
Comcast DNS Redirection Launched In Trial Markets 362

An anonymous reader writes "Comcast has finally launched its DNS Redirector service in trial markets (Arizona, Colorado, New Mexico, Oregon, Texas, Utah, and Washington state), and has submitted a working draft of the technology to the IETF for review. Comcast customers can opt out of the service by providing their account username and cable modem MAC address. Customers in trial areas using 'old' Comcast DNS servers, or non-Comcast DNS servers, should not be affected by this. This deployment comes after many previous ISPs, like DSLExtreme, were forced to pull the plug on such efforts as a result of customer disapproval/retaliation. Some may remember when VeriSign tried this back in 2003, where it also failed."
  • Call it what it is (Score:5, Interesting)

    by wilsoniya ( 902930 ) on Thursday July 09, 2009 @02:46PM (#28640253)
    Didn't RTFA, but let's call a spade a spade--this is typosquatting [wikipedia.org]
  • by GPLDAN ( 732269 ) on Thursday July 09, 2009 @02:53PM (#28640345)
    It was *MUCH* easier for me to sign up for basic TV + internet with Comcast than what I ended up doing. I wanted to keep everything at the magic $100/mo. number, so I went with AT&T - DirecTV partnership, where they give you DSL and a dish and DVR, and put it all on one bill. My DSL is 3Mb down/768kb up, where a Speakeasy test at my neighbor showed almost 12Mb down and nearly a full meg up. When he asked "why would you choose that?" - my answer was simple: Comcast.

    AT&T doesn't touch my bandwidth. They don't cap it, they don't filter it - they aren't keeping a database of my URL lookups. That's worth a great deal to me - and Comcast will never get my business. I urge everyone else to do the same, even if it is some other DSL provider or dish provider.
  • by Shakrai ( 717556 ) on Thursday July 09, 2009 @02:54PM (#28640361) Journal

    The sky isn't falling.

    It is if you were foolish enough to believe that the RFC/protocol standards would be obeyed and wrote code that relies on an NXDOMAIN response to detect a bad hostname. Now you are going to an 'A' record that points to a Comcast server. This will break various applications but they don't give a damn because it's all about the ad revenue and who uses the internet for anything other than surfing anyway?

  • Re:malware (Score:3, Interesting)

    by xvx ( 624327 ) on Thursday July 09, 2009 @02:54PM (#28640373)
    Comcast is great. So I pay them for an internet connection, the price won't go down, and they get extra advertising revenue from their users. How long will it be until they start injecting ads into websites?
  • by Maximum Prophet ( 716608 ) on Thursday July 09, 2009 @02:56PM (#28640413)
    No, it will only show those pages that have paid to be listed as what you want to see. (at least after an initial trial run)

    This could easily be done in the browser in a non-evil way. When you type in a name and get a non-response, similar names typed after would be recorded. Then, when you make the same spelling error, gooogle.com, it takes you to where you want to go. Since it's in the browser, people could edit and share their commonly misspelled domain names.
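    A sketch of the browser-side, opt-in approach this comment describes, as an added example (not the commenter's code and not anything Comcast or a browser vendor ships): the client keeps a list of hostnames it has actually resolved, pairs a failed lookup with the next successful one to learn the user's own misspellings, and when a lookup fails proposes at most one correction within one edit, refusing to guess when two candidates tie. Nothing here touches the resolver, so NXDOMAIN keeps its meaning for every other program on the machine. The host list and the "fail"/"ok" lookup events are constructed sample data.

```python
def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent swap each cost 1 (a swap covers the common 'googel' typo)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def learn_corrections(lookup_events, max_distance=2):
    """Pair each failed lookup with the next successful one, if the two names
    are close, and remember the pair as a user-specific correction.
    lookup_events is a sequence of ("fail", name) / ("ok", name) tuples."""
    learned, pending = {}, None
    for outcome, name in lookup_events:
        name = name.lower().rstrip(".")
        if outcome == "fail":
            pending = name
        elif outcome == "ok" and pending is not None:
            if pending != name and osa_distance(pending, name) <= max_distance:
                learned[pending] = name
            pending = None
    return learned


def suggest(typed, known_hosts, learned=None, max_distance=1):
    """Return the single best local correction for a name that failed to
    resolve, or None. The caller shows it as a suggestion; it never
    navigates on its own."""
    typed = typed.lower().rstrip(".")
    if learned and typed in learned:
        return learned[typed]
    ranked = sorted((osa_distance(typed, h), h) for h in known_hosts if h != typed)
    if not ranked or ranked[0][0] > max_distance:
        return None
    if len(ranked) > 1 and ranked[1][0] == ranked[0][0]:
        return None          # ambiguous: two names equally close, never guess
    return ranked[0][1]


if __name__ == "__main__":
    # Constructed history: hosts this client has resolved before.
    hosts = ["google.com", "goodreads.com", "slashdot.org"]
    events = [("fail", "gooogle.com"), ("ok", "google.com"),
              ("fail", "nosuchsite.test"), ("ok", "slashdot.org")]
    learned = learn_corrections(events)
    print(learned, suggest("googel.com", hosts), suggest("gooogle.com", [], learned))
```

    The ambiguity rule matters: a resolver-side "helper" has to pick something for every failed name, whereas a local list can say "I don't know" and leave the user with an honest error page.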
  • Problems with this (Score:4, Interesting)

    by DigitAl56K ( 805623 ) on Thursday July 09, 2009 @02:58PM (#28640437)

    I speak from the perspective of being a RoadRunner user rather than a Comcast user, but RR implements a similar service. They have a link in the lower right of their results page where you can click to set your preferences and disable the "feature". Except just the other week that preference broke for me, and I was stuck with DNS hijacking. I phoned their customer service line, the person on the other end of the line had absolutely no idea what I was talking about.

    DNS hijacking is a bit like Phorm without profiling really. Well, assuming there is no profiling. If there was profiling they'd make more money from the ads they'll inevitably insert there to "support" the service (Edit: oh look, they already have!). Personally I put this issue, along with Phorm in a whole category of problems related to the fact that we still don't secure and authenticate most of our activities on the internet (http, dns, yadayada). ISPs can do what they like and it's hard to stop them. Third-party DNS services seem to be the way to go recently. Of course without security/authentication your ISP can put a stop to that quite easily too.

    This is all before you get in to the technical details of clients that may implement specific behavior for when bad DNS queries are expected to fail but don't.

  • by xvx ( 624327 ) on Thursday July 09, 2009 @02:59PM (#28640463)
    True, for anyone tech savvy they would know better. But what about people that don't know better and that extra ad revenue. Will that be passed back to the customer? Absolutely not.
  • by FranTaylor ( 164577 ) on Thursday July 09, 2009 @03:13PM (#28640683)

    This is all done under the assumption that the DNS query is for an HTTP request.

    What happens when other services run afoul of this setup?

    For example: Is my POP client going to hand my login credentials to a Comcast server, if my email service's DNS does not resolve for some reason?

  • Re:Attempt? (Score:3, Interesting)

    by Timex ( 11710 ) * <[moc.liamg] [ta] [nimdahtims]> on Thursday July 09, 2009 @03:16PM (#28640717) Journal

    I use Earthlink for an ISP. I also know how to change my "default" DNS servers, so I don't have to deal with their antics.

    If people don't like what the ISP does to things like this, they should either learn how to fix the problem (because their ISPs will simply say there IS no problem because it's functioning as it was designed to do) or look for another ISP.

    Why do I stay with Earthlink? Simple:

    • Cable modem service is cheaper than DSL rates in my area, given identical UL/DL speeds.
    • I don't have cable TV (by choice), so having cable modem service alone would be higher with Comcast, the Cable provider in my area.
    • Earthlink service (in my area, at least) is "powered by Comcast". If there are broadband-related issues, Earthlink will work with Comcast's people to work out any problems.

    Generally, I'm pleased with Earthlink.

  • by Zontar_Thing_From_Ve ( 949321 ) on Thursday July 09, 2009 @03:21PM (#28640803)
    This reminds me of a little known incident that happened in the mid 1990s. For a while, AT&T ran a service called 1-800-OPERATOR where you could call this number and get AT&T to connect you to a long distance call. For those who don't know, we're required (at least in most of the USA if not all of it) to pick a long distance service provider. That company does not have to be who you get local telephone service from. It was possible to place long distance calls with someone other than your long distance provider by simply dialing an access number that belonged to that company and you would get billed for the call from that company. So for example you might have, say, BellSouth as your long distance provider, but you could dial an access number and place calls on Sprint if Sprint offered a better rate. No need to change providers that way. So AT&T decided that it would be smart to get in on this too and lower their rates. So the way it worked was that you called 1-800-OPERATOR and someone at AT&T would connect you to your long distance call and charge you whatever rate AT&T had for the service. AT&T promoted this service on national television commercials and spent a lot of advertising money on it. Anyway, I had a friend at the time who worked for MCI in their marketing department. She told me that MCI had reserved the telephone number that corresponded to 1-800-OPERATER. MCI spent zero dollars advertising and simply waited for people who couldn't spell to call that number and they placed the call for the person and made the money off it. She told me "You would not believe how much money we made off this". Some months after the campaign started, AT&T quietly pulled the plug on it. I always assumed that too many people couldn't spell "operator" correctly and they were tired of giving business to MCI for nothing.
  • it can fail badly (Score:5, Interesting)

    by RichMan ( 8097 ) on Thursday July 09, 2009 @03:22PM (#28640821)

    My ISP did it for a while. The problem was that it was badly implemented and increased the load on the upstream DNS services.

    So if the middle layer DNS cache was empty and I asked for mybank.com, the bottom level DNS timed out and it failed over to the advertising page.

    ---
    Think of searching on coke.com or any real address then the system failing and redirecting you to pepsi.com.

    Think of the lawsuits. Think of the denial of service attacks possible:
          a) register not_mybank.com, have spoof of mybank.com page ready to launch
          b) pay to have a fail on mybank.com route to not_mybank.com
          c) denial of service attack to root servers for mybank.com, flip in your spoof page
          d) have the ISP's magically send people to your spoof site from their saved URL's and collect passwords

    Yeah this is a good idea.

  • Not the same at all. (Score:5, Interesting)

    by John Hasler ( 414242 ) on Thursday July 09, 2009 @03:28PM (#28640871) Homepage

    > Some may remember when VeriSign tried this back in 2003, where it also failed.

    Not the same at all. VeriSign tried to do it with the TLD servers, which nobody can avoid. These guys are just doing it with their own servers, which you can bypass unless they block you. Even if they do you can, at least in theory, switch ISPs. They aren't likely to bother with blocking, though, because the number of people who will bypass is tiny.

  • What about non-HTTP? (Score:5, Interesting)

    by slushdork ( 566514 ) on Thursday July 09, 2009 @03:30PM (#28640915)
    I'm a Comcast "customer" in an affected "market" (Colorado). How will this affect DNS resolution requests for non-HTTP purposes? There is no way for the Comcast DNS servers to know what a DNS name resolution request is for: it could be for HTTP, or it could be for SSH, FTP, etc. So if I mis-type an FQDN hostname in an SSH command, will the DNS resolution request now succeed? Previously SSH would fail with a "cannot resolve hostname" error or something similar. Will it now try to connect with SSH to the Comcast "domain helper" servers? What about its effects on local DNS caching servers (e.g. dnsmasq)?

    Also, this statement from Comcast's blog is blatantly false:

    Despite the fact that web addresses are easier to remember than their IP address counterparts, sometimes you mistype an address. Let's say you type in http://www.comtcas.com/ [comtcas.com] (instead of http://www.comcast.com./ [www.comcast.com]). Normally you then sit and wait for the Web browser to time out, then you receive an error message that the site does not exist, and then you have to retype the correct address.

    Normally you would *never* "sit and wait for the Web browser to time out" (well, these *are* Comcast's DNS servers after all, so in this specific case it might be true). Normally, your browser would get a DNS resolution failure and show you a built-in error page instantaneously. Now, on the other hand, you have to wait until your browser goes off and loads a page of Comcast ads.

    Domain Helper my a$$!
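    Shakrai's point about code that relies on NXDOMAIN, FranTaylor's POP client, slushdork's SSH question and RichMan's timeout failover all come down to one check: does the resolver answer a name that cannot exist with an A record, and can an application tell the difference afterwards? The Python below is an added example, not code from any commenter and not Comcast's draft; it builds constructed wire-format DNS responses (using the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 as stand-ins for a landing page and a real mail server), parses them, learns the landing-page addresses a rewriting resolver hands out for probe names, and restores "does not resolve" semantics so a client refuses to connect rather than hand credentials to the landing page. The probe name and all responses are constructed sample data.

```python
import struct

# DNS response codes (RFC 1035 section 4.1.1)
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following compression pointers; return (name, end offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def build_response(qname, rcode, a_records=()):
    """Constructed sample response: header, one IN A question, zero or more IN A answers."""
    flags = 0x8180 | rcode                               # QR=1, RD=1, RA=1, plus rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        # name pointer to offset 12 (the question name), type A, class IN, TTL 60, RDLENGTH 4
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answers


def parse_response(msg):
    """Return (rcode, [IPv4 strings from IN A answers]) for a DNS response message."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, ips = flags & 0x0F, 12, []
    for _ in range(qdcount):
        _name, off = decode_name(msg, off)
        off += 4                                         # skip QTYPE and QCLASS
    for _ in range(ancount):
        _name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, ips


def classify_probe(msg):
    """Classify the answer to a probe for a name that cannot exist."""
    rcode, ips = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"        # the resolver told the truth
    if rcode == RCODE_SERVFAIL:
        return "servfail"        # upstream failure; a correct resolver must not turn this into a landing page
    if rcode == RCODE_NOERROR and ips:
        return "rewritten"       # an A record for a name nobody owns: NXDOMAIN rewriting
    return "other"


def learn_sentinels(probe_responses):
    """Collect the landing-page addresses a rewriting resolver hands out for probe names."""
    sentinels = set()
    for msg in probe_responses:
        if classify_probe(msg) == "rewritten":
            sentinels.update(parse_response(msg)[1])
    return sentinels


def resolve_strictly(msg, sentinels):
    """Application-side lookup with NXDOMAIN semantics restored: None means 'does not resolve'."""
    rcode, ips = parse_response(msg)
    if rcode != RCODE_NOERROR:
        return None
    real = [ip for ip in ips if ip not in sentinels]
    return real or None


if __name__ == "__main__":
    # Constructed probe: a random label under a zone that has no such record.
    probe = build_response("k7q2x9.probe.example", RCODE_NOERROR, ["192.0.2.10"])
    sentinels = learn_sentinels([probe])
    mail = build_response("pop.mail.example", RCODE_NOERROR, ["192.0.2.10"])
    print(classify_probe(probe), sentinels, resolve_strictly(mail, sentinels))
```

    The probe should be a fresh random label each time, so a cached answer cannot mask the rewrite, and the learned sentinel set is the thing to alert on: if it is non-empty, every "successful" lookup from that resolver needs the second check before a client opens a connection.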

  • by typosquatting ( 1586073 ) on Thursday July 09, 2009 @03:36PM (#28641005) Homepage
    Totally agreed - it is absolutely typosquatting on a massive scale.

    Many people don't realize that there's TONS of traffic going to typo domains (whether registered or not). For instance, youtuve.com [youtuve.com] (notice the v instead of the b) got 358,751 visitors over the last 31 days. It redirects to another domain for cloaking purposes, but here is the traffic report [sedo.com]. This level of traffic provides the financial incentive to implement these DNS schemes.

    By the way, there's a new, free typosquatting [aliasencore.com] scan tool at aliasencore.com. It shows you all the registered .COM domain names that are one character misspellings of any Alexa top 100,000 site you enter. It also displays screenshots of those typosquatting sites. It's a nifty way to get a quick idea of the rampant growth of typosquatting. Here's an example that shows the 431 registered .COM domain names that are one character away from google.com [aliasencore.com].

    Full disclosure: I am Graham MacRobie, the CEO of Alias Encore, Inc. We help companies recover cybersquatting domain names, but we focus solely on "slam-dunk" typosquatting cases (obviously only registered domain names). I can speak from personal experience in this field that the very last thing we need is wholesale typosquatting at the DNS level.
  • by jackb_guppy ( 204733 ) on Thursday July 09, 2009 @03:36PM (#28641017)

    This screws with "what is a valid URL". Basically, now all URLs are valid. So for example you want "coke.com"; any way you mistype that request: cole.com, Coce.com, koke.com, cooke.com and ... will be a valid URL, even if it does not exist.

    Another way of looking at this is cybersquatting. They are taking the whole URL domain. So if you have a new URL, guess where it will not show up for a long while.

    And third you can think of it as "DNS poisoning", since if you are running your own DNS, comcast will be supplying you fake information, with its own time out.

  • Re:Here We Go Again (Score:5, Interesting)

    by raddan ( 519638 ) * on Thursday July 09, 2009 @03:41PM (#28641105)
    Sprint currently does this with their AirCard service. In fact, even if you try to query a specific DNS server, it hijacks your request and redirects your packets to its own. I discovered this after wondering WTF my DNS server was not operating correctly-- it turns out that my new DNS record had not propagated to Sprint's DNS. Since I run our company's DNS, this is a major PITA to me. Oh yeah, they appear to mess with DNS record TTLs as well.

    I'd gladly post examples but I'm at work and my AirCard is at home at the moment.

    I would gladly switch to another ISP, but I'm locked-in to a 2-year contract. Unless I can argue that their DNS hijacking violates the TOS, but I doubt it.
  • Re:malware (Score:5, Interesting)

    by Anonymous Coward on Thursday July 09, 2009 @03:46PM (#28641183)

    Just wanted to remind everybody that a few weeks ago, another slashdot article about comcast DNS hijacking appeared, and everybody wound up calling this specific blogger a liar.

    What if before introducing mass trials, they randomly selected MAC IDs and did this in specific locations? Perhaps that blogger actually did break news.

    But then, it wouldn't be the first time we trolled a legitimate story because its legitimacy was hard to validate at the time. :)

    Also, this discredits Comcast's massive twitter efforts as ComcastBonnie so kindly made a slashdot account after seeing the twitter output from the article, and told us that the engineers promised no form of DNS hijacking was underway. Underway or not, it was certainly being planned, and coverups should not be appreciated.

    Just my two cents

  • by c0y ( 169660 ) on Thursday July 09, 2009 @04:26PM (#28641721) Homepage
    Open DNS recursion is its own form of evil. I'm waiting for the day that Level3 locks those down to their own networks, and hundreds of our customers call us to complain "the Internet is broken" (it seems almost everyone knows those IPs and many choose to use them, despite the fact that our own DNS service is anycast and will always remain Redirect-free because we don't treat it as a potential revenue source, but a vital part of Internet infrastructure that ought to be inviolate).

    Google "DNS recursive amplification" to see what I mean about the evils of open resolvers. Hell, even closing down recursion doesn't stop the madness since root hint amplification is being abused too [secureworks.com].

    We drop all IP traffic directed to our anycast IPs at our borders. You can't even ping them. query-source is not a listen-on address so it is impossible to get any type of response from our named. I predict most other ISPs being forced to do something similar. The poisoning threats are also ever on the horizon and this is another prudent safeguard.

  • by angelbunny ( 1501333 ) on Friday July 10, 2009 @08:17AM (#28648039)

    This new 'service' Comcast is testing helps comcast identify its customers better which helps with the 250GB cap. The new DNS setup locks out hacked modems (unregistered modems) without spoofing as a legit modem. It also limits the speed cap from the cmts (node) end as well as the cable modem so no more uncapped 30megabit/s down and 10megabit/s up on a single modem without cloning a developer na modem.

    The real conversation should not be about openDNS but how comcast is going out of its way to make sure it can identify which users are breaking the 250GB cap which ultimately forces many of the not so legit comcast users who like their anonymity to spoof as someone else on the same network and therefore ultimately putting blame on the wrong person when comcast issues an abuse suspend. It is ironic really.

    It may sound like a completely separate subject but by comcast playing with its dns forwarding has much bigger back end changes that seem not related but in fact are.
