Comcast DNS Redirection Launched In Trial Markets 362
An anonymous reader writes "Comcast has finally launched its DNS Redirector service in trial markets (Arizona, Colorado, New Mexico, Oregon, Texas, Utah, and Washington state), and has submitted a working draft of the technology to the IETF for review. Comcast customers can opt-out from the service by providing their account username and cable modem MAC address. Customers in trial areas using 'old' Comcast DNS servers, or non-Comcast DNS servers, should not be affected by this. This deployment comes after many previous ISPs, like DSLExtreme, were forced to pull the plug on such efforts as a result of customer disapproval/retaliation. Some may remember when VeriSign tried this back in 2003, where it also failed."
Call it what it is (Score:5, Interesting)
I just signed up the competition... (Score:5, Interesting)
AT&T doesn't touch my bandwidth. They don't cap it, they don't filter it - they aren't keeping a database of my URL lookups. That's worth a great deal to me - and Comcast will never get my business. I urge everyone else to do the same, even if it is some other DSL provider or dish provider.
Re:The Sky isn't faling. (Score:5, Interesting)
The sky isnt falling.
It is if you were foolish enough to believe that the RFC/protocol standards would be obeyed and wrote code that relies on a NXDOMAIN response to detect a bad hostname. Now you are going to an 'A' record that points to a Comcast server. This will break various applications but they don't give a damn because it's all about the ad revenue and who uses the internet for anything other than surfing anyway?
Re:malware (Score:3, Interesting)
Re:The Sky isn't faling. (Score:5, Interesting)
This could easily be done in the browser in a non-evil way. When you type in a name and get a non-response, similar names typed after would be recorded. Then, when you make the same spelling error, gooogle.com, it takes you to where you want to go. Since it's in the browser, people could edit and share their commonly misspelled domain names.
Problems with this (Score:4, Interesting)
I speak from the perspective of being a RoadRunner user rather than a Comcast user, but RR implements a similar service. They have a link in the lower right of their results page where you can click to set your preferences and disable the "feature". Except just the other week that preference broke for me, and I was stuck with DNS hijacking. I phoned their customer service line, the person on the other end of the line had absolutely no idea what I was talking about.
DNS hijacking is a bit like Phorm without profiling really. Well, assuming there is no profiling. If there was profiling they'd make more money from the ads they'll inevitably insert there to "support" the service (Edit: oh look, they already have!). Personally I put this issue, along with Phorm in a whole category of problems related to the fact that we still don't secure and authenticate most of our activities on the internet (http, dns, yadayada). ISPs can do what they like and it's hard to stop them. Third-party DNS services seem to be the way to go recently. Of course without security/authentication your ISP can put a stop to that quite easily too.
This is all before you get in to the technical details of clients that may implement specific behavior for when bad DNS queries are expected to fail but don't.
Re:The Sky isn't faling. (Score:2, Interesting)
Bad assumption being made (Score:5, Interesting)
This is all done under the assumption that the DNS query is for an HTTP request.
What happens when other services run afoul of this setup?
For example: Is my POP client going to hand my login credentials to a Comcast server, if my email service's DNS does not resolve for some reason?
Re:Attempt? (Score:3, Interesting)
I use Earthlink for an ISP. I also know how to change my "default" DNS servers, so I don't have to deal with their antics.
If people don't like what the ISP does to things like this, they should either learn how to fix the problem (because their ISPs will simply say there IS no problem because it's functioning as it was designed to do) or look for another ISP.
Why do I stay with Earthlink? Simple:
Generally, I'm pleased with Earthlink.
Re:Call it what it is (Score:5, Interesting)
it can fail badly (Score:5, Interesting)
My ISP did it for a while. The problem was that it was badly implemented and increased to load on the upstream DNS services.
So if the middle layer DNS cache was empty and I asked for
mybank.com the bottom level DNS timed out and it failed over to the advertising page.
---
Think of searching on coke.com or any real address then the system failing and redirecting you to pepsi.com.
Think of the lawsuits. Think of the denial of service attacks possible
a) register not_mybank.com, have spoof of mybank.com page ready to launch
b) pay to have a fail on mybank.com route to not_mybank.com
c) denial of service attack to root servers for mybank.com, flip in your spoof page
d) have the ISP's magically send people to your spoof site from their saved URL's and collect passwords
Yeah this is a good idea.
Not the same at all. (Score:5, Interesting)
> Some may remember when VeriSign tried this back in 2003, where it also failed.
