Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Bell Starts Hijacking NX Domain Queries

timothy posted about 5 years ago | from the opendns-dot-org-is-a-nice-resource dept.

The Internet 310

inject_hotmail.com writes "Bell Canada started hijacking non-existent domains (in the same manner as Rogers), redirecting NX-response queries to themselves, of course. Before opting-out, you get their wonderfully self-promoting and self-serving search page. When you 'opt-out,' your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. During the opt-out process, they claim to be interested in feedback, but provide no method on that page (or any other page within the 'domainnotfound.ca' site) to contact them with complaints. They note that opting-in is 'recommended' (!), and that 'In order for opt-out to work properly, you need to accept a "cookie" indicating that you have opted out of this service. If you use a program that removes cookies, you will have to repeat this opt-out process when the cookie is deleted. The cookie placed on your computer will contain the site name: "www.domainnotfound.ca."' Unfortunately most Bell Internet users won't understand the difference between their true NX domain response, and Bell's injected NX response."

cancel ×

310 comments

Sorry! There are no comments related to the filter you selected.

Well, that's the bad old bell... (3, Interesting)

Pig Hogger (10379) | about 5 years ago | (#28941845)

Well, that's the bad old ma Bell that's still alive and kicking in Canada.

Re:Well, that's the bad old bell... (1)

YayaY (837729) | about 5 years ago | (#28942175)

I can't wait to see this go in front of the CRTC.

Re:Well, that's the bad old bell... (0)

Anonymous Coward | about 5 years ago | (#28942527)

Why? Do you really expect them to bite the hand that feeds in any significant way?

Re:Well, that's the bad old bell... (1)

Trails (629752) | about 5 years ago | (#28942599)

Two points:

1) You will wait. A very long time.
2) When the waiting is over, nothing will happen. Rogers has been running this annoying crap for months and nothing's happened

To anyone annoyed at this from rogers or bell, point your dns to opendns, the rogers (at least) name servers suck balls anyways.

Re:Well, that's the bad old bell... (1)

KillerBob (217953) | about 5 years ago | (#28942753)

I did write a letter to the CRTC about Rogers' practices, and CC'd Rogers. If enough people do it, they'll do something about it... When I called Rogers to complain, they suggested I use OpenDNS, but OpenDNS does the same thing. Does anybody know a free/open DNS server that doesn't do that kind of crap?

*sighs* for now, I've taken some clock cycles on my internal fileserver, and set up a DNS server. Not happy with Rogers at all. But don't have any alternatives where I live.

From a typical web surfer's point of view (2, Funny)

BadAnalogyGuy (945258) | about 5 years ago | (#28941883)

These pages are helpful for the typical web surfer. In fact, an automatic URL "fixing" service would be one of those revolutionary Web 2.0 features that exists in the recesses of the web, part of the infrastructure and totally natural to use.

Yes, it breaks some scripts and runs contrary to published standards, but it presents a new (actually pretty old) conception of how the web should work.

Re:From a typical web surfer's point of view (4, Insightful)

nicolas.kassis (875270) | about 5 years ago | (#28941989)

This should be handled at the infrastructure level. DNS doctoring is bad for many reason. I'm sure a firefox or IE addon would actually be much more preferable. Something easy to dis-activate when things break.

And yet I don't see it (0)

Late Adopter (1492849) | about 5 years ago | (#28942689)

DNS doctoring is bad for many reason.

Just because a domain exists doesn't mean it's the one you wanted. Think of all those properly registered phishing sites out there, just waiting for a user typo. What's the difference between them and a DNS search redirect? If anything, this highlights the broken behavior of using the (non-)existence of a domain name for anything useful. You really care about whether you got the RIGHT site, not just *a* site.

Re:From a typical web surfer's point of view (3, Informative)

Anonymous Coward | about 5 years ago | (#28942005)

That's fine, but whether or not it's helpful for the typical Web surfer is completely irrelevant.

It's a clear example of a layering violation. If you want URL fixing, great, but do it in the browser, don't hijack DNS which other services depend on.

As far as I am concerned, it is really is clear cut that this shouldn't be happening!

Re:From a typical web surfer's point of view (4, Informative)

Sillygates (967271) | about 5 years ago | (#28942747)

I have written scripts for my job, which would break dns was hijacked by my isp. It's not acceptable.

I added a stub section to an article on wikipedia about this a while ago, it would be great if someone would lengthen it ;-)

http://en.wikipedia.org/wiki/DNS_hijacking#Use_by_ISPs [wikipedia.org]

browser task? (1)

sugarmotor (621907) | about 5 years ago | (#28942009)

Browsers can take care of this quite well!

I think they mostly do.

Or put otherwise, this is a pretty heavy solution to the problem, if the problem is what it is to solve -- unlikely.

