
Comcast the Latest ISP To Try DNS Hijacking

timothy posted about 5 years ago | from the c'mon-fellas dept.

Topic: The Internet

A semi-anonymous reader writes "In the latest blow to DNS neutrality, Comcast is starting to redirect users to an ad-laden holding page when they try to connect to nonexistent domains. I have just received an email from them to that effect, tried it, and lo and behold, indeed there is the ugly DNS hijack page. The good news is that the opt-out is a more sensible registration based on cable modem MAC, rather than the deplorable 'cookie method' we just saw from Bell Canada. All you Comcast customers and friends of Comcast customers who want to get out of this, go here to opt out. Is there anything that can be done to stop (and reverse) this DNS breakage trend that the ISPs seem to be latching onto lately? Maybe the latest net neutrality bill will help." Update: 08/05 20:03 GMT by T : Here's a page from Comcast with (scant) details on the web-jacking program, which says that yesterday marked the national rollout.


352 comments


They are niggers (-1, Troll)

Anonymous Coward | about 5 years ago | (#28961835)

Hear me out. Comcast does this because they are niggers. A campaign of thousands of e-mails sent to them that all say "you hijack DNS because you are NIGGERS" should leave an impression in their minds. Just imagine the internal meetings about THAT one.

Re:They are niggers (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#28962055)

Epic Fail Guy? Is that you?

/NOT A COWARD!!!
/maybe a little.

Serious question (2, Funny)

jabithew (1340853) | about 5 years ago | (#28961869)

I'm not an expert on DNS. Can someone explain to me, as simply as possible, why this is a bad thing? I understand that it's a pain to be redirected to some random ad-laden piss-poor search page, but what will this break?

This is not a troll or flamebait, I genuinely want some education.

Re:Serious question (5, Informative)

HeronBlademaster (1079477) | about 5 years ago | (#28961901)

You're IT for a business. You have employees who check their e-mail from home, accessing your stuff via a split tunnel VPN.

The computer tries to resolve internalmail.company.com, and normally this should fail, causing the computer to try the VPN's DNS server.

Instead, your employee's computer gets Comcast's search page server. Their mail client times out.

You get inundated with tech support calls.

Re:Serious question (3, Funny)

ground.zero.612 (1563557) | about 5 years ago | (#28962005)

You're IT for a business. You have employees who check their e-mail from home, accessing your stuff via a split tunnel VPN.

The computer tries to resolve internalmail.company.com, and normally this should fail, causing the computer to try the VPN's DNS server.

Instead, your employee's computer gets Comcast's search page server. Their mail client times out.

You get inundated with tech support calls.

I fail to see, using your scenario, why Comcast's DNS server would affect the company's internal DNS server, thus creating the conflict you alluded to. Since I'm not sure why Comcast would know anything about the company's internal network... If you meant:

The computer tries to resolve webmail.company.com , and normally this should fail, causing the computer to try the VPN's DNS server.

... then it almost makes sense... but only if you have a poorly constructed hosts file and route.

Re:Serious question (5, Informative)

Anonymous Coward | about 5 years ago | (#28962063)

It's a split tunnel VPN...

That means first it tries to use the internet, then it tries the VPN. If I lookup foo.bar, and foo.bar doesn't resolve, it then tries on the VPN's DNS. That helps keep external traffic off the VPN. Internal traffic is still safe.

Of course, if foo.bar instead of not resolving--points to comcast--then I never do the lookup...and the VPN ...is broken.

Re:Serious question (5, Interesting)

dirk (87083) | about 5 years ago | (#28962107)

To use an example from my company, we have many users with laptops. We have set up MS Outlook on these systems to use Outlook Anywhere. The way Outlook Anywhere works is that it first tries to connect to the internal mail server (mail.company.inside) and if it can't connect to that then tries the external mail server for an Outlook Anywhere connection (mail.company.com). With a properly set up and unmunged DNS, when they are at home it tries to connect to the internal server and gets a DNS not found response and then tries the external server. With this new botched DNS setup, it tries the internal server and gets an IP address response, so it tries to connect to that server to retrieve its email. Unfortunately, the DNS sends the IP address of the web server that serves up its ad page, so Outlook sits and times out waiting for a response, meaning these people can't get their email from home.

Yes, this could be worked around by host files, but we are a 1000-person company. Why would we want to try setting up local host files on these systems that then have to be updated whenever we change servers just because an ISP doesn't want to set up DNS based on the proper specs?

Re:Serious question (2, Informative)

michaelhood (667393) | about 5 years ago | (#28962385)

Arguably this is less of a problem for an organisation like yours that [ostensibly] has some sort of deployment mechanism. You can probably easily configure your employees' laptops to use RFC-compliant DNS servers, whether yours or "public" ones.

That certainly doesn't make it any less evil on Comcast's part, though.

Re:Serious question (3, Interesting)

dirk (87083) | about 5 years ago | (#28962421)

Which seems like a good idea until they come in house. While they are at home and pointing to a RFC-compliant DNS server, it's great, but when they come in-house, they then can't see any of the internal servers because they are still looking at the external DNS server instead of the internal ones given by DHCP. It really is a no win situation.

Re:Serious question (5, Informative)

Daniel_Staal (609844) | about 5 years ago | (#28962123)

The name of the box is, of course, irrelevant. But you still have it wrong: Comcast's DNS server isn't affecting the company's internal DNS server, it is affecting their customer's box, who is your employee, making it so that they never query your internal DNS server.

This happens precisely because they don't know anything about the internal network, and yet they are telling your employee they do.

Re:Serious question (1)

Richard_at_work (517087) | about 5 years ago | (#28962481)

You should really not be making private requests publicly. Seriously.

Re:Serious question (4, Informative)

HeronBlademaster (1079477) | about 5 years ago | (#28962149)

I fail to see, using your scenario, why Comcast's DNS server would affect the company's internal DNS server, thus creating the conflict you alluded to. Since I'm not sure why Comcast would know anything about the company's internal network...

That's because you didn't pay attention to the scenario. We're talking about a split tunnel VPN. DNS resolution uses the following rules:

1) try the usual (external) DNS server first. If it resolves, use that IP address for the communication.
2) try the internal DNS (via the VPN) if step 1 returned NXDOMAIN, and if that resolves, use that IP address for the communication.
3) otherwise, return NXDOMAIN.

So if Comcast's external server returns a valid IP for the internal server, instead of NXDOMAIN, then your internal mail server will never be accessible to anyone using your company's VPN from a Comcast connection.
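The rule above is only enforceable if the client can tell a real NXDOMAIN from a synthesized answer, and the only reliable place to see that is the DNS response itself (RCODE 3 versus RCODE 0 with an A record). The following is an added example, not code from the original thread or from Comcast: it builds a raw DNS query for a name that cannot exist, parses the raw reply, and classifies it. `build_response` fabricates sample replies so the parser can be exercised offline; the addresses and names in it are constructed, not captured from any ISP. `probe` sends the query over UDP to a resolver you choose and is the only function that needs the network. The canary uses a `www.` label because the Comcast page quoted elsewhere in this thread says only `www.` names are rewritten.

```python
"""Classify a resolver's answer for a name that cannot exist.

Added example (not from the original thread). A resolver that returns
RCODE 0 plus an A record for a random canary name is synthesizing
answers in place of NXDOMAIN.
"""
import secrets
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Return a recursive (RD=1) DNS query for `name`; A record by default."""
    if txid is None:
        txid = secrets.randbelow(65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Parse header and answer section; return txid, rcode and any A-record addresses."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": rcode, "answers": addrs}


def classify(resp):
    """'nxdomain' is the RFC-correct reply for a canary; 'answer:...' means it was rewritten."""
    r = parse_response(resp)
    if r["rcode"] == 3:
        return "nxdomain"
    if r["rcode"] == 0 and r["answers"]:
        return "answer:" + ",".join(r["answers"])
    if r["rcode"] == 0:
        return "nodata"
    return "error:rcode=%d" % r["rcode"]


def canary_name(zone="example.com"):
    """A www. name under `zone` that no one has registered (assumed zone, constructed label)."""
    return "www.%s.%s" % (secrets.token_hex(8), zone)


def build_response(query, rcode, addr=None):
    """Constructed reply to `query` for offline testing: QR|RD|RA flags, optional single A record."""
    ancount = 1 if addr else 0
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, ancount, 0, 0)
    answer = b""
    if addr:
        # name = pointer to the question name at offset 12, TTL 60, 4-byte RDATA
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + query[12:] + answer


def probe(resolver, name, timeout=3.0):
    """Send the query to `resolver` over UDP and classify the reply (needs network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch; reply is not for our query")
    return classify(data)


if __name__ == "__main__":
    import sys
    # usage: python check_nxdomain.py <resolver-ip>   (resolver address is yours to supply)
    print(probe(sys.argv[1], canary_name()))
```

A resolver that is doing its job returns `nxdomain` for the canary. An `answer:` result for a name nobody registered is exactly the condition that breaks the split-tunnel rule above, and the address it carries is the holding-page server. Run it against both the ISP resolver and whatever you plan to replace it with; as noted later in the thread, a third-party resolver only helps if the ISP is not also intercepting port 53.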

Re:Serious question (5, Interesting)

MightyMartian (840721) | about 5 years ago | (#28962199)

Using DNS lookups to tarpit certain kinds of spam. If everything resolves, then such methods simply fail.

Besides, interfering with DNS resolution is just plain bad. Quite frankly, I wish we had an organization controlling the root servers that had a backbone, and would simply stop answering queries from any network that decided to interfere with DNS resolution.

Re:Serious question (2, Informative)

Anonymous Coward | about 5 years ago | (#28962297)

OK, here's an example:

vpn client>> resolve internal.company.com
correct DNS server<< NXDOMAIN
vpn client routes VPN connection>> resolve internal.company.com
company's DNS service<< 10.1.99.12
result: VPN client knows to use the VPN connection for this route.

vpn client>> resolve internal.company.com
ass-backwards DNS server<< address of trojan-ridden.adserve.com
result: VPN client didn't receive NXDOMAIN, so it won't use the VPN tunnel for this route.
result 2: any connections attempted to this server will timeout, or (worse) will result in your company's documents scattered to a random server on the Internet
result 3: corporate helpdesk gets blamed
result 4: liability lawsuits

your example about webmail.company.com is exactly the wrong way around; you aren't trying to access a public service offered by company.com, you are trying to access an internal server. Asking this of any public, standards-conforming DNS server should result in a response that says I don't know. Anything else will break the Internet.

Your point is correct, your example is flawed. (2, Informative)

IBitOBear (410965) | about 5 years ago | (#28962311)

Your example fails because internalmail.company.com will resolve through company.com, not dnsshill.comcast.com. That is, "company.com" is authoritative for "internalmail.company.com" in the hierarchical name service system. The question of what happens in this case is questionable. Especially since in your split tunnel you probably have prepended company.com's internal DNS resolvers in the name search space so that the VPN user sees the internal sites in preference to the external ones.

Your point is correct, your example is flawed.

IMHO, of course 8-)

Re:Serious question (2, Informative)

Anonymous Coward | about 5 years ago | (#28962363)

You did notice that the page at http://networkmanagement.comcast.net/DomainHelperLogic.htm says it must be preceded by "www." right? That would seem to invalidate your example...

Re:Serious question (0)

Anonymous Coward | about 5 years ago | (#28961911)

As if this hadn't been explained over and over again.

The Internet != The Web.

Re:Serious question (2, Informative)

Anonymous Coward | about 5 years ago | (#28961945)

All sorts of stuff. There's many systems that assume a certain behavior - that when a domain doesn't exist, you get an NXDOMAIN response rather than some other record.

For example, many VPN setups use this to decide which interface to chuck data down. When you try to access 'google.com' that gets a response on the first try, so do that on the public side. When you try 'machine.company' that fails, so go try internal DNS and do it on the internal side.

I'm sure others can come up with more examples.

Re:Serious question (2, Informative)

blueg3 (192743) | about 5 years ago | (#28961965)

It's not being redirected to some search page that's the major problem. DNS is a lower-level function than the Web. Really what it's doing is replacing DNS responses indicating that a host or domain doesn't exist with a DNS response indicating that the host/domain is located at X IP address (the address of the search page). It doesn't know when it sends this response what the response will be used for. If it's for the web, you get the search page. Non-web applications will instead behave incorrectly or, at least, produce an incorrect error message.

Re:Serious question (1)

Shakrai (717556) | about 5 years ago | (#28962367)

Non-web applications will instead behave incorrectly or, at least, produce an incorrect error message.

There are applications on the internet that aren't web based? You must be into kiddie porn, software piracy, terrorism or all of the above. Please step away from the computer and await the arrival of the friendly men with the firearms and handcuffs. Don't worry, they are there for your protection.

Re:Serious question (1)

HomelessInLaJolla (1026842) | about 5 years ago | (#28961971)

The system was set up to work a particular way. Interfering with established web protocols could be, for a private citizen, prosecuted as a criminal act. Why should a corporation be allowed to do it for profit? Additionally, once you allow this sort of thing to happen, what is to prevent your ISP from monitoring, intercepting and redirecting all traffic? Imagine if you thought you were visiting Slashdot, because it looked and felt like Slashdot, but it was really your ISP's carefully scrubbed edition of Slashdot? Obviously you might enjoy it if they cleaned out all the trolls--but how about consider the implications of Slashdot losing a significant portion of its revenue because every ISP is redirecting all of the ad requests to their own ads?

Re:Serious question (2, Funny)

Shakrai (717556) | about 5 years ago | (#28962219)

Interfering with established web protocols could be, for a private citizen, prosecuted as a criminal act.

*sigh*, don't you think that's just a tad extreme?

Obviously you might enjoy it if they cleaned out all the trolls

Are you kidding? I only come here for the trolls ;)

Re:Serious question (1)

michaelhood (667393) | about 5 years ago | (#28962401)

Interfering with established web protocols could be, for a private citizen, prosecuted as a criminal act.

I stopped reading here. Let's save the ridiculous hyperbole for the mainstream media?

Re:Serious question (3, Informative)

MaerD (954222) | about 5 years ago | (#28962009)

If all you ever use is the web, that's the extent of your issue.
Now, say your im program is set to try several different dns addresses to connect. If one has been decommissioned (but the client not updated) and your IM will try to connect, possibly passing the username and password to the server that is returned by dns for "login2.whatever.com".

Even with the web, say you have a login for a store/bank/whatever, but in the latest version of their page some web developer made a typo and instead of "placeyouwanttogo.com" they put "placeyouwantogo.com" (notice the number of t's). Instead of giving you a "site not found" message, you've been redirected to an ISP page that gets all of the information you were trying to pass.

Now in my example, it's possible they could push you to a typo domain as well, but the point is dns is supposed to return "Hey this doesn't exist" to your client, which then should display an error message, determined by the application doing the dns request. If it's not http, it will look like you're trying to connect to a host and it will either be A) "Connection refused" B) Answer and confuse whatever application you are running or C) appear like a black hole and never connect.

Re:Serious question (1)

jabithew (1340853) | about 5 years ago | (#28962129)

Hmm, that bank example is very interesting and one I hadn't heard before. Thanks.

Re:Serious question (4, Informative)

Mrs. Grundy (680212) | about 5 years ago | (#28962037)

My ISP does this. They also have an 'opt-out' option, but you know what that does? It still doesn't send an NXDOMAIN response like it should. Instead it redirects me to a site that is serving the standard windows site-not-found page. A horrifying experience for this mac/linux user.

So I set up my own DNS server, which fixed the problem and sped up my internet connection since the ISP's DNS server was really slow.

Very Simple Answer (5, Insightful)

IBitOBear (410965) | about 5 years ago | (#28962187)

DNS is supposed to tell you (essentially) "no such domain name registered" when you try to find a domain name.

IFF (e.g. if and only if) DNS _only_ serviced web browsers, then one noise-page (my adverts here) is no different than any other noise page (no such name) because a human is going to go "oh, that's not what I was looking for".

But there is a heck of a lot more going on out here in the internet than just web browsing, and significant portions of it hinge on getting true and correct answers from the DNS system.

With DNS boned-up to return false positives on all names, then money can be stolen from you, the casual web browser. For instance, I send you an email from support@bankofamercia.com; you don't notice the transposition of letters, your spam filter looks up bankofamercia.com and the DNS service returns an IP address instead of no such address, that address is the same one as I spoofed in the email, the spam filter says it's a good email, you get owned.

Okay, that _is_ contrived, so try this instead...

It's 1964. You are at a pay phone. Your car has broken down. It's your last dime. You call home, but mis-dial a number that doesn't exist and you get a busy signal, and you get your dime back. You call home again and get help. The system worked.

It's 1964. You are at a pay phone. Your car is broken down. It's your last dime. You call home, but mis-dial a number that doesn't exist and some random person answers and proceeds to try to sell you car wax. Your dime is gone. You are still stuck. The system has failed.

Imagine your life if you _never_ got a busy signal. You call any extension in any company and you get to leave a voice mail but nobody will ever get that message. It would be living hell.

Worse yet, you run a small company, you make a small number of sales each month that are vital to your company's survival. You invest in an expensive advertisement on the superbowl and everything goes great. Then your DNS server dies. Now there is nobody to answer the proper DNS queries. The DNS squatter wakes up and since mylittlecompany.com no longer resolves, all that traffic goes to the Comcast Advertisement Shill page. In just a few minutes you get your DNS server working again, but everyone who got the bogus page thinks your company is trying to sell comcast telephone service and web search services and you never get that business. You are out big cash and your name is ruined. IF the spamvertisement page hadn't been there, those people might instead be thinking "wow, this service is so popular I cannot get in, maybe I'll try back in a bit" instead of "why did comcast decide to take out a superbowl ad that made it look like they sold that interesting little product?"

In short, what if every time your cell phone couldn't be found (because it was off or the battery died etc) the people trying to call you got silently redirected to a random "service" of the type one sees on late night television, offering jokes or sex chat, ostensibly in your good name?

That's what is wrong with doing that.

Re:Serious question (1)

Loconut1389 (455297) | about 5 years ago | (#28962289)

I live in Iowa and am on Mediacom, and here's an example of why it's bad.

For some reason my VMWare bridged ethernet setup screws up my network stack a little and every once in a while a site I was just visiting will fail to resolve and I get Mediacom's little yahoo enabled typosquatting service. For the life of me, I can't explain why a messed up network stack would cause mediacom's resolvers to dump me over to their little "service". Nevertheless, I get their "handy" redirects a number of times daily. Eventually the site starts resolving again, but in the meantime I have to access it from one of my VMs which usually work fine when my host system doesn't.

The point of this is twofold
1) Mediacom has been doing DNS hijacking for some time already
2) anyone care to explain how in the world my host system hits their pages for good sites but the guests usually do not?

Re:Serious question (1)

michaelhood (667393) | about 5 years ago | (#28962441)

2) anyone care to explain how in the world my host system hits their pages for good sites but the guests usually do not?

Varying DNS configuration in the host/guest OS's?

If you are using a consumer router/gateway device for your WAN, try setting your host and guests' DNS servers to the LAN IP of the router; most will pass DNS queries on to the NS it was given in its DHCP lease.

Re:Serious question (1)

michaelhood (667393) | about 5 years ago | (#28962353)

Web browsers aren't the only thing that uses DNS.

Properly functioning, if your DNS servers fail to respond, the ISP's name servers (that are configured on your system, usually by DHCP) would return an "NXDOMAIN."

This allows software to correctly inform the user that the host wasn't able to be resolved; when rogue ISPs like Comcast decide to start returning a different (and arguably hostile) IP for a host they can't resolve, instead of returning NXDOMAIN, stuff breaks and causes headaches for software developers, support, end users, and so on.

Opt-out page down already? (1)

v1k (958019) | about 5 years ago | (#28961871)

How convenient.

Re:Opt-out page down already? (1)

HeronBlademaster (1079477) | about 5 years ago | (#28961923)

It was down three weeks ago when the story ran the first time. It eventually came back up.

Re:Opt-out page down already? (1)

Tacctc (941413) | about 5 years ago | (#28961949)

I think its internal to the Comcast network. I can't access it from work but I can get it just fine from my home PC.

Re:Opt-out page down already? (4, Interesting)

HeronBlademaster (1079477) | about 5 years ago | (#28961977)

Which, if true, makes the opt-out process even more ludicrous. If I'm at home opting out, shouldn't they just DETECT my mac address, and do the opt-out automatically?

Instead, I had to enter my mac address manually (along with my e-mail address) - and then they told me it would take two business days to go through. (Granted, I got a confirmation e-mail the next day saying it was done, but why isn't this automated?)

Re:Opt-out page down already? (2, Informative)

snowraver1 (1052510) | about 5 years ago | (#28962313)

It depends how integrated the system is. Your MAC is only visible in the IP header until your packet hits a router. At that point your MAC gets stripped off and the router's MAC replaces it. I am assuming that your packet would pass through a router before hitting the web page, so it isn't as easy as reading the source address of the packet.

I'm guessing that when you opt out, you give them your MAC so that they can assign you to a different IP address pool. Then they just decide if you get hijacked or not based on the source IP address.

Re:Opt-out page down already? (1)

michaelhood (667393) | about 5 years ago | (#28962473)

AFAIK, it's not possible for a cable ISP to simply "detect" your MAC address. They probably log the IPs assigned to MACs for auditing/subpoena purposes, but this isn't some simple ip2mac() thing they can call.

As for the delay in processing your opt-out- I imagine the database/configuration isn't written on-the-fly as people submit requests, but is handled in batch jobs in off-peak times like most everything else in legacy systems.

Re:Opt-out page down already? (1)

jlivingood (1572291) | about 5 years ago | (#28962407)

It was not down then and it's not down now. You need to be on the Comcast network to access it.

Re:Opt-out page down already? (0, Troll)

Stu1706 (1392693) | about 5 years ago | (#28962023)

Knowing Comcast, I am surprised it took them this long to start the hijacking. I am also surprised they even have an opt-out page to take down. I would not be surprised if you had to pay a fee to opt out.

Re:Opt-out page down already? (1)

HeronBlademaster (1079477) | about 5 years ago | (#28962073)

This long? Slashdot ran this story weeks ago.

Treewalk or OpenDNS (1, Informative)

ground.zero.612 (1563557) | about 5 years ago | (#28961873)

I officially advocate the use of Treewalk and OpenDNS for all Comcast subscribers such as myself. Because after all, if I don't use their DNS, why should I care where they are directing non-existent domain traffic to?

Not OpenDNS (2, Insightful)

sakdoctor (1087155) | about 5 years ago | (#28961993)

4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6

At least this story doesn't have OpenDNS in the "from the X department" this time.
OpenDNS does exactly the same thing, so you might as well stick with your comcast servers.

Re:Not OpenDNS (1)

ground.zero.612 (1563557) | about 5 years ago | (#28962053)

4.2.2.1 4.2.2.2 4.2.2.3 4.2.2.4 4.2.2.5 4.2.2.6

At least this story doesn't have OpenDNS in the "from the X department" this time. OpenDNS does exactly the same thing, so you might as well stick with your comcast servers.

You're actually trying to claim that OpenDNS's bounce pages are as bad as Comcast's? Ok fine. Then what's wrong with Treewalk?

Re:Not OpenDNS (1)

Shakrai (717556) | about 5 years ago | (#28962273)

You're actually trying to claim that OpenDNS's bounce pages are as bad as Comcast's?

Who gives a shit about the bounce pages? My concern is that the lack of a proper NXDOMAIN response will break various applications whose authors were foolish enough to think that the RFCs would be followed. In that respect OpenDNS is no better.

I'm glad I have the knowledge and ability to run my own DNS server and don't have to deal with this bullshit.

WTF? (2, Insightful)

sakdoctor (1087155) | about 5 years ago | (#28962361)

There shouldn't be any hijack page, simple as that.
And yes, you can register an account for OpenDNS. But why would anybody here be advocating standards-breaking, overcomplicated, web-based nonsense?

There is nothing wrong with Treewalk, which is why I didn't mention it.

Re:Treewalk or OpenDNS (2, Informative)

jaygridley (1016588) | about 5 years ago | (#28962029)

OpenDNS is not a solution. They do the same thing.

Re:Treewalk or OpenDNS (2, Informative)

HeronBlademaster (1079477) | about 5 years ago | (#28962049)

They do the same thing.... unless you register an account. Why do people always leave that part out?

Re:Treewalk or OpenDNS (1)

Reece400 (584378) | about 5 years ago | (#28962161)

True, but in reality it's probably easier for comcast users to use the working opt out option. For Bell users that don't have that option it's a good solution.

Re:Treewalk or OpenDNS (2, Interesting)

jaygridley (1016588) | about 5 years ago | (#28962359)

Everything that I've seen on the OpenDNS website is to the contrary, (and I have an account.) Care to share the secret?

Re:Treewalk or OpenDNS (0)

Anonymous Coward | about 5 years ago | (#28962419)

Wait, really?! I have an account with OpenDNS and for the life of me I can't find any option that says "RETURN NXDOMAIN INSTEAD OF A BOUNCE PAGE". That'd be awesome if I'm just missing it somewhere.

Re:Treewalk or OpenDNS (1)

Sir_Lewk (967686) | about 5 years ago | (#28962429)

Because then they sell your data and that only works if you happen to be logged in at the time, something that will probably become an issue if you use a laptop for instance.

If you're willing to put up with that crap then fine, but it's not a valid fix for DNS hijacking.

Re:Treewalk or OpenDNS (1)

Fallen Kell (165468) | about 5 years ago | (#28962111)

Personally I have not used Comcast's DNS in years because it has been so unreliable. There has only been 1 time I have had service outage that was not due to Comcast's DNS servers not responding in all the years that I have had Comcast internet. I have also only had to call Comcast 1 time, and it was because the reverse lookup on my IP address was wrong, again, their DNS servers and DNS system is crap. I have long been using the 4.2.2.x, and 4.4.4.x servers for my DNS, ever since I totally gave up on Comcast being able to keep a properly working DNS server up and running.

Re:Treewalk or OpenDNS (5, Informative)

Sir_Lewk (967686) | about 5 years ago | (#28962375)

HOLY FUCKING SHIT

STOP SUGGESTING OPENDNS, THEY DO THIS SHIT TOO.

Excuse me while I go blow a blood vessel. Every single time a story like this comes up some idiot suggests OpenDNS and idiot mods initially mod them up.

I'd link where this happened last time but for the life of me I can't figure out how to view more than my several dozen posts.

Re:Treewalk or OpenDNS (1)

ground.zero.612 (1563557) | about 5 years ago | (#28962451)

Wow you typed in caps so I could hear through my monitor's screenmuffs. Way to go! Comcast is evil, to put it in /. terms, Comcast is Microsoft evil. I would much rather see OpenDNS's bounce page than evil Comcast's.

Re:Treewalk or OpenDNS (1)

Seakip18 (1106315) | about 5 years ago | (#28962457)

Don't worry. I've got it for you right here. [slashdot.org] Make sure you notify your next of kin before clicking thru.

Re:Treewalk or OpenDNS (4, Interesting)

horatio (127595) | about 5 years ago | (#28962433)

Because after all, if I don't use their DNS, why should I care where they are directing non-existant domain traffic to?

Using OpenDNS, Treewalk, ns1.sprintlink.net, etc doesn't matter because a) Returning the A record when the domain does not exist blatantly violates the RFCs: the established commonly agreed upon standards without which the internet would cease to function and b) some ISPs redirect your DNS traffic to their servers whether you like it or not. Some outright block DNS servers that don't belong to them, and others silently redirect your requests. c) In the README file of your latest application, you shouldn't have to tell everyone that they need to use your DNS servers just to get a *correct* response.

It isn't just you at home with your pr0n that has to deal with this BS. I have to deal with it where I work, because my company's ISP is a cable provider who does this redirect crap. So when I go to write an app that *might* use DNS, I have to screw with this nonsense because the cableco can't be bothered to return an NX - but instead always returns an A record for their server - subject to change without notification. So when they change to redirect to another server, wtf am I supposed to do then? The only way my app could possibly tell there was a problem is to see if the response matches this redirect server. And no, it isn't an option for my application to just willy nilly pick a DNS server of its choice to use. My application requests a lookup from the OS's network layer, but has no particular knowledge of the DNS servers - exactly how it is supposed to be.

If I give my app to other people, are they supposed to put into the app's configuration the A record information that would correspond to their particular ISP's "redirect" host? My app needs to know when the DNS lookup failed. I have no way to tell when every damn name returns an A record. I count on the DNS server to respond in the way the RFCs set out. Comcast and the other ISPs are saying "fuck your rules"

As has been said until we're blue in the face:The internet is not the web. If the ISPs and the browser folks want to sit down and see what the RFC permits and figure out how to return a url in the NX that the browser would recognize and could handle, then I have no problem with that. As long as it doesn't interfere with the normal operation of an NX response. As I'm sitting here thinking about it, the place for this information seems to be either in the DHCP lease, or in the wpad.dat auto-proxy configuration file. But Comcast and the others like them have decided they don't have to play well with others.
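horatio's problem is that the application only sees "an A record came back" and cannot tell a real host from the ISP's redirect server, whose address may change without notice. One workable application-side answer is to calibrate at startup: resolve a few random names that cannot exist, remember whatever addresses come back as the sinkhole set, and treat any later lookup that returns only those addresses as NXDOMAIN. The example below is added here and is not horatio's code or any real product; it wraps the OS resolver (`socket.getaddrinfo`) rather than picking its own DNS server, and it models the split-tunnel rule from earlier in the thread by falling through to an internal resolver only on a real NXDOMAIN. The `hijacking_isp`, `honest_isp` and `vpn_dns` functions are constructed stand-ins using documentation addresses so the logic can be run offline; the internal name and address follow the thread's own example.

```python
"""Application-side guard against NXDOMAIN rewriting (added example).

Calibrate with random names that cannot exist; any address the public
resolver returns for them is the ISP's sinkhole. Later lookups that yield
only sinkhole addresses are treated as NXDOMAIN, which restores the
'public first, internal on NXDOMAIN' split-tunnel rule.
"""
import secrets
import socket


class HijackAwareResolver:
    """Wraps a lookup function returning a list of IPv4 strings (empty on NXDOMAIN)."""

    def __init__(self, lookup=None, internal_lookup=None, probes=3,
                 zones=("com", "net", "org")):
        self._lookup = lookup or self.system_lookup
        self._internal = internal_lookup   # e.g. the VPN's resolver; optional
        self._probes = probes
        self._zones = zones
        self.sinkholes = None              # None until calibrate() has run

    @staticmethod
    def system_lookup(name):
        """Default lookup through the OS resolver; NXDOMAIN surfaces as gaierror."""
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
        except socket.gaierror:
            return []
        return sorted({info[4][0] for info in infos})

    def calibrate(self):
        """Resolve www.<random>.<tld> names. Anything they return is a sinkhole address.

        www. is used because, per the thread, the Comcast rewrite only fires on
        www. names; a bare-label canary could miss it.
        """
        found = set()
        for zone in self._zones:
            for _ in range(self._probes):
                canary = "www.%s.%s" % (secrets.token_hex(12), zone)
                found.update(self._lookup(canary))
        self.sinkholes = frozenset(found)
        return self.sinkholes

    def resolve(self, name):
        """Public resolver first; fall through to the internal resolver only on real NXDOMAIN."""
        if self.sinkholes is None:
            self.calibrate()
        addrs = [a for a in self._lookup(name) if a not in self.sinkholes]
        if not addrs and self._internal is not None:
            addrs = self._internal(name)
        return addrs


# Constructed stand-ins for offline use (documentation address ranges, not real hosts).
SINKHOLE = "198.51.100.53"          # assumed ISP holding-page address
PUBLIC_SITE = "192.0.2.80"          # assumed address of www.example.com


def hijacking_isp(name):
    """Public resolver that answers every unknown name with the holding page."""
    return [PUBLIC_SITE] if name == "www.example.com" else [SINKHOLE]


def honest_isp(name):
    """RFC-behaving public resolver: unknown names get NXDOMAIN (empty list)."""
    return [PUBLIC_SITE] if name == "www.example.com" else []


def vpn_dns(name):
    """Internal resolver reachable only over the VPN."""
    return ["10.1.99.12"] if name == "internal.company.com" else []


if __name__ == "__main__":
    naive = hijacking_isp("internal.company.com")        # what a plain client sees
    guarded = HijackAwareResolver(hijacking_isp, vpn_dns)
    print("naive lookup   :", naive)                       # [SINKHOLE]: mail client hangs
    print("sinkholes found:", sorted(guarded.calibrate()))
    print("guarded lookup :", guarded.resolve("internal.company.com"))  # ['10.1.99.12']
```

The guard is only as good as its calibration: if the ISP hands out several holding-page addresses, raise `probes`; if it rotates them over time, recalibrate periodically. It also cannot help when the redirect server shares an address with something you genuinely want to reach, which is one more reason the fix belongs in the resolver, not in every application.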

Repeat? (2, Insightful)

HeronBlademaster (1079477) | about 5 years ago | (#28961877)

Is it just me or was this story on slashdot like three weeks ago? And I complained then? And we all opted out?

Re:Repeat? (0)

Anonymous Coward | about 5 years ago | (#28961909)

It is a repeat.

Re:Repeat? (0)

Anonymous Coward | about 5 years ago | (#28961997)

Yes [slashdot.org] . My understanding is that last time it was "selected market testing". Not sure if this story is any different.

Off mah dns partnah (-1)

Anonymous Coward | about 5 years ago | (#28961881)

Suppose a shotgun to the head would also stop this?

Re:Off mah dns partnah (0)

Anonymous Coward | about 5 years ago | (#28962447)

Yea, unless you accidentally missed. Then you probably would end up hitting one of the advertisers instead.

Wait... That idea has merit.

Personal caching nameserver? (1)

ghostis (165022) | about 5 years ago | (#28961895)

Does anyone have a pointer to clear instructions for setting up a caching nameserver on various platforms and configuring those platforms to use it?

Re:Personal caching nameserver? (1)

Muad'Dave (255648) | about 5 years ago | (#28962057)

I have one running on an NSLU2 [wikipedia.org] . There's a tutorial on this site [nslu2-linux.org] somewhere to install linux and configure dnsmasq.

Re:Personal caching nameserver? (1)

sakdoctor (1087155) | about 5 years ago | (#28962097)

On ubuntu:
sudo apt-get install bind9
will give you a working caching nameserver.
This page gives info about maintaining root hints: http://tldp.org/HOWTO/DNS-HOWTO-8.html [tldp.org]

On windows XP I've been using Posadis which sort of sucks, except when compared to all the others I tried.
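A stock bind9 package does give you a working caching resolver, but the default options are worth tightening before you point a LAN at it. The fragment below is an added example, not from the post above or the TLDP page it links; the LAN range 192.168.1.0/24 and the router address 192.168.1.1 are assumed values to substitute with your own.

```conf
// /etc/bind/named.conf.options -- caching-only resolver for a home LAN.
// Added example; 192.168.1.0/24 and 192.168.1.1 are assumed LAN values.
acl "lan" { 127.0.0.1; ::1; 192.168.1.0/24; };

options {
    directory "/var/cache/bind";

    // Resolve from the root hints (the DNS-HOWTO link above covers keeping
    // them current). Deliberately no "forwarders" line: forwarding to the
    // ISP's resolvers would hand the same wildcarded NXDOMAIN answers back.
    recursion yes;

    // Only serve the LAN. Without these two lines a resolver reachable from
    // the internet is an open resolver, usable by anyone for amplification.
    allow-query { lan; };
    allow-recursion { lan; };

    listen-on { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 { ::1; };
};
```

After editing, `named-checkconf` validates the syntax and `sudo service bind9 restart` applies it; then point the machines (or the router's DHCP) at 192.168.1.1. A check that it worked is that `dig www.<random-string>.com` returns status NXDOMAIN instead of an A record. Note that this only helps when the ISP's redirect lives in its own resolvers; if the ISP transparently intercepts all port 53 traffic, your resolver's upstream queries are answered by the ISP anyway.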

Re:Personal caching nameserver? (1)

Daniel_Staal (609844) | about 5 years ago | (#28962185)

That may or may not solve the problem, depending on how the ISP is implementing the hijacking. If they have just set up some records in their DNS boxes, then yes, setting up your own nameserver will solve the problem. If they are capturing all UDP port 53 traffic and handling it themselves, then it won't.

I noticed this yesterday (3, Interesting)

lothos (10657) | about 5 years ago | (#28961899)

I noticed this yesterday, and they only seem to hijack www.example.com, and not example.com or ftp.example.com.

Still a pain in the ass, and I'm in the process of opting-out. The opt-out is pretty easy, and I've also sent an email to comcast regarding this.

Re:I noticed this yesterday (1)

HeronBlademaster (1079477) | about 5 years ago | (#28961955)

I opted out, then I called in and complained. You should too. (You'll note that the opt-out page tells you "this will take 2 business days". Seriously, it should be automated.)

I figure, if enough of us waste their customer support time (costs them like $8/call), they'll realize we really don't want them to do this, and they'll stop it.

I'm probably dreaming, though.

Re:I noticed this yesterday (1)

JayAitch (1277640) | about 5 years ago | (#28962175)

I'm afraid the lackey at the other end will try to make me go through their troubleshooting script. "Please remove the power cable from the back of your router and cable modem..." This isn't a problem with my cable modem!!! (this time)

Re:I noticed this yesterday (1)

HeronBlademaster (1079477) | about 5 years ago | (#28962255)

No, don't call in for the opt-out. Just call in to complain about the fact that they're doing it at all. Preferably including a lengthy technical description about why it's a terrible idea and breaks the internet.

Re:I noticed this yesterday (1)

michaelhood (667393) | about 5 years ago | (#28962511)

No, don't call in for the opt-out. Just call in to complain about the fact that they're doing it at all. Preferably including a lengthy technical description about why it's a terrible idea and breaks the internet.

I'm sure the script-reader in Comcast's "support" will be enamored at your "lengthy technical description."

Most of these people hate their jobs as much as we hate the existence of their positions.

Bottom line: If they're polite and helpful, I think it's being a bit of a jackass to annoy them and waste their time. If they're snippy and rude (commonly are, unfortunately) then it's fair game. :)

Re:I noticed this yesterday (1, Informative)

Anonymous Coward | about 5 years ago | (#28962195)

Likely the opt out is based on resetting the modem, which they don't like to do unless they have to. Pushing a different profile to it is my guess.

Re:I noticed this yesterday (2, Funny)

dyingtolive (1393037) | about 5 years ago | (#28962039)

The opt-out is pretty easy, and I've also sent an email to comcast regarding this.

Hello lothos,
We received your email regarding the easy opt-out, and we would like to take the time to assure you that we are doing everything in our power to make this much more difficult. We apologize for any convenience you may have encountered, and thank you for being a valued Comcast customer!

Best Regards,
Comcast Support

Re:I noticed this yesterday (1)

Tacctc (941413) | about 5 years ago | (#28962087)

I'm seeing the same thing from my connection.

Doing a wget comcastisashittyisp.com returns a proper NXDOMAIN response, however wget www.comcastisashiityisp.com returns http://search2.comcast.com/?cat=dnsr&con=ds&url=www.comcastisashittyisp.com [comcast.com] .

Re:I noticed this yesterday (1)

HeronBlademaster (1079477) | about 5 years ago | (#28962205)

Interesting. That wasn't the case last time this story ran.

fucking idiots.....at least I have BIND (5, Informative)

Indy1 (99447) | about 5 years ago | (#28962017)

I've always used a linux box as my firewall /router box at home, and I've been running BIND as a caching DNS server. Fortunately this won't affect me, as I totally bypass spamcast's bullshit.

The flip side of net neutrality (3, Interesting)

MikeRT (947531) | about 5 years ago | (#28962019)

No new legislation is needed. Just get the courts involved. Let content providers sue the heck out of Comcast for making a dime off of abusing their domain names. The ISPs think that Google, etc. are "using their pipes to make money," well this is using the content provider's domain and brand to make money. Technical details aside, the effect on the relationship between the content provider and their users is the same whether it is literally hijacking control over the subdomains or creating the perception to user that that is happening. No matter what Comcast may claim, they are altering the relationship between the domain holders and their users.

Re:The flip side of net neutrality (3, Informative)

dissy (172727) | about 5 years ago | (#28962491)

No new legislation is needed. Just get the courts involved.

Exactly. This act is already illegal. It is called typo-squatting.

http://thomas.loc.gov/cgi-bin/query/z?c106:S.1255.IS:= [loc.gov]
Specifically, see section 3, (2)(a), and probably (2)(b) as well.

Now we just need as many people as we can get, who have a domain name which is trademarked, to press charges against comcast under this law for your own domain.

`(i) an award of statutory damages in the amount of--

      `(I) not less than $1,000 or more than $100,000 per trademark per identifier, as the court considers just; or
      `(II) if the court finds that the registration or use of the registered trademark as an identifier was willful, not less than $3,000 or more than $300,000 per trademark per identifier, as the court considers just; and
      `(ii) full costs and reasonable attorney's fees.

Chances are since the main purpose of this change is for ad revenue, and not a willful infringement, only line (I) will apply.
Additionally, you probably can't get the 'bad faith' additions applied, unless you can somehow prove the ads served on their 'page not found' fake-page happen to be ads for your competition.

But a minimum of $1000 plus attorney fees is pretty decent if you have nothing better to do...

Clinton Rescues U.S. Spies Captured By N. Korea (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#28962021)

Debriefing at C.I.A. headquarters to occur shortly.

Read about it here [huffingtonpost.com] .

PatRIOTically Yours,
K. Trout

Whats this? (1)

Steauengeglase (512315) | about 5 years ago | (#28962089)

Huh, the link keeps going to something about net neutering. Oh well.

Method? (1)

The Moof (859402) | about 5 years ago | (#28962103)

Does anyone know which method they're using to intercept the DNS? There was an article on here a few months back about them redirecting all port 53 traffic to their servers ('testing in a small market' or something). Other cases usually just configure the nameservers issued via DHCP to respond for NX records with their A for search pages.

I ask because if they're redirecting all port 53 traffic, using your own servers (or anyone else's) won't do you much good. Also, its legality is questionable.

"Accidently" Hacking their Server (4, Interesting)

blueskies (525815) | about 5 years ago | (#28962131)

So if you are trying to pen test some machines you own and Comcast points you to their server who is to blame? Are you really responsible if Comcast hijacks your DNS requests and sends you to their server?

I was testing against a known invalid DNS entry (ie: personally owned but not parked domain name). How are you responsible when they hijack your connection?

Even better is when someone pwns Comcast's server and exploits all of Comcast's customers with a browser exploit hosted there.

Run your own (1)

WindBourne (631190) | about 5 years ago | (#28962211)

Simply run bind9 on your system. Comcast will not stop you.

This one is strange... (0)

Anonymous Coward | about 5 years ago | (#28962239)

I only have a basic understanding of DNS but the last time I saw this the non-existing domain would always resolve to some address.

When I got this email from Comcast last night, I typed a non-existing domain into my browser and it brought up a Comcast page. However, when I tried to ping the same domain it came back as a non-existent domain.

Re:This one is strange... (1)

MightyMartian (840721) | about 5 years ago | (#28962279)

If a DNS query resolves, it resolves. Are you sure you just weren't getting a non-response from the packets being sent out? The resolver sits beneath any particular software doing host name lookups, so whether it's a ping, a browser, a mail client or whatever, it would still be the same resolver asking the Comcast DNS servers.

At least Comcast is using MAC addresses (1)

dacut (243842) | about 5 years ago | (#28962247)

At least Comcast got the opt-out implementation right. It's done by the cable modem's MAC address, which means that all DNS lookup traffic will start getting NXDOMAIN queries. Oddly, their instructions indicate that this only takes effect when your modem does its next DHCP client lease. My guess is they've blocked off a range of IPs as "opt out," and just assign your MAC to get a lease from the opt-out range.

I'd greatly prefer it if Comcast had just left things alone, of course; at least, though, they didn't fall into the old "The Web is the Internet" fallacy like Bell Canada.

comcast sponsors standards work on this topic (4, Informative)

Anonymous Coward | about 5 years ago | (#28962275)

http://tools.ietf.org/html/draft-livingood-dns-redirect-00

note where author works.

Err just which of the cablemodem MACs do they want (0)

Anonymous Coward | about 5 years ago | (#28962287)

I just looked at my cablemodem and it has 4 MAC addresses associated with it:

HFC MAC Address
Ethernet MAC Address (probably not?!)
CM USB MAC Address
CPE USB MAC Address

I suspect that it is the first?

No sense entering it until I know if it makes a difference or just allows the scam to go on.

Thanks!

Intentional and Malicious Obfuscation (2, Informative)

tomvon (960633) | about 5 years ago | (#28962317)

I had to jump through hoops to get the hijacking removed from FIOS. There's no way an average user would be able to do it. Verizon's instructions weren't even accurate, I had to Google to get the right directions that were put up by some bloggers. I'm sure it was all Verizon's intention to keep the direction so cryptic and flat out wrong. Fuck the phone and cable companies and the fuckwad senators and congresspeople that let these sleazebags get away with this shit. I'm so fucking tired of having everything be a battle all the fucking time with these "services". What the fuck ever happened to competition in the US? There's like only 3 companies for any industry. Too big to fail my ass.

Optimum Online in NY also started recently (2, Informative)

PingXao (153057) | about 5 years ago | (#28962319)

They've got about 3 million subscribers in the NY metro area (CT, NJ and NY excluding Manhattan). They just started doing this a couple of months ago. I noticed it when my DNS queries started failing completely. Seems I had changed my DNS servers to ones not owned by Optimum (aka Cablevision) because of speed issues, and with their most recent change they're also blocking DNS queries directed to servers other than their own.

Don't look for the latest net neutrality bill to fix this. All that is is the ISPs making the bag of bribes bigger until the greed of Congress can no longer resist.

Not "more sensible" (0)

Anonymous Coward | about 5 years ago | (#28962329)

"The good news is that the opt-out is a more sensible registration based on cable modem MAC"

It's better than cookies, yes, but it is still broken. Is it *so* difficult for them to require people to opt-*in* to get this nonsense? If I'm paying for DNS services, why is it unreasonable to expect them to be correctly implemented to standards, rather than hijacked? At the very least, where's my cut? Can I get a reduction in fees for putting up with a reduced/defective service?

It still takes 2 days to opt-out. (4, Funny)

WarJolt (990309) | about 5 years ago | (#28962331)

Your opt-out request has been confirmed. We will complete processing of this request within 2 business days.

I wonder if /.ing the Comcast request page makes it take longer. ;-)

Re:It still takes 2 days to opt-out. (3, Informative)

nweaver (113078) | about 5 years ago | (#28962485)

The latency comes from two factors.

The biggest is because Comcast gives very long DHCP leases, and the change doesn't propagate to your system until your access device gets a new DHCP lease.

The second is they probably batch updates to the DHCP server to say who's opted-out.

If you want to have it go faster, after going to the opt-out site, reset your cable modem and your NAT box and it will probably take effect right away. If that doesn't work, wait an hour and try again.

1-800-comcast (2)

Alien Being (18488) | about 5 years ago | (#28962333)

If you have about ten minutes be sure to give them a call. Explain to them that they're breaking basic internet functionality, the very service you're paying for.

No ISP should ever supply bogus dns info for domains they don't own.

Cox opt out (2, Insightful)

cprocjr (1237004) | about 5 years ago | (#28962403)

My ISP Cox did this and to opt out of it all you had to do was change your DNS server to another one that they provided. In my opinion this is much better than cookies and router MAC addresses because you can do it on a computer by computer basis.

Opted out a while ago. (1)

Anonymous Freak (16973) | about 5 years ago | (#28962405)

Worked fine, I get the proper NXDOMAIN response. No goofy fake 'domain not found' page, like bellca.

WTF?!? Yesterday I was getting NXDOMAIN correctly, today I'm back on to their crappy search page! Dammit, I opted out when they first announced this! Comcast, you bastards!

Comcast (1)

elrous0 (869638) | about 5 years ago | (#28962437)

The funny thing is that Monday morning I saw Comcast's executive vice president on CSPAN-2 saying that they fully supported the principle of net neutrality.

Comcast's version is orders of magnitude better... (4, Informative)

nweaver (113078) | about 5 years ago | (#28962439)

Comcast's version is an order of magnitude better than everybody else's.

a: There is a REAL opt-out, that puts your DHCP lease to point to a DNS resolver that doesn't do this. I'll have to do this when I get home. Compare this with, e.g., Verizon's pitiful opt-out instructions involving manually changing DNS settings [verizon.net] .

b: IF you had manually set your DNS resolver to a Comcast server, you are unaffected (they added new resolver addresses to do this), per previous discussions by the Comcast folks over at Broadband Reports.

c: It does NOT get *.whatever, only www.*.(TLD), thus even when you don't opt out, it is at least limited to web-related typos. This is actually a big deal, as I think Comcast is the first one NOT to do it for everything.

I don't like NXDOMAIN wildcarding (it was one of the motivations behind building the ICSI Netalyzr), but if an ISP is going to do it, Comcast's is actually well constructed to both limit collateral damage (it only gets www.*) and be able to be bypassed with a real opt-out.
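Two posts in this thread describe the same defensive problem from opposite ends: the developer earlier who cannot tell an NXDOMAIN from the ISP's synthetic A record, and the observation here (and in Tacctc's wget test) that only www.&lt;label&gt;.&lt;tld&gt; is wildcarded. The block below is an added example, not code from any poster or from Comcast: it probes the resolver with names that cannot exist, records which name shapes come back with an address (the redirect target), and then treats any lookup whose only answer is that target as a failed lookup. The simulated resolver, its redirect address 192.0.2.53 (a TEST-NET-1 address) and the example.com records are all constructed stand-ins; `system_resolver` is the adapter to use against a real connection.

```python
import random
import socket
import string


class NxDomain(Exception):
    """Raised by a resolver callable when the name does not exist."""


# Constructed stand-in for an ISP resolver that wildcards NXDOMAIN.
# Records and redirect address are hypothetical; the behaviour modelled is
# "unknown www.<label>.<tld> gets an A record for the ISP search page,
# every other unknown name gets a proper NXDOMAIN".
REDIRECT_IP = "192.0.2.53"          # TEST-NET-1, stands in for the ISP search box
KNOWN = {                           # hypothetical sample records
    "example.com": ["93.184.216.34"],
    "www.example.com": ["93.184.216.34"],
}


def isp_resolver(name):
    """Simulated ISP resolver (constructed, not any real ISP's behaviour)."""
    name = name.rstrip(".").lower()
    if name in KNOWN:
        return list(KNOWN[name])
    labels = name.split(".")
    if labels[0] == "www" and len(labels) == 3:
        return [REDIRECT_IP]
    raise NxDomain(name)


def system_resolver(name):
    """Adapter for the OS resolver, for running the same checks for real."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except socket.gaierror as e:
        raise NxDomain(name) from e


def random_label(n=12):
    """A label no one has registered, with overwhelming probability."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def probe_wildcard_scope(resolve, tlds=("com", "net", "org")):
    """Resolve names that cannot exist and report which shapes get an answer.

    Returns {shape: set of addresses}. A shape with a non-empty set is being
    wildcarded, and that set is the redirect target to guard against."""
    shapes = {
        "bare": lambda label, tld: f"{label}.{tld}",
        "www": lambda label, tld: f"www.{label}.{tld}",
        "other-sub": lambda label, tld: f"ftp.{label}.{tld}",
    }
    found = {}
    for shape, make in shapes.items():
        addrs = set()
        for tld in tlds:
            try:
                addrs.update(resolve(make(random_label(), tld)))
            except NxDomain:
                pass                # the correct answer for a bogus name
        found[shape] = addrs
    return found


def guarded_lookup(resolve, name, redirect_addrs):
    """Return the addresses for name, or None when the name does not exist
    or when the only answer is the ISP's redirect target."""
    try:
        addrs = set(resolve(name))
    except NxDomain:
        return None
    if addrs and addrs <= redirect_addrs:
        return None                 # synthetic answer: treat as NXDOMAIN
    return sorted(addrs)


if __name__ == "__main__":
    scope = probe_wildcard_scope(isp_resolver)
    redirect = set().union(*scope.values())
    print("wildcarded shapes:", {s: sorted(a) for s, a in scope.items() if a})
    print(guarded_lookup(isp_resolver, "www.example.com", redirect))
    print(guarded_lookup(isp_resolver, "www.no-such-site-zzz.com", redirect))
```

Swap `isp_resolver` for `system_resolver` to run the probe against your own connection; an opted-out line should report an empty set for every shape. The guard is deliberately conservative: it only suppresses an answer that consists entirely of probe-discovered redirect addresses, so a legitimate host that happens to share an address with something else is never hidden, and the redirect target is learned at runtime rather than hard-coded, which is what the earlier complaint about "subject to change without notification" needs.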

Time for the botnets to get busy (0)

Anonymous Coward | about 5 years ago | (#28962449)

Someone with a large botnet should leech the hell out of non-existent domains via http, on all infected machines that are online via Comcast or Bell.

Old news (1)

HunterZ (20035) | about 5 years ago | (#28962469)

WTF, this is old news! There's even a link to the month-old story in the "related stories" box below the summary. Why is Slashdot posting a freakout story that makes it sound like it just came out of nowhere all of a sudden?

OpenDNS (1)

murreyaw (96319) | about 5 years ago | (#28962479)

Are they only jacking folks that use their DNS servers, or all DNS Requests from their network?
