Comcast DNS Redirection Launched In Trial Markets 362
An anonymous reader writes "Comcast has finally launched its DNS Redirector service in trial markets (Arizona, Colorado, New Mexico, Oregon, Texas, Utah, and Washington state), and has submitted a working draft of the technology to the IETF for review. Comcast customers can opt-out from the service by providing their account username and cable modem MAC address. Customers in trial areas using 'old' Comcast DNS servers, or non-Comcast DNS servers, should not be affected by this. This deployment comes after many previous ISPs, like DSLExtreme, were forced to pull the plug on such efforts as a result of customer disapproval/retaliation. Some may remember when VeriSign tried this back in 2003, where it also failed."
Here We Go Again (Score:5, Informative)
Some may remember when VeriSign tried this back in 2003, where it also failed.
Oh yeah, way back in the day. But let us not forget Earthlink's [slashdot.org] attempt at this [slashdot.org] or Canadian Rogers Cable [slashdot.org] or Charter [slashdot.org] or NJ Cabelvision [slashdot.org] or ... I'm sure you could find no end to this stream of providers offering their customers something the customers simply do not want.
And I'm pretty certain most of those ended or resulted in customers bitching out the provider. Yet here we go again. Why? Well, that's simple: ad revenue.
A LOT of ISPs already do this... (Score:5, Informative)
I don't want to name names, but Netalyzr [berkeley.edu] showed that several major ISPs already do this, and allows you to check for yourself what the behavior is on your network.
Comcast is following the lead of other major ISPs which have been doing this for some time now.
Re:So should... (Score:5, Informative)
Except for the bit where Comcast users not using Comcast DNS servers are unaffected, as per TFS.
Unless you're complaining that they could, in theory, redirect port 53. Frankly, anyone remotely familiar with how the Internet works should know that your ISP *could* completely and arbitrarily control any nonauthenticated protocol, including DNS.
Re:Here We Go Again (Score:5, Informative)
If I'm not mistaken (although I often am, sorry in advance) Cox has been doing this for months now, and nobody posted anything about that. If I 'typo' a URL at home, when connected via my (or my neighbor's) Cox cablemodem, I get a Verisign page indicating that www.whateveriswas.com is Under Construction.
Is this not muchly the same thing??
It pisses me off, but not enough to hunt down a better alternative.
Re:Here We Go Again (Score:2, Informative)
Rogers is still doing it.
Re:So should... (Score:5, Informative)
OpenDNS does exactly the same. (unless you register account and change it, but thats the case with this comcast thingie aswell)
Re:Best DNS alternative w/o redirection? (Score:1, Informative)
Re:I just signed up the competition... (Score:5, Informative)
AT&T ... they aren't keeping a database of my URL lookups7.
Until the NSA asks [eff.org] them to. Let's not pretend that AT&T isn't evil.
Lots have failed, but some have succeeded (Score:5, Informative)
Re:So should... (Score:5, Informative)
OpenDNS does the exact same thing. To avoid DNS highjacking if you use OpenDNS, you have to have an account with them, change your preferences and always be identifiable to OpenDNS so that it can apply your preferences. It's easier to opt out at Comcast than to opt out at OpenDNS. Besides, OpenDNS also redirects www.google.com to OpenDNS servers, not just nonexistent domains.
Re:So should... (Score:5, Informative)
Re:The Sky isn't faling. (Score:5, Informative)
It doesn't redirect you to a third-party site owned by the NSA; it redirects you to a third-party site, full stop. This not only breaks a whole host of applications relying on DNS to inform them that a domain name doesn't exist, but it is in violation of the standards that hold the Internet together.
Re:Best DNS alternative w/o redirection? (Score:5, Informative)
I use Level3's anycast dns resolvers. They are fast and work great. Pair them with a local dns cache and you'll be golden.
4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6
In case you don't know about anycast.
http://en.wikipedia.org/wiki/Anycast [wikipedia.org]
Re:So should... (Score:5, Informative)
Why do these OpenDNS posts keep getting modded up? OpenDNS utilizes the very practices this article bemoans! If you query a domain that does not exist, your browser is redirected to OpenDNS's ad-laden spam site.
Despite their claims to the contrary, OpenDNS's servers are likely farther away from you than your local ISP's. They also keep permanent logs of all queries, which could be subpoenaed by a government entity. Their joke of a privacy policy allows them to sell your logs to "Affiliated Businesses", which pretty much means anybody. Not that it really matters - they could amend their privacy policy tomorrow morning and be selling your info by the afternoon.
I think many people read the "Open" part of the OpenDNS name and turn their brains off.
Opt Out if you're not cool with this (Score:2, Informative)
Re:Here We Go Again (Score:3, Informative)
I believe my Verizon DSL service does this. It can be disabled either by changing your computer DNS settings or modem settings depending on which modem you use.