Stephan

Re:browser task? (3, Interesting)

thePowerOfGrayskull (905905) | about 5 years ago | (#28942425)

if the problem is what it is to solve -- unlikely.

Unlikely indeed. A simple search on that site for "Test" turns up many results. Several of them have notes like this next to them: "Sponsored by: www.momshomeroom.com/msn ", and "Sponsored by: www.Tests.com "

Looks like helping the customer is a secondary concern after all.

Re:From a typical web surfer's point of view (5, Insightful)

qortra (591818) | about 5 years ago | (#28942071)

These pages are helpful for the typical web surfer

How is that? By encouraging them to use a search engine with which they are unfamiliar, or by leading them away from their intended target with advertising. Look at the Sample Page [domainnotfound.ca] again, and explain to me the utility in that crap. Domain errors should ideally result in a big red "X" so the user knows to turn around and try again.

In fact, an automatic URL "fixing" service would be one of those revolutionary Web 2.0 features that exists in the recesses of the web, part of the infrastructure and totally natural to use.

Now this is an interesting idea. Let me tell you the best way to handle this - on the client side, after the proper DNS opportunities have been exhausted. This is because the client best knows the users browsing proclivities (most often viewed pages, favorite search engines, etc).

Re:From a typical web surfer's point of view (1)

digitig (1056110) | about 5 years ago | (#28942797)

This is because the client best knows the users browsing proclivities (most often viewed pages, favorite search engines, etc).

Nowadays I have a horrid suspicion that the server knows the user's browsing proclivities better than the client.

Re:From a typical web surfer's point of view (4, Insightful)

superdana (1211758) | about 5 years ago | (#28942161)

This isn't about the web, this is about the Internet--there's a difference. The web is just one tiny piece of the Internet, and there are 65,000 other services that require a properly functioning domain name system. Screwing it up in a way that only "works" for the web is totally unacceptable.

Re:From a typical web surfer's point of view (-1, Troll)

BadAnalogyGuy (945258) | about 5 years ago | (#28942315)

The web is an incredibly huge piece of the internet.

Please tell us about these 65,000 other services that need a properly functioning DNS. Since the only protocol affected here is HTTP, and the only applications that use invalid URLs are either human-driven (browsers) or malware, I suggest that the NX response is fundamentally outdated and useless.

Re:From a typical web surfer's point of view (0)

superdana (1211758) | about 5 years ago | (#28942453)

cat /etc/services

There ya go. And no, it doesn't just affect HTTP. They're intercepting NX responses from DNS, so any software that relies on DNS--anything that has anything to do with the Internet--won't work properly when a nonexistent domain is entered.

Re:From a typical web surfer's point of view (5, Informative)

jimicus (737525) | about 5 years ago | (#28942497)

The web is an incredibly huge piece of the internet.

Please tell us about these 65,000 other services that need a properly functioning DNS. Since the only protocol affected here is HTTP, and the only applications that use invalid URLs are either human-driven (browsers) or malware, I suggest that the NX response is fundamentally outdated and useless.

Not true. The DNS doesn't know if the thing making a request is a web browser or something else, so it affects literally every protocol. SMTP, POP3, SMB, everything. Only now, when you try to debug something like that it looks like the server does exist, it's just ignoring SMTP connections. You spend ages barking up completely the wrong tree.

Even more fun is if the person affected is trying to work from home over a VPN link. If it's set up for split tunnelling, it'll try to resolve a hostname using the default DNS first and only if that fails will it try the VPN. Hint: Windows uses DNS to resolve hostnames for fileshares. All of a sudden, internalhost.yourcompany.com resolves on the public internet and they're trying to save their files to a server that's run by their ISP (and, naturally, isn't offering any SMB fileshares). Cue a bunch of angry calls to the helpdesk.

Re:From a typical web surfer's point of view (1)

DavidTC (10147) | about 5 years ago | (#28942857)

Only now, when you try to debug something like that it looks like the server does exist, it's just ignoring SMTP connections.

And, those of us running mail servers set up often set them up so we don't accept mail, from our own users, addressed to invalid domains. Which means they get immediate feedback, in their email client, that they made a typo in the domain name and the message wasn't sent and is still up on their screen to be edited, instead of having the mail happily go off and a few hours later noticing it bounced, and having to fish it out of the Sent folder and remail it.

Return an actual result to a computer that isn't running a mail server, and not only does the 'bogus submitted domain' blocker not work, but it also results in the damn email sitting there for 72 hours as the mail server repeatedly tries to connect to a mail server that is not running on that IP.

Granted, ISPs doing this interception aren't going to bother people, people don't normally run mail servers over cable connections, but when Network Solutions decided to do it for .com, it indeed broke everything.

