re:From a typical web surfer's point of view (Score:5, Insightful)
Massive Typosquatting (Score:4, Interesting)
Many people don't realize that there's TONS of traffic going to typo domains (whether registered or not). For instance, youtuve.com (notice the v instead of the b) got 347,852 visitors over the last 31 days. It redirects to another domain for cloaking purposes, but here is the traffic report [sedo.com]. This level of traffic provides the financial incentive to implement these DNS schemes.
By the way, there's a new, free typosquatting [aliasencore.com] scan tool at aliasencore.com. It shows you all the registered
Full disclosure: I am Graham MacRobie, the CEO of Alias Encore, Inc. We help companies recover cybersquatting domain names, but we focus solely on "slam-dunk" typosquatting cases (obviously only registered domain names). I can speak from personal experience in this field that the very last thing we need is wholesale typosquatting at the DNS level. Bell Canada should turn this "feature" off immediately.
Re: (Score:2)
There's an easy solution for that. When I want to visit slashdot, I type in:
http://216.34.181.48/"
Or google:
http://74.125.95.103
or, if that's too slow:
http://74.125.95.105
Is that too hard to remember?
OK, kidding aside, I agree - The DNS system's a mess. I'd like to see something where typo-trolls could be shut down, but that's not simple. Without writing a thesis on the subject here, it's pretty damned complicated. But, stopping DNS-folks from parking on domains is simple as long as we (regionally) rule on whether or not they're allowed. Right now, they are. T
Re: (Score:3, Insightful)
DNS doctoring is bad for many reasons.
Just because a domain exists doesn't mean it's the one you wanted. Think of all those properly registered phishing sites out there, just waiting for a user typo. What's the difference between them and a DNS search redirect? If anything, this highlights the broken behavior of using the (non-)existence of a domain name for anything useful. You really care about whether you got the RIGHT site, not just *a* site.
Oh, I see... so then Bell can decide for me whether I'm about to see the "right" site? Yeah, that WOULD be helpful. Thankfully it will be easy to agree on what's the "right" and "wrong" sites. No problem there.
[/sarcasm]
Re:And yet I don't see it (Score:5, Informative)
So whether or not the DNS server returns the proper error message or resolves to a site is *meaningless* for any piece of software to rely on.
Just like a server that inherently trusts the client is broken, so is any software that makes assumptions about a remote site just because it exists.
Knowing whether a site exists can still provide useful information for a wide variety of uses. Nobody is using the existence of a server as a form of authentication, okay? We have other mechanisms for verifying the identity of a site, when such identification is important. As the simplest example of how this screws things up, having a valid NX response versus a made up lie of a response will make the difference between an app failing immediately because the NX response says the server doesn't exist, versus waiting and eventually timing out trying to connect to a server that doesn't exist, but the app doesn't know it's because the server is slow, or the service is down, or the packet filter rules are eating your packets.
Just because you don't know or understand how this breaks things doesn't mean it isn't broken.
The behavior of identifying typosquatters and directing the user to the site they intended is properly implemented in the web browser. Not by fucking up one of the fundamental protocols of the internet. The web isn't the internet. And this behavior is broken even for the web.
Re: (Score:3, Informative)
That's fine, but whether or not it's helpful for the typical Web surfer is completely irrelevant.
It's a clear example of a layering violation. If you want URL fixing, great, but do it in the browser, don't hijack DNS which other services depend on.
As far as I am concerned, it really is clear cut that this shouldn't be happening!
Re:From a typical web surfer's point of view (Score:5, Informative)
I added a stub section to an article on wikipedia about this a while ago, it would be great if someone would lengthen it
http://en.wikipedia.org/wiki/DNS_hijacking#Use_by_ISPs [wikipedia.org]
browser task? (Score:2)
Browsers can take care of this quite well!
I think they mostly do.
Or put otherwise, this is a pretty heavy solution to the problem, if the problem is what it is to solve -- unlikely.
Stephan
Re:browser task? (Score:4, Interesting)
if the problem is what it is to solve -- unlikely.
Unlikely indeed. A simple search on that site for "Test" turns up many results. Several of them have notes like this next to them: "Sponsored by: www.momshomeroom.com/msn ", and "Sponsored by: www.Tests.com "
Looks like helping the customer is a secondary concern after all.
Re:From a typical web surfer's point of view (Score:5, Insightful)
These pages are helpful for the typical web surfer
How is that? By encouraging them to use a search engine with which they are unfamiliar, or by leading them away from their intended target with advertising. Look at the Sample Page [domainnotfound.ca] again, and explain to me the utility in that crap. Domain errors should ideally result in a big red "X" so the user knows to turn around and try again.
In fact, an automatic URL "fixing" service would be one of those revolutionary Web 2.0 features that exists in the recesses of the web, part of the infrastructure and totally natural to use.
Now this is an interesting idea. Let me tell you the best way to handle this - on the client side, after the proper DNS opportunities have been exhausted. This is because the client best knows the users browsing proclivities (most often viewed pages, favorite search engines, etc).
Re: (Score:2)
This is because the client best knows the users browsing proclivities (most often viewed pages, favorite search engines, etc).
Nowadays I have a horrid suspicion that the server knows the user's browsing proclivities better than the client.
Re:From a typical web surfer's point of view (Score:5, Insightful)
Re: (Score:3, Interesting)
Bell makes a habit of screwing up other services. If you're not requesting data on port 80, preferably from one of their servers, then you are just causing trouble.
Way back when Bell Sympatico was first introducing ADSL I signed up for it and stuck with them for a few years. I put up with things like their spam-friendly mail servers, even going so far as to point out how their broken use of the VRFY command was exposing customer account numbers to the world and demonstrated how their POP3 server allowed
Re:From a typical web surfer's point of view (Score:5, Informative)
The web is an incredibly huge piece of the internet.
Please tell us about these 65,000 other services that need a properly functioning DNS. Since the only protocol affected here is HTTP, and the only applications that use invalid URLs are either human-driven (browsers) or malware, I suggest that the NX response is fundamentally outdated and useless.
Not true. The DNS doesn't know if the thing making a request is a web browser or something else, so it affects literally every protocol. SMTP, POP3, SMB, everything. Only now, when you try to debug something like that it looks like the server does exist, it's just ignoring SMTP connections. You spend ages barking up completely the wrong tree.
Even more fun is if the person affected is trying to work from home over a VPN link. If it's set up for split tunnelling, it'll try to resolve a hostname using the default DNS first and only if that fails will it try the VPN. Hint: Windows uses DNS to resolve hostnames for fileshares. All of a sudden, internalhost.yourcompany.com resolves on the public internet and they're trying to save their files to a server that's run by their ISP (and, naturally, isn't offering any SMB fileshares). Cue a bunch of angry calls to the helpdesk.
Re:From a typical web surfer's point of view (Score:5, Funny)
A really douchy, I mean helpful, move by Bell would be to have every conceivable service running on the machine these DNS queries are redirected to, that would be configured to somehow convey the fact that the queried server doesn't exist, and possibly to display some ads. Like if a person tries to check for their email from IMAP the server would blindly accept any login credentials and return a mailbox with one mail with the subject "Invalid domain" and some adverts as contents. An SMB share would have folders named "Invalid" and "Domain". The possibilities are endless. Think of how convenient and helpful this would be.
Re: (Score:3, Interesting)
While not many folk are running SMTP servers on a cable connection these days, as blacklists will stop lots of their mail, a very large number of users will have client side anti-spam software.
One thing anti-spam software will often do is check the sending domain actually exists. Of course with this change, every domain suddenly exists and you have one less test available in scoring spam.
Re:From a typical web surfer's point of view (Score:4, Informative)
No, every protocol directed at an address obtained by DNS is affected.
Re: (Score:3, Insightful)
How is the only protocol affected HTTP? When a DNS query is made, it doesn't state what it's for -- regardless of the protocol to come, the DNS query is the same. Yet when an NX should be returned, a valid but incorrect response is returned. This is quite a significant difference.
Re: (Score:2)
Here, let me explain it in terms you should understand. Imagine that you get lost while driving. You should have reached your destination, but you're not sure, so you ask a passerby. "Is this 417 Pine Stre
Re:From a typical web surfer's point of view (Score:5, Informative)
The web is an incredibly huge piece of the internet.
Please tell us about these 65,000 other services that need a properly functioning DNS. Since the only protocol affected here is HTTP, and the only applications that use invalid URLs are either human-driven (browsers) or malware, I suggest that the NX response is fundamentally outdated and useless.
Wow, you are one clueless user. Please don't put fingers to keyboard and start talking authoritatively when you clearly know absolutely nothing about the subject or the problem at hand. Think before you type, next time.
Maybe you've heard of a little thing called "email?" It pretty much takes a huge chunk of bandwidth on the net (mostly spam, granted), and then we have P2P stuff, which takes up the bulk of bandwidth I believe - far, far exceeding the HTTP protocol. These are just two of the services that are affected by it, and both exceed web traffic by significant margins. The web bandwidth is indeed a tiny fraction compared to everything else... just because web surfing dominates your life does not make it the dominant service on the internet.
The NX response is everything. It's the foundation of the entire domain resolution system. Saying it's outdated is absolutely and patently ludicrous. There are two proper responses that drive the entire internet, the return of a valid IP address and an NX response. When you start screwing with either one of those, you break the internet. Outdated indeed.
Re: (Score:3, Funny)
C:\>cat /etc/services
'cat' is not recognized as an internal or external command,
operable program or batch file.
Crap! Bell's hijacking has already screwed something up.
Re: (Score:3, Interesting)
It also breaks functionality of basic programs. For example we have a lot of people that use Outlook Anywhere, and it will be broken by this. By default, it checks for the internal server first, and when it can't find it, it then jumps to Outlook Anywhere. Except now it gets a response for the internal server, and then waits forever for a timeout. So now we'll have even more people calling us asking why they can't get their email when they could before. We already have a list of 10 or so ISPs that w
Re: (Score:2)
Some browsers do attempt to "fix" URLs. These services break those features, since the domain is always resolved properly as far as the browser is concerned.
Re:From a typical web surfer's point of view (Score:5, Informative)
These pages are helpful for the typical web surfer.
Do you work in marketing?
Clue: DNS stands for "Domain Name Service", not "Targeted Advertisement Injection". The "typical web surfer" already has a tool that is responsible for handling unresolvable addresses, it's built into the browser. If you want more help, suggestions for typo fixing, etc. then the browser is the proper location.
There are client programs out there that rely on getting proper DNS responses, including correct "domain not found" replies when the domain does not exist.
Yes, it breaks some scripts and runs contrary to published standards, but it presents a new (actually pretty old) conception of how the web should work.
No, it doesn't. And running contrary to published standards isn't a minor offense. They're called standards for a reason, and client-side programs expect a certain behaviour. Breaking that means breaking customers' software. And no, the web should not work this way. If you want to get a search page on DNS error, a Firefox plugin would be the proper approach, not DNS manipulation.
What this is is the equivalent of your phone company hijacking every call with a mistyped phone number to a toll line with a "helpful" operator that helps you guess the correct number. The only difference is the payment method.
Thank god I don't work there anymore (Score:5, Insightful)
Happens in Germany too.. (Score:5, Interesting)
The Deutsche Telekom / T-Online does exactly the same in Germany.
Re: (Score:2, Informative)
But compared to Bell you can switch the behaviour permanently off in your User Control Panel of T-Online. No weird cookies are required...
Re: (Score:3, Informative)
Re: (Score:2)
Does the Taco add on work here? (Score:5, Interesting)
Re: (Score:3, Insightful)
It does not work for every non-browser application that uses DNS.
If true, a SERIOUSLY broken opt-out... (Score:5, Insightful)
If this is a true description of the opt-out, it is SERIOUSLY broken.
Simply put, any opt-out mechanism MUST enable the user's computer to properly receive an NXDOMAIN response. Because the problem is NOT the advertising web page on a web browser typo for http, but all the other things that do DNS lookups.
For example, NXDOMAIN wildcarding even snagged and confused Dark Tangent [defcon.org] into thinking that someone was trying to MitM the Defcon forums!
I can accept an ISP doing this only under the following conditions:
a) The opt-out is a one-click item on the page
b) The opt-out is permanent and for all connected through that IP/customer link
c) The opt-out is a real opt-out which will cause NXDOMAIN responses to be properly returned as NXDOMAIN.
This clearly fails B and C.
Re:If true, a SERIOUSLY broken opt-out... (Score:5, Funny)
b) The opt-out is permanent and for all connected through that IP/customer link
But then, how will the user re-enable the service when they start missing those targeted advertisements?
Re: (Score:2)
I would say *whoosh*, but the joke went so far over your head as to be inaudible.
Re: (Score:2)
It sucks that a provider's DNS is broken. Still, you can run your own caching DNS server and forward your requests to servers that work.
Re:If true, a SERIOUSLY broken opt-out... (Score:4, Insightful)
I'm not sure how an opt out that uses cookies is supposed to work. My mail client, for example, does a DNS lookup for smtp.domainwithtypoinname.com. The resolver on my machine sends a UDP packet containing the DNS request to the DNS cache. The DNS cache replies with NXDOMAIN. The function called by my mail client returns failure. How does the DNS cache get hold of the cookie to know that it should return the real NXDOMAIN?
Hopefully the root servers will start using DNSSEC soon, so the resolver can just flag these and the libc functions can return the same kind of failure as they would for an NXDOMAIN reply.
Re:If true, a SERIOUSLY broken opt-out... (Score:4, Insightful)
The doofuses behind this are unaware of the existence of any software other than a browser that uses DNS. They would tell you that DNS is part of the Web.
Re: (Score:2)
This puts itself exactly like the whole "Phorm" debacle... Where in order to have things work the way they should, you have to remember to "opt-out" any time you are using a different computer, or clear your cookies, or whatever.. however, it doesn't actually opt you out of anything, it just changes what you see.. (the Phorm debacle didn't opt you out of tracking everything you do with deep packet inspection, it just opted you out of seeing the ads tailored to you!).
This is the same thing..
Opt out should op
Re: (Score:2)
Yeah, and good luck making your SMTP server (or any other IP service other than HTTP agents) understand cookies!
-dZ.
Re: (Score:2)
A small question.
Can an NXDOMAIN response include additional info? If so could this be used to send a message such as "No such domain, use this search page"? If not would adding this be a problem?
It seems that a solution that could return a correct NXDOMAIN response and suggest an alternative action would satisfy everyone's requirements.
Embarq (Score:2)
Embarq does the same thing with their DSL:
http://search.embarq.com/index.php?origURL=http://lkwkerwer.com/ [embarq.com]
Detect and fix DNS hijacks locally? (Score:4, Interesting)
Is there any way a local caching name server can detect this brokenness and return the right answer? I seem to remember some bind configs a few years back that would do that but I'm not sure if they would still work.
Or maybe a firefox plugin could detect this damage and restore the original, correct behavior somehow.
Re: (Score:2)
Re: (Score:2)
You could set up your own caching DNS server and have it bypass your ISP altogether, instead drilling down the DNS from the DNS root servers.
DNS is fairly easy to detect so it wouldn't be too hard to set up an invisible proxy, but most ISPs won't go to these kind of lengths.
Re: (Score:2)
Bingo.
Re: (Score:2)
You could set up your own caching DNS server and have it bypass your ISP altogether, instead drilling down the DNS from the DNS root servers.
Here is another useful thing you can do with your own server... because you probably have a large home lan, you can also set up the "caching" server to be authoritative for a tld like .home
So, now you can get to all your machines on the lan by pinging sshing httping something.home
You can also experiment with dynamic DNS updating the .home tld.
I would advise staying away from a tld like .local, that messes up the bonjour protocol or multicast DNS or whatever its called.
Re:Detect and fix DNS hijacks locally? (Score:5, Informative)
Re: (Score:2)
I don't have mod points, so let me just say this:
Mod Parent Up!
Re: (Score:2)
Awesome :)
Someone mod this guy +1 Informative!
Waiting for DNSSEC... (Score:5, Informative)
Isn't this sort of forgery exactly what DNSSEC is supposed to prevent?
(And no, don't go suggesting DNSCurve. It doesn't protect against your ISPs caching resolver being malicious like this.)
Misconfiguration, not forgery. (Score:3, Interesting)
There's no forgery. You are connecting to their server just as you intended to and it is giving exactly the response they configured it go give. However, that response is not the one specified by the RFC.
OpenDNS & IPv6 (Score:2)
Using other services like OpenDNS is certainly one way to go, but last time I checked they had issues when it came to IPv6. Does anyone know any IPv6 friendly open DNS servers?
Re:OpenDNS & IPv6 (Score:5, Informative)
I have Charter, and they do the same thing . I just use 4.2.2.1 and 4.2.2.2 as my primary DNS servers. Although, I can't really speak to their IPv6 capability.
Re: (Score:2)
I have Charter, and they do the same thing . I just use 4.2.2.1 and 4.2.2.2 as my primary DNS servers. Although, I can't really speak to their IPv6 capability.
OpenNIC [opennicproject.org] offers IPv6 DNS resolution services on some of their servers.
Ignorance is Bell's best friend. (Score:2, Funny)
Bell's current business model pretty much relies on people not caring about the shit they pull.
It's sort of interesting (or infuriating depending if I'm trying to use the internet..). My new ISP makes it no secret they hate everything Bell does. I think that largely has to do with them leasing their lines from Bell, and having their service screwed up when Bell does things of this nature. I imagine I'll be getting an email from my ISP soon telling me who to complain to about the service getting buggered yet
Re: (Score:2)
Cookie? (Score:3, Interesting)
How is this cookie supposed to work for lookups from apps other than a web browser?
It's not... (Score:3, Interesting)
This...
When you "opt-out", your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. ...is just ****ing unacceptable. That's not ****ing opting out.
Re: (Score:2)
It isn't. Clearly Bell don't consider themselves an ISP any more, they consider themselves a WSP. (Web Service Provider).
Re: (Score:2)
I see that you are not a Bell customer. They don't follow the simple "You pay us, we provide a service" model which you have come to expect from other ISPs, but they are half way there.
OpenNIC does none of this silliness (Score:2)
OpenNIC [opennicproject.org] offers free, open, and democratic domain name services. No redirects like your favorite ISP or OpenDNS (and to think these used to be the "good" guys back in the days of everydns.net). All ICANN domains, plus a good helping of alternate roots (including OpenNIC) as a bonus. The OpenNIC DNS network is slowly building, with servers around the world
Using your ISP's name servers is so passe. They'd like the masses to think that's the only choice.
Legal? (Score:2, Interesting)
Re:Legal? (Score:5, Informative)
Feedback form (Score:2, Informative)
https://www.bell.ca/support/PrsCSrvInt_CtUs_Eform.page [www.bell.ca]
At least their search page suggests a solution (Score:5, Funny)
The first hit for me is the wonderful errornerd.com, which can fix these errors if you download their registry utility [errornerd.com].
They can even fix a host of other errors, even 404s [errornerd.com] and errornerd.com is a fraud [errornerd.com] errors.
So f**king annoying (Score:2)
I spent June in Toronto and Ottawa with friends and my family, all of whom have internet service provided by Rogers. Now I have a bunch of typo URLs in FF's history when I'm typing in the address bar. Anybody in the province who can get DSL should go to Teksavvy where you'll get good service and none of this crap.
Net Neutrality (Score:2)
Viewed in the context of net neutrality -- how can there be net neutrality if they don't even provide net access
according to the semantics of the protocols?
Stephan
Not the only one. (Score:2)
Paytec/McCloud telco does this here in the states.
Only affects www subdomains (Score:2, Informative)
This seems to only affect lookups for queries prefixed with www. For example, a lookup of blerght.com returns nx, while www.blerght.com returns 67.63.55.2. There may well be other subdomain queries that it also hijacks.
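The "Detect and fix DNS hijacks locally?" and "Cookie?" threads above ask how a stub or caching resolver could notice this and hand applications a real NXDOMAIN again, and the post just above reports that only the www.-prefixed lookup comes back with an address (67.63.55.2 in that report) while the apex still gets NXDOMAIN. The following is an added example, not code from Bell, Rogers or any poster: it speaks raw DNS wire format (RFC 1035) with only the standard library, probes a resolver with random labels that cannot exist (both apex and www. forms), reports which addresses the resolver substitutes for NXDOMAIN, and rewrites such replies back into a genuine RCODE 3 so mail clients, VPN software and spam filters fail fast the way they should. The 67.63.55.2 sample reply is constructed for the offline check; `probe()` sends live queries and is a hypothetical helper, not part of any resolver.

```python
"""Detect NXDOMAIN wildcarding by a resolver and restore real NXDOMAIN replies.

Added example for the thread; not code from any ISP or poster. Standard library only.
"""
import os
import random
import socket
import struct

NXDOMAIN = 3        # RCODE 3, "Name Error"
A_RECORD = 1
IN_CLASS = 1


def encode_name(name):
    """'www.example.com' -> length-prefixed labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, txid, qtype=A_RECORD):
    """A standard query with RD set (flags 0x0100), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, IN_CLASS)


def build_response(qname, txid, rcode=0, ips=(), ttl=60):
    """Constructed reply used for offline testing; real replies come off the wire."""
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1, plus RCODE
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)
    for ip in ips:
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, A_RECORD, IN_CLASS, ttl, 4)
        msg += socket.inet_aton(ip)
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_response(msg):
    """Return (txid, rcode, qname, [A-record IPs]) from a DNS reply."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, ips = 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rclass == IN_CLASS and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return txid, flags & 0x0F, qname, ips


def nonce_names(count=3, suffix="com"):
    """Random labels that cannot exist, in apex and www. form, since the thread
    reports the www. lookup being answered while the apex still gets NXDOMAIN."""
    names = []
    for _ in range(count):
        label = "nx-" + os.urandom(6).hex()
        names += ["%s.%s" % (label, suffix), "www.%s.%s" % (label, suffix)]
    return names


def classify(replies):
    """replies: {qname: raw reply}. Any nonexistent name answered with an A record
    is wildcarding; return the substituted IPs (empty set = honest resolver)."""
    hijack_ips = set()
    for raw in replies.values():
        _, rcode, _, ips = parse_response(raw)
        if rcode != NXDOMAIN and ips:
            hijack_ips.update(ips)
    return hijack_ips


def restore_nxdomain(raw, hijack_ips):
    """If every A record in a NOERROR reply is a known hijack address, rewrite it
    into a real NXDOMAIN: RCODE 3, question only, no answer section."""
    txid, rcode, _, ips = parse_response(raw)
    if rcode != 0 or not ips or not set(ips) <= set(hijack_ips):
        return raw
    flags = (struct.unpack("!H", raw[2:4])[0] & 0xFFF0) | NXDOMAIN
    qend = read_name(raw, 12)[1] + 4
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + raw[12:qend]


def query(server, qname, timeout=2.0):
    """Live UDP query to a resolver (hypothetical helper; not run offline)."""
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (server, 53))
        raw, _ = s.recvfrom(4096)
    if parse_response(raw)[0] != txid:
        raise ValueError("transaction id mismatch")
    return raw


def probe(server):
    """Ask the resolver for names that cannot exist and report what it invents."""
    return classify({n: query(server, n) for n in nonce_names()})


if __name__ == "__main__":
    import sys
    found = probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print("NXDOMAIN wildcarded to %s" % sorted(found) if found else "honest NXDOMAIN")
```

Run it against the resolver your DHCP lease handed you (`python3 nxprobe.py 192.0.2.53`, address assumed) and compare with a known-good server; a resolver that answers every `nx-<random>` name with the same address is wildcarding. `restore_nxdomain()` is the piece a local forwarding proxy would apply to replies before handing them to the stub resolver, which is the only place a fix can live, since the cookie-based opt-out never reaches the resolver at all.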
This ought to be illegal (Score:3, Insightful)
DNS is recursive, right? Starting with the TLD servers, then downwards. Someone upstream of Bell is returning a 'domain not found' and Bell is intercepting that and modifying it.
I understand that you're using Bell's local DNS servers to start the search, but the effect is the same as them intercepting and modifying your communications.
ISPs doing this kind of crap should get sued under whatever law most closely applies.
Re: (Score:3, Informative)
They're not intercepting your communications with any outside server. You asked them for the IP address linked to a given domain name, they asked a higher-level DNS server that returned NXDOMAIN to them, and instead of just returning the same NXDOMAIN to you like everyone else would they returned a pointer to the server hosting their search page. Underhanded? Sure. But intercepting and modifying your communications? Not really. Your communications were with the ISP to begin with, not the upstream DNS server
vigilante (Score:2)
where's that perl script that queries random domains to break the ISP's DNS cache?
The simple solution. (Score:2)
And everyone wins: a version of BIND that allows an overlay of master records based on secondary queries. You look something up, the authoritative query goes out to the replacements, the fallback position is the root nameservers.
Then, you can participate in OpenDNS or OpenNIC or whatever you want, *and* participate in the base DNS network as well. Plus, if you ever decide someone is being naughty, you can just overlay them with a whiteout (and you get rid of every domain-squatter-searcher you want to get ri
InfoSpace is behind this. (Score:4, Interesting)
They're reselling InfoSpace. Click on this link [domainnotfound.ca] to demonstrate.
InfoSpace claims to be passing search queries to Google, Yahoo, Bing, Ask, and Twitter, then combining the results. I'm surprised they can do that. Google, Yahoo, and Bing all prohibit that in their terms of service. (With Google, you're only allowed to use Google's display format, expressed in their AJAX API, but you can add additional info. Google doesn't allow reordering or combining their results. Yahoo is more flexible; you can reorder, reformat, and, subject to some restrictions, add ads. Bing allows reordering and combining for Web searches, but not other types of searches.)
Ma Bell got the Ill Communication (Score:2)
Better Headlines:
"Bell Is Hijacking NX Domain Queries"
Does Bell "startS" hijacking on a daily basis or all the time? Tony Hawk skateS every day.
"Bell Hijacking NX Domain Queries"
Brevity is wit.
Hit the reply button to make excuses and apologies.
Re: (Score:2)
Maybe I'm misunderstanding, but I get the impression from the summary that Bell is hijacking domain queries, meaning that users can't easily choose not to use their provider's DNS services. So the idea is that, even if you choose to use another DNS provider, Bell will intercept your query and give you their own response.
Not that there aren't ways around it, but why should users have to try to figure out ways around something like this? An ISP shouldn't be intercepting your traffic without your permission
Re: (Score:2)
Maybe I'm misunderstanding, but I get the impression from the summary that Bell is hijacking domain queries, meaning that users can't easily choose not to use their provider's DNS services.
Your ISP always provides a couple of caching DNS resolvers, and it tells your computer about them when you get your IP address (ie, provided by the DHCP server). So your computer will by default send all DNS queries through your ISP's DNS resolvers, and they can send you whatever garbage results they want.
This is most likely "only" Bell making their DNS resolvers (that everyone uses, because they're the default) malicious, and not them redirecting traffic meant for other DNS servers to their servers.
Re: (Score:3)
Re:Not really seeing an issue (Score:5, Informative)
Then you've never used Cisco's VPN client.
Hint: Connecting to internal-machine.yourcompany.com over the VPN doesn't work when internal-machine.yourcompany.com can be resolved from outside the company.
Re: (Score:2)
Really?
I don't know anyone that uses DNS servers that aren't provided by their ISP, unless they have some specific need to do otherwise.
I mean, other than in cases like this, what does it get you?
Re: (Score:2)
> I mean, other than in cases like this, what does it get you?
You'd be amazed at how bad the DNS of some ISPs can be.
Re:openDNS (Score:5, Informative)
I'm not sure if this is a troll or not, but just in case it isn't: openDNS does the same sort of hijacking.
Re: (Score:2)
And it is especially difficult to get it to stop. You can, but you have to turn off every feature they offer beyond bare DNS.
Of course, they do provide quite good bare DNS, so that's not a terrible thing, but it would be much better if their "helpful" services were opt-in.
Re: (Score:2)
Er, OpenDNS does exactly this. Only I don't think it has an opt-out.
Re: (Score:2)
It does, but you need an account to opt out. Though I've never tried it so I'm not sure if their "opt-out" is smart enough to register the IP address you're connecting from and add it to a list of "addresses not to break DNS for" or if it's a similar "mock-up a browser page".
Re: (Score:3)
The opt-out is a true opt-out. You enter a list of IP addresses to opt-out on your account screen, and from there it gives you real NXDOMAIN responses (and it even works with filtering).
Re: (Score:3)
Their DNS does indeed return the proper NXDOMAIN responses if you a) sign up for an account, b) register your IP with them, and c) disable all the "advanced" features they offer. Set it to be basic no-frills DNS and that's indeed what you get with them.
So yes, their opt-out for that sort of thing, while a bit of a pain, does work properly. But considering that their entire service is opt-in to begin with, there's not a lot to complain about on that score.
For people with dynamic IPs, they offer software to r
Re: (Score:2)
127.0.0.1 block.opendns.com
127.0.0.1 guide.opendns.com
OpenDNS has an opt-out at least... (Score:3, Interesting)
I'm not a fan of OpenDNS because they also do NXDOMAIN wildcarding.
However, they do have a working opt-out in the OpenDNS dashboard, however you need to use their notification mechanism so they can track where you are to maintain the opt-out.
Re: (Score:2)
Like others have said, OpenDNS does this same thing, it shows you a Yahoo search page, and if you are one of those F5ck Mycr0$of7 types, then that will be a Bing search soon.
I just set mine up with OpenDNS to see, and there doesn't seem to be an Opt-Out for it. And none of their options are really that nifty, they can all be done within your Router, and/or within your Browser settings.
Shouldn't impact third party ISPs (Score:5, Informative)
If you're using TekSavvy, then you're using TS's DNS servers, so your query goes to TS's DNS server which should respond with NXDOMAIN. You aren't even contacting the Bell DNS, so there's no opportunity for them to interfere.
It's possible, since Bell controls the last mile, that they could intercept NXDOMAIN results going to your machine and replace them using DPI, but I can't see how they'd get away with that without being in violation of CRTC rules about changing the meaning of communication. And, at least for me on Primus, this doesn't seem to be the case (yet).
Re: (Score:2)
Just checked, I get NXDOMAIN so there is no hijacking going on :)
Tom...
Re: (Score:2)
The technical issue is this: Incorrect functioning of DNS is only a problem if the internet connection is used for nothing but web browsing.
User has misconfigured their email client? Well, normally they'd get a fairly clear warning that the mail server they're trying to connect to doesn't exist. Now, it appears to exist but it doesn't respond.
User is trying to connect to something over a VPN? Depending on configuration the internal DNS servers may only be consulted if the external ones can't resolve a h