Verizon Support - Opting out of DNS assistance [verizon.net]
Re:Call it what it is (Score:3, Informative)
Yes it is. What you described is the very definition of typosquatting, if you add the point of what you see on this "GUI interface" (which is the job of your browser to create, btw.)
And if you think about them paying for servers to display this "interface", you will know that there is a reason they do this:
To make money. Obviously.
And what is the reason, that typosquatters add a "GUI interface" to unused domains?
Also to make money. Obviously.
Point proven. :)
Re:Here We Go Again (Score:5, Informative)
Re:malware (Score:5, Informative)
In what way is this relevant to OpenDNS? They actually do the same dirty trick aswell. Just because they have "open" in their name doesn't mean they're great and everyone should use them. They run their DNS servers to make profit from non-existing domains and hell, they even redirect requests to google.com to their own servers.
Thankfully there are open dns servers that dont do such either, for example university in Gothenburg, Sweden: 129.16.1.53 and 129.16.2.53 and several others. Those that have the technical knowledge can also set up their own dns recursive dns servers on their linux box and use those directly (while it fetches the results from root servers)
Re:I just signed up the competition... (Score:2, Informative)
Re:I just signed up the competition... (Score:3, Informative)
But you do know about the special rooms on the AT&T trunk lines that monitor all the traffic for the NSA, right?
Not that me using Qwest stops my traffic from being monitored too, but at least I am not directly supporting AT&T (or Verizon) and their habit of handing over whatever information is asked without requiring a search warrant to back it up.
Qwest refused to hand over data without a search warrant.
Re:Bad assumption being made (Score:3, Informative)
That depends. If you have server authentication, it won't. More importantly, if the Comcast server doesn't listen on any port but 80, it certainly won't.
If you were relying on correct DNS responses to provide security (such as preventing your login credentials from being given away), you were doing it wrong in the first place.
Re:So should... (Score:4, Informative)
Re:malware (Score:5, Informative)
Easy, through innovation and distinct added value. Shouldn't take a rocket scientist to figure it out but apparently it does. Recently, our ISP decided to offer a brand new service allowing you to double your bandwidth simply by adding another DSL line. Guess what, they are now the fastest growing ISP in Canada.
Schemes like DNS redirection are a scam and should be banned unless they contain no advertising or indirect revenue generation whatsoever.
Re:So should... (Score:3, Informative)
When opendns started it was precisely that - an open DNS system which even had its own set of free TLDs to play with.
Then they smelled money. And the rest is history.
Use the anycast DNS at 4.2.2.1, 4.2.2.2, etc. Run by Level3 who have plenty of money anyway and don't need to nickel and dime DNS for it.
Re:Here We Go Again (Score:5, Informative)
No, you threaten to sue them for lost company profits caused by their DNS hijacking and interfering with your work routine, and that you can 100% prove it and have documented everything relevant. That'll get you out of your contract in a hurry.
I just used that to help a motor sports company out here in CA get out of their contract with Comcast.
Re:Who's providing a backdoor DNS service? (Score:5, Informative)
It's not like Comcast is going to be intercepting all DNS traffic and routing it through their spammy DNS servers.
Why not? As raddan posted above me, Sprint already did this with their aircard service. The huge majority of customers won't notice the difference since they don't know about alternative DNS servers.
Re:What would this look like? (Score:3, Informative)
The web page looks the same. You have to look at the DNS results (or the TCP connections) to see what's going on. If you're using Windows, open a command prompt and compare the outputs of
nslookup www.google.com 4.2.2.1
and
nslookup www.google.com resolver1.opendns.com
The first parameter is the query, the second is the server. 4.2.2.2 is the anycast address of one of Level3's DNS resolvers, which implement DNS correctly. The result of the second command is a CNAME under the opendns.com domain and an IP address which belongs to OpenDNS LLC (you can verify this by asking whois.arin.net for information about the address with a whois client).
Re:malware (Score:5, Informative)
Try looking at the entire service. So far as I have been able to tell, you can turn off every single one of their "features", giving you a simple, straightforward dns service.
And for those replying to you confused about the google thing - they don't
. What they do is provide a dns entry for www.google.com that points to their own servers. These servers proxy the real www.google.com to strip out some functionality that opendns found particularly offensive (I have not experienced the functionality, and can't say whether I agree or disagree with their views). However, like every other "feature" I've found at OpenDNS, you can turn this off. Yes, at first you couldn't. I stopped using OpenDNS for awhile. Now you can.
Re:malware (Score:1, Informative)
Re:malware (Score:3, Informative)
The real nasty issue with these services are that they are claimed to be helpful to users. The issue is that it is not helpful. Modern browsers already provide options to redirect NXDOMAIN's to a search engine, or other useful things.