Re:From a typical web surfer's point of view (3, Informative)

characterZer0 (138196) | about 5 years ago | (#28942503)

the only protocol affected here is HTTP

No, every protocol directed at an address obtained by DNS is affected.

Re:From a typical web surfer's point of view (2, Insightful)

blueg3 (192743) | about 5 years ago | (#28942531)

How is the only protocol affected HTTP? When a DNS query is made, it doesn't state what it's for -- regardless of the protocol to come, the DNS query is the same. Yet when an NX should be returned, a valid but incorrect response is returned. This is quite a significant difference.

Re:From a typical web surfer's point of view (0)

Anonymous Coward | about 5 years ago | (#28942781)

WTF are you talking about? Quite a few modern browsers already do the same thing that this service does (switch to search on an NX response) - this is about $$ for the telco, nothing else.

Re:From a typical web surfer's point of view (1)

Shin-LaC (1333529) | about 5 years ago | (#28942825)

How about FTP, IRC, all sorts of file sharing protocols? All sorts of messaging/chatting/voice protocols that don't use a single corporate point of failure? VNC, RDP, all sorts of services one might want to run on his home computer and access remotely via dynamic DNS, or run at work and access from home?

Here, let me explain it in terms you should understand. Imagine that you get lost while driving. You should have reached your destination, but you're not sure, so you ask a passerby. "Is this 417 Pine Street?" Now, if you're driving a car, the man tells you "No, this is an abandoned warehouse. You need to go back and make a turn at...", and tells you the directions. BUT, if you're driving anything but a car, he tells you "Yeah, this is the place, but everyone is gone."
And now you're saying: "But I only ever drive cars!"
Maybe, but people also drive bikes, trucks, etc. Even if you only drive cars, you'll probably want delivery trucks to get to the right place when they're delivering stuff to you!

But just as you're pondering that, you get beat up by a gang of bikers.

Re:From a typical web surfer's point of view (0)

Anonymous Coward | about 5 years ago | (#28942213)

These pages are helpful for the typical web surfer. In fact, an automatic URL "fixing" service would be one of those revolutionary Web 2.0 features that exists in the recesses of the web, part of the infrastructure and totally natural to use.

Yes, it breaks some scripts and runs contrary to published standards, but it presents a new (actually pretty old) conception of how the web should work.

BadAnalogyGuy: astroturfing since 2009.

Re:From a typical web surfer's point of view (1)

Useful Wheat (1488675) | about 5 years ago | (#28942247)

I think you're wrong that this is helpful to the typical surfer. Sprint does exactly the same thing to me, and their redirect search page is a clone of google, but with one important "feature" that google missed. Not a single item on the page is returned from a search, its all advertising and sponsored links. I have never seen such worthless search results in my life. They allow you to opt out of the page with a measly 6 clicks, and you end up with a cookie (just like in TFA), but its still an annoying process that I have to go through every time I dump my cache. If ISPs want to sell this as a feature, they need to return useful search results, instead of worthless advertisements. Also (and I know this is fantasy) they need to make it opt-in.

Re:From a typical web surfer's point of view (2, Interesting)

dirk (87083) | about 5 years ago | (#28942251)

It also breaks functionality of if basic programs. For example we have a lot of people that use Outlook Anywhere, and it will be broken by this. By default, it checks for the internal server first, and when it can't find it, it then jumps to Outlook Anywhere. Except now it gets a response for the internal server, and then waits forever for a timeout. So now we'll have even more people calling us asking why they can't get their email when they could before. We already have a list of 10 or so ISPs that we tell our users not to use for this very reason.

Re:From a typical web surfer's point of view (1)

mini me (132455) | about 5 years ago | (#28942679)

Some browsers do attempt to "fix" URLs. These services break those features, since the domain is always resolved properly as far as the browser is concerned.

Re:From a typical web surfer's point of view (1)

colk99 (315674) | about 5 years ago | (#28942791)

What about when the search page gets infected with antivirus 2009 or links to antivirus 2009

Thank god I don't work there anymore (4, Insightful)

Drakkenmensch (1255800) | about 5 years ago | (#28941885)

You wouldn't believe the amount of angry customer calls I had escalated to me by people who think that computers, modems and internet service are all the same things and I was responsible for all of them. If you want me to share them with you, bring lots of hard liquor - you're going to need it.

Re:Thank god I don't work there anymore (-1, Troll)

Anonymous Coward | about 5 years ago | (#28941965)

You meant to say that I wouldn't believe the number of calls that you had to take. You can't have an amount of calls since amount refers to bulk nouns.