Not the same at all. VeriSign tried to do it with the TLD servers, which nobody can avoid. These guys are just doing it with their own servers, which you can bypass unless they block you. Even if they do you can, at least in theory, switch ISPs. They aren't likely to bother with blocking, though, because the number of people who will bypass is tiny.
What about non-HTTP? (Score:5, Interesting)
Also, this statement from Comcast's blog is blatantly false:
Normally you would *never* "sit and wait for the Web browser to time out" (well, these *are* Comcast's DNS servers after all, so in this specific case it might be true). Normally, your browser would get a DNS resolution failure and show you a built-in error page instantaneously. Now, on the other hand, you have to wait until your browser goes off and loads a page of Comcast ads.
Domain Helper my a$$!
Re:Call it what it is (Score:5, Interesting)
Many people don't realize that there's TONS of traffic going to typo domains (whether registered or not). For instance, youtuve.com [youtuve.com] (notice the v instead of the b) got 358,751 visitors over the last 31 days. It redirects to another domain for cloaking purposes, but here is the traffic report [sedo.com]. This level of traffic provides the financial incentive to implement these DNS schemes.
By the way, there's a new, free typosquatting [aliasencore.com] scan tool at aliasencore.com. It shows you all the registered
Full disclosure: I am Graham MacRobie, the CEO of Alias Encore, Inc. We help companies recover cybersquatting domain names, but we focus solely on "slam-dunk" typosquatting cases (obviously only registered domain names). I can speak from personal experience in this field that the very last thing we need is wholesale typosquatting at the DNS level.
Re:The Sky isn't faling. -- Actually yes (Score:5, Interesting)
This screws with "what is valid URL". Basically, now all URL are valid. So for example you want "coke.com" anyway you mistype that request: cole.com, Coce.com, koke.com, cooke.com and ... will be a valid URL, even if it does not exist.
Another way of looking at this is cybersquatting. They are taking the whole URL domain. So if you have a new URL, guess where it will not show up for a long while.
And third you can think of it as "DNS poisoning", since if you are running your own DNS, comcast will be suppling you fake information, with its own time out.
Re:Here We Go Again (Score:5, Interesting)
I'd gladly post examples but I'm at work and my AirCard is at home at the moment.
I would gladly switch to another ISP, but I'm locked-in to a 2-year contract. Unless I can argue that their DNS hijacking violates the TOS, but I doubt it.
Re:malware (Score:5, Interesting)
Just wanted to remind everybody that a few weeks ago, another slashdot article about comcast DNS hijacking appeared, and everybody wound up calling this specific blogger a liar.
What if before introducing mass trials, they randomly selected MAC IDs and did this in specific locations? Perhaps that blogger actually did break news.
But then, it wouldn't be the first time we trolled a legitimate story because its legitimacy was hard to validate at the time. :)
Also, this discredits Comcast's massive twitter efforts as ComcastBonnie so kindly made a slashdot account after seeing the twitter output from the article, and told us that the engineers promised no form of DNS hijacking was underway. Underway or not, it was certainly being planned, and coverups should not be appreciated.
Just my two cents
Re:Best DNS alternative w/o redirection? (Score:2, Interesting)
Google "DNS recursive amplification" to see what I mean about the evils of open resolvers. Hell, even closing down recursion doesn't stop the madness since root hint amplification is being abused too [secureworks.com].
We drop all IP traffic directed to our anycast IPs at our borders. You can't even ping them. query-source is not a listen-on address so it is impossible to get any type of response from our named. I predict most other ISPs being forced to do something similar. The poisoning threats are also ever on the horizon and this is another prudent safeguard.
Everything Comcast does has underlining motives (Score:2, Interesting)
This new 'service' Comcast is testing helps comcast identify its customers better which helps with the 250GB cap. The new DNS setup locks out hacked modems (unregistered modems) without spoofing as a legit modem. It also limits the speed cap from the cmts (node) end as well as the cable modem so no more uncapped 30megabit/s down and 10megabit/s up on a single modem without cloning a developer na modem.
The real conversation should not be about openDNS but how comcast is going out of its way to make sure it can identify which users are breaking the 250GB cap which ultimately forces many of the not so legit comcast users who like their anonymity to spoof as someone else on the same network and therefor ultimately putting blame on the wrong person when comcast issues an abuse suspend. It is ironic really.
It may sound like a completely separate subject but by comcast playing with its dns forwarding has much bigger back end changes that seem not related but in fact are.