For example, Google chrome provides a nice page that says "DNS error - cannot find server" in the corner, and provides a helpful search box that is pre-filled with the words found in the domain name. (I have no idea what algorithm is being used to find the word breaks, but it seems to work reasonably well.)
If you have Google Toolbar installed in IE, it does the same thing (except for having Google Toolbar branding rather than Chrome Branding).
Other common search toolbars provide similar services.
I will admit that IE's default error page, and Firefox's default error page are not as helpful to most users, but rather than hijack DNS, why don't you (ISPs) just add the "feature" to the IE toolbar you provide on your Set-Up CD. Those who have no use for such a service don't use those CDs anyway.
Re:What would this look like? (Score:5, Informative)
If you don't believe it, try the commands for yourself:
-=-=-=-=-
overmind% nslookup
Default Server: localhost
Address: 127.0.0.1
> set querytype=a
> www.google.com
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: www.l.google.com
Addresses: 74.125.53.147, 74.125.53.104, 74.125.53.99, 74.125.53.103
Aliases: www.google.com
> server 208.67.220.220
Default Server: resolver2.opendns.com
Address: 208.67.220.220
> www.google.com
Server: resolver2.opendns.com
Address: 208.67.220.220
Non-authoritative answer:
Name: google.navigation.opendns.com
Addresses: 208.69.36.230, 208.69.36.231
Aliases: www.google.com
-=-=-=-
Talking to my local DNS server, www.google.com resolved to IP addresses in the 74.125.0.0/16 netblock, which is assigned to Google.
Talking to resolver2.opendns.com, www.google.com resolved to 208.69.36.230 and 208.69.36.231, which have no reverse information, but are in the 208.69.32.0/21 netblock which is assigned to OpenDNS.
Re:Here We Go Again (Score:1, Informative)
It's actually something like 4.2.2.1 through 4.2.2.20 ;)
Re:Who's providing a backdoor DNS service? (Score:4, Informative)
It's a problem because DNS is used by more things than web browsers with human operators. A "this host does not exist" response at DNS-level contains information that a "404 not found" response at HTTP-level does not provide. And that's even assuming they have the common sense to make their "default search page" return an error status code; it's highly likely it'll return an OK status, since as a general rule the people who understand how the internet works at a technical level will refuse to be involved in these kind of projects, which means people who don't really understand what they're breaking are in charge of it all.
When Verisign did this a few years ago, they set up an SMTP rejection service so that mistyped domain names in email addresses would result in an immediate bounce, rather than sitting in the mail queue attempting to be delivered to an address that didn't accept mail for a few days before finally being bounced. This service didn't actually work properly, with the result that if you had more than one incorrect domain in the recipient list, you would get a bounce for only some of the wrong domains. This is because the people that implemented the service didn't think it was necessary to actually parse the SMTP commands, and instead just responded with a scripted "Hello, Ok, Reject" over and over again regardless of what the input was. Needless to say, this was very confusing for actual mail servers.
In addition, people using web browsers that are configured to do something useful in the case of a non-existent domain name get screwed, because now every domain resolves and serves up web pages. If Comcast's "not found" service is not as good as whatever their browser was previously doing, too bad.
At least Comcast provide an opt out, and most of their customers are presumably using Comcast's SMTP relay servers, which one would hope use real DNS servers, so the problems should not be as widespread as when Verisign did it to the entire .com namespace. However whenever you change how a fundamental part of anything works (and has worked for decades) there will always be fallout and unanticipated issues. This is also complicated by the fact you can't differentiate DNS lookups by web browsers from DNS lookups from anything else; with a result being that even when you do anticipate issues, you can't provide a 100% adequate solution to mitigate it.
Re:malware (Score:3, Informative)
Um, this concerns me quite a bit:
These servers proxy the real www.google.com to strip out some functionality that opendns found particularly offensive...
What? That doesn't make any sense. They only appear to proxy the first page, enough to capture what you type in the search box.
Lets examine the evidence:
$ dig @resolver1.opendns.com www.google.com A
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.216.231
google.navigation.opendns.com. 30 IN A 208.67.216.230
$ whois 208.67.216.231
OrgName: OpenDNS, LLC
Now visit both:
http://208.67.216.231/ [208.67.216.231]
http://www.google.com/ [google.com]
Notice anything different in the footer? Say the link that says Go to Google.com [google.com]
There may be a good faith relationship between OpenDNS and Google, but it still means that OpenDNS is proxying your queries! Thus tracking your search queries.
It appears OpenDNS never responded to the many questions on their own forum [opendns.com]
DNS redirection is bad, and proxying to collect information is evil. Both methods are employed by scammers and phishers.
Re:malware (Score:3, Informative)
Here it is:
http://tech.slashdot.org/article.pl?sid=09/06/09/1731238 [slashdot.org]