Re:Thank god I don't work there anymore (0, Flamebait)

schon (31600) | about 5 years ago | (#28942325)

You wouldn't believe the amount of angry customer calls I had escalated to me

So, were you one of the idiots who thought it would be a good idea to break your own mail servers [netheaven.com] by enabling PMTU discovery and then dropping the replies when you hit a router with an MTU of less than 1500?

Happens in Germany too.. (5, Interesting)

ltning (143862) | about 5 years ago | (#28941935)

The Deutsche Telekom / T-Online does exactly the same in Germany.

Re:Happens in Germany too.. (2, Informative)

Anonymous Coward | about 5 years ago | (#28942487)

But compared to Bell you can switch the behaviour permanently off in your User Control Panel of T-Online. No weird cookies are required...

Re:Happens in Germany too.. (0)

Anonymous Coward | about 5 years ago | (#28942535)

But you can opt-out to get proper DNS back.

Does the Taco add on work here? (5, Interesting)

gurps_npc (621217) | about 5 years ago | (#28941937)

Taco stands for Targetted Advertising Cookie Opt-Out. It is a firefox addon that keeps a generic, non-user specific cookie opting out of the things that need cookies to opt out of.

Re:Does the Taco add on work here? (2, Insightful)

characterZer0 (138196) | about 5 years ago | (#28942529)

It does not work for every non-browser application that uses DNS.

If true, a SERIOUSLY broken opt-out... (5, Insightful)

nweaver (113078) | about 5 years ago | (#28941941)

If this is a true description of the opt-out, it is SERIOUSLY broken.

Simply put, any opt-out mechanism MUST enable the user's computer to properly receive an NXDOMAIN response. Because the problem is NOT the advertising web page on a web browser typo for http, but all the other things that do DNS lookups.

For example, NXDOMAIN wildcarding even snagged and confused Dark Tangent [defcon.org] into thinking that someone was trying to MitM the Defcon forums!

I can accept an ISP doing this only under the following conditions:

a) The opt-out is a one-click item on the page

b) The opt-out is perminent and for all connected through that IP/customer link

c) The opt-out is a real opt-out which will cause NXDOMAIN responses to be properly returned as NXDOMAIN.

This clearly fails B and C.

Re:If true, a SERIOUSLY broken opt-out... (0)

Anonymous Coward | about 5 years ago | (#28942125)

RCN (in MA at least) is doing this too and it's pissing me off. When I ping a non-existant domain, I get an RCN server instead. Furthermore, the opt-out is _cookie based_! (b) and (c) totally fail.

Re:If true, a SERIOUSLY broken opt-out... (4, Funny)

qortra (591818) | about 5 years ago | (#28942147)

b) The opt-out is perminent and for all connected through that IP/customer link

But then, how will the user re-enable the service when they start missing those targeted advertisements?

Re:If true, a SERIOUSLY broken opt-out... (1)

Noxn (1458105) | about 5 years ago | (#28942391)

But then, how will the user re-enable the service when they start missing those targeted advertisements?

Why should anyone want that? It is useless.

Re:If true, a SERIOUSLY broken opt-out... (1)

MyLongNickName (822545) | about 5 years ago | (#28942847)

I would say *whoosh*, but the joke went so far over your head as to be inaudible.

Re:If true, a SERIOUSLY broken opt-out... (1)

melikamp (631205) | about 5 years ago | (#28942387)

It sucks that a provider's DNS is broken. Still, you can run your own caching DNS server and forward your requests to servers that work.

Re:If true, a SERIOUSLY broken opt-out... (3, Insightful)

TheRaven64 (641858) | about 5 years ago | (#28942411)

I'm not sure how an opt out that uses cookies is supposed to work. My mail client, for example, does a DNS lookup for smtp.domainwithtypoinname.com. The resolver on my machine sends a UDP packet containing the DNS request to the DNS cache. The DNS cache replies with NXDOMAIN. The function called by my mail client returns failure. How does the DNS cache get hold of the cookie to know that it should return the real NXDOMAIN?

Hopefully the root servers will start using DNSSec soon, so the resolver can just flag these and the libc functions can return the same kind of failure as they would for an NXDOMAIN reply.

Re:If true, a SERIOUSLY broken opt-out... (3, Insightful)

John Hasler (414242) | about 5 years ago | (#28942561)

The doofuses behind this are unaware of the existence of any software other than a browser that uses DNS. They would tell you that DNS is part of the Web.

Re:If true, a SERIOUSLY broken opt-out... (0)

Anonymous Coward | about 5 years ago | (#28942733)

Or they don't want you to use anything other than a browser. They throttle P2P afterall.

Re:If true, a SERIOUSLY broken opt-out... (1)

QuantumRiff (120817) | about 5 years ago | (#28942575)

This puts itself exactly like the whole "Phorm" debacle... Where in order to have things work the way they should, you have to remember to "opt-out" any time you are using a different computer, or clear your cookies, or whatever.. however, it doesn't actually opt you out of anything, it just changes what you see.. (the Phorm debacle didn't opt you out of tracking everything you do with deep packet inspection, it just opted you out of seeing the ads tailored to you!).

This is the same thing..
Opt out should opt their DNS server from hijacking stuff. The only use I can see for this kind of service, is the ISP can get a list of the most mis-typed domains, and start squatting them.

Re:If true, a SERIOUSLY broken opt-out... (1)

dzfoo (772245) | about 5 years ago | (#28942759)

Yeah, and good luck making your SMTP server (or any other IP service other than HTTP agents) understand cookies!

      -dZ.

Not really seeing an issue (0, Flamebait)

Mordaximus (566304) | about 5 years ago | (#28941953)

Most people that are savvy enough to care, don't use their provider's DNS services. Those who aren't probably either don't care, or might even like the "feature."

Re:Not really seeing an issue (1)

nine-times (778537) | about 5 years ago | (#28942155)

Maybe I'm misunderstanding, but I get the impression from the summary that Bell is hijacking domain queries, meaning that users can't easily choose not to use their provider's DNS services. So the idea is that, even if you choose to use another DNS provider, Bell will intercept your query and give you their own response.

Not that there aren't ways around it, but why should users have to try to figure out ways around something like this? An ISP shouldn't be intercepting your traffic without your permission.

Re:Not really seeing an issue (1)

Timothy Brownawell (627747) | about 5 years ago | (#28942335)

Maybe I'm misunderstanding, but I get the impression from the summary that Bell is hijacking domain queries, meaning that users can't easily choose not to use their provider's DNS services.

Your ISP always provides a couple of caching DNS resolvers, and it tells your computer about them when you get your IP address (ie, provided by the DHCP server). So your computer will by default send all DNS queries through your ISPs DNS resolvers, and they can send you whatever garbage results they want.

This is most likely "only" Bell making their DNS resolvers (that everyone uses, because they're the default) malicious, and not them redirecting traffic mean for other DNS servers to their servers.

Re:Not really seeing an issue (4, Informative)

jimicus (737525) | about 5 years ago | (#28942275)

Then you've never used Cisco's VPN client.

Hint: Connecting to internal-machine.yourcompany.com over the VPN doesn't work when internal-machine.yourcompany.com can be resolved from outside the company.

Re:Not really seeing an issue (1)

Nursie (632944) | about 5 years ago | (#28942523)

Really?

I don't know anyone that uses DNS servers that aren't provided by their ISP, unless they have some specific need to do otherwise.

I mean, other than in cases like this, what does it get you?

Re:Not really seeing an issue (1)

John Hasler (414242) | about 5 years ago | (#28942631)

> I mean, other than in cases like this, what does it get you?

You'd be amazed at how bad the DNS of some ISPs can be.

That's where we come in... (0)

Anonymous Coward | about 5 years ago | (#28942533)

Well that's kind of the point isn't it?

We as techical people do see the point, so we have to educate those that don't, as well as companies that do stupid things like this.

Excusing yourself for OTHER people not understanding seems a very, very odd standpoint.

Doesn't suprise me that bell is doing this... (1)

Aklarr (1463653) | about 5 years ago | (#28941957)

Bell and rogers havent exactly been angels these last few years. Ad why would you want to use their dns server(s) when you can use a service like opendns from http://www.opendns.com/ [opendns.com]

teksavvy (1)

tedrampart (1247766) | about 5 years ago | (#28941973)

does anyone know if they're applying this to other ISP who lease bandwidth from bell? Such as Teksavvy and the like? I'm switching from bell anyhow, but I'd be pissed if they force that on other ISPs too (along with throttling).

Re:teksavvy (1, Informative)

Anonymous Coward | about 5 years ago | (#28942181)

does anyone know if they're applying this to other ISP who lease bandwidth from bell? Such as Teksavvy and the like? I'm switching from bell anyhow, but I'd be pissed if they force that on other ISPs too (along with throttling).

Doubt it. Teksavvy has their own DNS servers.

Shouldn't impact third party ISPs (4, Informative)

Digital_Quartz (75366) | about 5 years ago | (#28942225)

If you're using TekSavvy, then you're using TS's DNS servers, so your query goes to TS's DNS server which should respond with NXDOMAIN. You aren't even contacting the Bell DNS, so there's no opportunity for them to interfere.

It's possible, since Bell controls the last mile, that they could intercept NXDOMAIN results going to your machine and replace them using DPI, but I can't see how they'd get away with that without being in violation of CRTC rules about changing the meaning of communication. And, at least for me on Primus, this doesn't seem to be the case (yet).

openDNS (0, Troll)

Anonymous Coward | about 5 years ago | (#28942027)

208.67.222.222
208.67.220.220

problem solved

Re:openDNS (5, Informative)

vslashg (209560) | about 5 years ago | (#28942173)

I'm not sure if this is a troll or not, but just in case it isn't: openDNS does the same sort of hijacking.

Re:openDNS (1)

diamondsw (685967) | about 5 years ago | (#28942585)

And it is especially difficult to get it to stop. You can, but you have to turn off every feature they offer beyond bare DNS.

Of course, they do provide quite good bare DNS, so that's not a terrible thing, but it would be much better if their "helpful" services were opt-in.

Re:openDNS (1)

jabithew (1340853) | about 5 years ago | (#28942277)

Er, OpenDNS does exactly this. Only I don't think it has an opt-out.

Re:openDNS (1, Informative)

Anonymous Coward | about 5 years ago | (#28942469)

OpenDNS only does this if you use their filtering options. If you use just the standard straight up dns service you can opt out.

Re:openDNS (1)

jimicus (737525) | about 5 years ago | (#28942567)

It does, but you need an account to opt out. Though I've never tried it so I'm not sure if their "opt-out" is smart enough to register the IP address you're connecting from and add it to a list of "addresses not to break DNS for" or if it's a similar "mock-up a browser page".

Re:openDNS (1)

Bieeanda (961632) | about 5 years ago | (#28942385)

You forgot the most important thing:

127.0.0.1 block.opendns.com

127.0.0.1 guide.opendns.com

OpenDNS has an opt-out at least... (2, Interesting)

nweaver (113078) | about 5 years ago | (#28942489)

I'm not a fan of OpenDNS because they also do NXDOMAIN wildcarding.

However, they do have a working opt-out in the OpenDNS dashboard, however you need to use their notification mechanism so they can track where you are to maintain the opt-out.

Re:openDNS (1)

Vectronic (1221470) | about 5 years ago | (#28942617)

Like others have said, OpenDNS does this same thing, it shows you a Yahoo search page, and if you are one of those F5ck Mycr0$of7 types, then that will be a Bing search soon.

I just set mine up with OpenDNS to see, and there doesn't seem to be an Opt-Out for it. And none of their options are really that nifty, they can all be done within your Router, and/or within your Browser settings.

I was getting the same shit from Mediacom today (0)

Anonymous Coward | about 5 years ago | (#28942037)

Only they have decided that "google.com" is not a valid domain...ffs

Oh, and why do I have to make firefox pretend to be IE8 to post on slashdot?

Embarq (1)

Dan East (318230) | about 5 years ago | (#28942069)

Embarq does the same thing with their DSL:

http://search.embarq.com/index.php?origURL=http://lkwkerwer.com/ [embarq.com]

Re:Embarq (1, Informative)

Anonymous Coward | about 5 years ago | (#28942149)

But at least when you opt-out it will then make it return NX responses (yes I have Embarq and that was one of the first things I'd do (or end up doing accidentally) when the IP changed)
And it seems to work until you end up changing IP (DSL so I only changed when the link went down.)

Detect and fix DNS hijacks locally? (3, Interesting)

caseih (160668) | about 5 years ago | (#28942073)

Is there any way a local caching name server can detect this brokenness and return the right answer? I seem to remember some bind configs a few years back that would do that but I'm not sure if they would still work.

Or maybe a firefox plugin could detect this damage and restore the original, correct behavior somehow.

Re:Detect and fix DNS hijacks locally? (1)

slazzy (864185) | about 5 years ago | (#28942177)

Should be pretty easy thing to detect. Do a get of several domains you know shouldn't exist: ie: kg84jrtuwerufhg3r4.com and see what response you get from DNS servers. You could even go so far as to do a whois lookup to see if they are in fact registered or not.

Re:Detect and fix DNS hijacks locally? (1)

jimicus (737525) | about 5 years ago | (#28942329)

You could set up your own caching DNS server and have it bypass your ISP altogether, instead drilling down the DNS from the DNS root servers.

DNS is fairly easy to detect so it wouldn't be too hard to set up an invisible proxy, but most ISPs won't go to these kind of lengths.

Re:Detect and fix DNS hijacks locally? (1)

characterZer0 (138196) | about 5 years ago | (#28942553)

Bingo.

Re:Detect and fix DNS hijacks locally? (5, Informative)

pipatron (966506) | about 5 years ago | (#28942401)

I use dnsmasq [thekelleys.org.uk] on my router, you could use it locally as well. It has a --bogus-nxdomain=<ipaddr> option that you can use for this purpose.

Re:Detect and fix DNS hijacks locally? (1)

Kickasso (210195) | about 5 years ago | (#28942687)

I don't have mod points, so let me just say this:

Mod Parent Up!

Waiting for DNSSEC... (5, Informative)

Timothy Brownawell (627747) | about 5 years ago | (#28942113)

Isn't this sort of forgery exactly what DNSSEC is supposed to prevent?

(And no, don't go suggesting DNSCurve. It doesn't protect against your ISPs caching resolver being malicious like this.)

Sponsored Links Appearing In The Middle Of Results (1, Interesting)

Anonymous Coward | about 5 years ago | (#28942133)

This is what I find interesting/scary about this. Search for "Microsoft" from that webpage. Of course the first hit is from www.microsoft.com and if you look carefully you can see that it is sponsored. But the fourth hit down is for a sponsored link.

Microsoft Help & Support 1-888-935-4306
Get Microsoft Technical Help & Support by Expert 24x7, Call now !!
Sponsored by: www.iyogi.net

Very interesting that they mix sponsored and regular hits. I thought normally these were at the top of the results page and separated by bars/colors/lines/fonts.

OpenDNS & IPv6 (1)

Midnight Thunder (17205) | about 5 years ago | (#28942193)

Using other services like OpenDNS is a certainly one way to go, but last time I checked they had issues when it came to IPv6. Does anyone know any IPv6 friendly open DNS servers?

Re:OpenDNS & IPv6 (4, Informative)

Xtravar (725372) | about 5 years ago | (#28942377)

I have Charter, and they do the same thing . I just use 4.2.2.1 and 4.2.2.2 as my primary DNS servers. Although, I can't really speak to their IPv6 capability.

Why is this bad? (1)

danking (1201931) | about 5 years ago | (#28942209)

Don't get me wrong. I don't like this practice. But I do not know what the technical issues are with doing this. Are there security concerns? How does it break stuff? Also, does anyone know if complaints have been filed with the CRTC or if this practice is contrary to CRTC rules?

Windows shares (0)

Anonymous Coward | about 5 years ago | (#28942727)

If you have a share "woody://shared/data" then your machine will look up "woody" on DNS. Before this, your work laptop would get NXDOMAIN and wouldn't try to map a drive.

With this, it will hear that there is such a domain from your ISP and try to mount a share from it.

Re:Why is this bad? (1)

jimicus (737525) | about 5 years ago | (#28942731)

The technical issue is this: Incorrect functioning of DNS is only a problem if the internet connection is used for nothing but web browsing.

User has misconfigured their email client? Well, normally they'd get a fairly clear warning that the mail server they're trying to connect to doesn't exist. Now, it appears to exist but it doesn't respond.

User is trying to connect to something over a VPN? Depending on configuration the internal DNS servers may only be consulted if the external ones can't resolve a hostname. So if you need a VPN to connect to some system your employer runs, all of a sudden it doesn't work because the host lookup points your PC at completely the wrong IP address. Even if this isn't the case, most operating systems will cache DNS replies for some time and many applications won't bother to re-query DNS once they've got an IP address from a hostname. So if your end-user forgets to fire up the VPN before they fire up anything else, their PC will mysteriously not work properly.

Cue a bunch of calls to the helpdesk and an enduser who can't work properly.

Ignorance is Bell's best friend. (2, Funny)

Garbad Ropedink (1542973) | about 5 years ago | (#28942223)

Bell's current business model pretty much relies on people not caring about the shit they pull.

It's sort of interesting (or infuriating depending if I'm trying to use the internet..). My new ISP makes it no secret they hate everything Bell does. I think that largely has to do with them leasing their lines from Bell, and having their service screwed up when Bell does things of this nature. I imagine I'll be getting an email from my ISP soon telling me who to complain to about the service getting buggered yet again. Thanks Bell, I'll be by your office in the morning with a fresh cinderblock. I see you replaced your front window from the last time I put one through it.

Jail time for this. (1)

Tei (520358) | about 5 years ago | (#28942227)

I have just read a article, about a children getting a possible 10 years sentence to open a hardware to install software on it. And now I am reading this? I am angry, very angry, please _jail time_ for the people that has taken this decission in Bell!, NOW!.

Can we get a fair world, please?

Re:Jail time for this. (1)

frozentier (1542099) | about 5 years ago | (#28942309)

I have just read a article, about a children getting a possible 10 years sentence to open a hardware to install software on it.

It would appear you didn't actually read said article.

Bell (0)

Anonymous Coward | about 5 years ago | (#28942311)

I SERIOUSLY URGE YOU ALL TO LOOK AT THE CRTC WEBSITE!
Bell is on a buying spree, They now own (or are buying into, to take over) Aliant (BellAliant), Virgin Mobile CA (Bell Virgin Mobility), Rogers (Bell Rogers), Telus (BellTelus), BarbadosTel (Don't know the new name yet), The Source, Koodo trying to take over MTS, ATT WW, with more on the radar.
And the reason why they can get away with it right now is they are buying up 61% so they can get co-branded Bell[Name]... Oh yeah, they are no longer known as Bell Canada Enterprises...it's now Bell Enterprises, which means they plan on going global... WATCH YOUR WALLETS!

Cookie? (2, Interesting)

wiredlogic (135348) | about 5 years ago | (#28942355)

How is this cookie supposed to work for lookups from apps other than a web browser?

It's not... (2, Interesting)

argent (18001) | about 5 years ago | (#28942707)

This...

When you "opt-out", your browser receives a cookie (isn't that nice) that tells them that you don't want the search page. It will still use their broken DNS server's non-NX response, but it will show a 'Domain Not Found' mock-up page that they (I surmise) tailor to your browser-agent string. ...is just ****ing unacceptable. That's not ****ing opting out.

Re:Cookie? (1)

jimicus (737525) | about 5 years ago | (#28942765)

It isn't. Clearly Bell don't consider themselves an ISP any more, they consider themselves a WSP. (Web Service Provider).

Direct comments to domainnotfound@bell.ca (0)

Anonymous Coward | about 5 years ago | (#28942397)

Contrary to the summary, they do provide a very visible 'Contact Us' link, providing both a feedback form and an actual email address: domainnotfound@bell.ca

OpenNIC does none of this silliness (1)

pongo000 (97357) | about 5 years ago | (#28942435)

OpenNIC [opennicproject.org] offers free, open, and democratic domain name services. No redirects like your favorite ISP or OpenDNS (and to think these used to be the "good" guys back in the days of everydns.net). All ICANN domains, plus a good helping of alternate roots (including OpenNIC) as a bonus. The OpenNIC DNS network is slowly building, with servers around the world

Using your ISP's name servers is so passe. They'd like the masses to think that's the only choice.

Legal? (2, Interesting)

TheRaven64 (641858) | about 5 years ago | (#28942513)

So, what happens if I buy ping a domain that doesn't exist? Presumably this will then cache the DNS NXDOMAIN reply. If I then buy the domain, set up a DNS entry, and then try to connect to it, I will get their sever instead of mine. This sounds like it would fall foul of computer misuse laws; intentionally hijacking a connection. The presence of ads means that they're doing it for commercial purposes, which usually carries a heavier sentence. Other ISPs will not be breaking these laws, because they will just be inadvertently blocking my connection, rather than hijacking it.

Re:Legal? (1)

Melkhior (169823) | about 5 years ago | (#28942787)

IANAL.

I originally thought this was breaking 18 U.S.C. Chapter 119, 2510 to 2522 (?), but no.

*IF* they only alter the answer of their own DNS servers to their clients, when the client has made a request to said DNS servers, then they're probably in the clear. There is two communications: one from the client (C) to the Bell server (B), then one from B to the authoritative server (S). S then answer NXDOMAIN to B, which then returns a completely different information to C. So they're not intercepting anything.

OTOH, *IF* they hijack all the port 53 requests to the outside world (which I doubt), then it's very likely 2511(1)(a) and (d) applies. They still could argue under 2511(2)(a)(i) that it's "necessary"...

Then again, IANAL.

OTOH, even if it's legal, it's still absolutely wrong.

At least their search page suggest s a solution (5, Funny)

Man Eating Duck (534479) | about 5 years ago | (#28942673)

The first hit for me is the wonderful errornerd.com, which can fix these errors if you download their registry utility [errornerd.com] .
They can even fix a host of other errors, even 404s [errornerd.com] and errornerd.com is a fraud [errornerd.com] errors.

Same bull**** with Bresnan Communications (1, Informative)

Anonymous Coward | about 5 years ago | (#28942741)

Bresnan Communications pulls this same crap. The only way to opt-out is accept thier cookie.

So f**king annoying (1)

Malc (1751) | about 5 years ago | (#28942743)

I spent June in Toronto and Ottawa with friends and my family, all of whom have internet service provided by Rogers. Now I have a bunch of type-o URLs in FF's history when I'm typing the in the address bar. Anybody in the province who can get DSL should go to Teksavvy where you'll get good service and none of this crap.

no news here. (0)

Anonymous Coward | about 5 years ago | (#28942809)

windstream, verizon, and insight engage in this routinely...only way around it is to run your own caching nameserver. problem solved.

Net Neutrality (1)

sugarmotor (621907) | about 5 years ago | (#28942861)

Viewed in the context of net neutrality -- how can there be net neutrality if they don't even provide net access
according to the semantics of the protocols?

Stephan

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>