Comcast DNS Redirection Launched In Trial Markets 362
An anonymous reader writes "Comcast has finally launched its DNS Redirector service in trial markets (Arizona, Colorado, New Mexico, Oregon, Texas, Utah, and Washington state), and has submitted a working draft of the technology to the IETF for review. Comcast customers can opt-out from the service by providing their account username and cable modem MAC address. Customers in trial areas using 'old' Comcast DNS servers, or non-Comcast DNS servers, should not be affected by this. This deployment comes after many previous ISPs, like DSLExtreme, were forced to pull the plug on such efforts as a result of customer disapproval/retaliation. Some may remember when VeriSign tried this back in 2003, where it also failed."
malware (Score:5, Insightful)
Another great press release about how it will be helpful and a "service" for users, while the main purpose is just to gather extra advertisement revenue (while breaking internet standards). I mean, this is what malware do. Oh well, atleast these non-us ISP's dont do such dirty acts to their customers here. Time to voice your opinion maybe?
Re:malware (Score:5, Funny)
while breaking internet standards
What are those? The last RFC that I read was titled "How to make the largest pile of cash while providing the least amount of service". I think it's RFC666 and is the one that most modern day ISPs seem to operate under.....
Re:malware (Score:5, Funny)
I tried to find this RFC, but when i opened the page, it redirected me to some 404 search page for my ISP.
Re: (Score:3, Funny)
Click here for fr33 v14gr4! Guaranteed member of bigging to be!
Re:comcast and netflix (Score:4, Insightful)
You are blatnatly mistaken, sir.
Because your DNS tells you what the real IP address is, and in many locations, that is not what this "redirect" DNS service will lead you to. That may be a much nearer, but more bandwidth expensive location than Comcast wants you to use, or may not go through their monitoring and proxies and load balancers and most importantly, their _streaming video choking_ services. Comcast has established their willingness to interfere with bandwidth intensive services such as Bittorrent via SYN packats and other abuses: there's no reason to expect that they will provide this service for their customer's advantage, but rather for their own to guide traffic to their desired services.
Re: (Score:3, Interesting)
Re:malware (Score:5, Insightful)
modern corporate culture demands profit growth. not just continued profit, but growth of profits. how do you expect that to happen in a saturated market?
Re: (Score:2)
You over-exploit the natural and human resources of the area where you operate, strip it bare, then move on to the next one?
The problem is that the "next area" is another planet, and we kinda lack the technology to get there for now...
Re: (Score:2)
Planet? Someone obviously hasn't seen Moon [wikipedia.org].
Re:malware (Score:5, Insightful)
Re:malware (Score:5, Informative)
Easy, through innovation and distinct added value. Shouldn't take a rocket scientist to figure it out but apparently it does. Recently, our ISP decided to offer a brand new service allowing you to double your bandwidth simply by adding another DSL line. Guess what, they are now the fastest growing ISP in Canada.
Schemes like DNS redirection are a scam and should be banned unless they contain no advertising or indirect revenue generation whatsoever.
Re:malware (Score:4, Insightful)
Re: (Score:2)
> How is this different from OpenDNS?
One actively chooses to use OpenDNS. You get your ISP's servers by default.
Re:malware (Score:5, Informative)
In what way is this relevant to OpenDNS? They actually do the same dirty trick aswell. Just because they have "open" in their name doesn't mean they're great and everyone should use them. They run their DNS servers to make profit from non-existing domains and hell, they even redirect requests to google.com to their own servers.
Thankfully there are open dns servers that dont do such either, for example university in Gothenburg, Sweden: 129.16.1.53 and 129.16.2.53 and several others. Those that have the technical knowledge can also set up their own dns recursive dns servers on their linux box and use those directly (while it fetches the results from root servers)
Re:malware (Score:4, Insightful)
Yeah, it's exactly the same thing. Except opendns is very clear about what they're doing and any computer or network using opendns must explicity configure their system to use the opends servers. Heck, I'm looking at an opendns redirect right now. It's hard to miss the big opendns logo. And the "Why am I here?" link. And the "did you mean" links. Yeah. Exactly the same "dirty trick".
Re:malware (Score:5, Informative)
Try looking at the entire service. So far as I have been able to tell, you can turn off every single one of their "features", giving you a simple, straightforward dns service.
And for those replying to you confused about the google thing - they don't
. What they do is provide a dns entry for www.google.com that points to their own servers. These servers proxy the real www.google.com to strip out some functionality that opendns found particularly offensive (I have not experienced the functionality, and can't say whether I agree or disagree with their views). However, like every other "feature" I've found at OpenDNS, you can turn this off. Yes, at first you couldn't. I stopped using OpenDNS for awhile. Now you can.
Re: (Score:3, Informative)
Um, this concerns me quite a bit:
These servers proxy the real www.google.com to strip out some functionality that opendns found particularly offensive...
What? That doesn't make any sense. They only appear to proxy the first page, enough to capture what you type in the search box.
Lets examine the evidence:
$ dig @resolver1.opendns.com www.google.com A
www.google.com. 30 IN CNAME google.navigation.opendns.com.
google.navigation.opendns.com. 30 IN A 208.67.216.231
google.navigation.opendns.com. 30 IN A 208.67.216.230
$ whois 208.67.216.231
OrgName: OpenDNS, LLC
Now visit both:
http://208.67.216. [208.67.216.231]
Re: (Score:3, Informative)
The web page looks the same. You have to look at the DNS results (or the TCP connections) to see what's going on. If you're using Windows, open a command prompt and compare the outputs of
nslookup www.google.com 4.2.2.1
and
nslookup www.google.com resolver1.opendns.com
The first parameter is the query, the second is the server. 4.2.2.2 is the anycast address of one of Level3's DNS resolvers, which implement DNS correctly. The result of the second command is a CNAME under the opendns.com domain and an IP address
Re:What would this look like? (Score:5, Informative)
If you don't believe it, try the commands for yourself:
-=-=-=-=-
overmind% nslookup
Default Server: localhost
Address: 127.0.0.1
> set querytype=a
> www.google.com
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: www.l.google.com
Addresses: 74.125.53.147, 74.125.53.104, 74.125.53.99, 74.125.53.103
Aliases: www.google.com
> server 208.67.220.220
Default Server: resolver2.opendns.com
Address: 208.67.220.220
> www.google.com
Server: resolver2.opendns.com
Address: 208.67.220.220
Non-authoritative answer:
Name: google.navigation.opendns.com
Addresses: 208.69.36.230, 208.69.36.231
Aliases: www.google.com
-=-=-=-
Talking to my local DNS server, www.google.com resolved to IP addresses in the 74.125.0.0/16 netblock, which is assigned to Google.
Talking to resolver2.opendns.com, www.google.com resolved to 208.69.36.230 and 208.69.36.231, which have no reverse information, but are in the 208.69.32.0/21 netblock which is assigned to OpenDNS.
Re:malware (Score:5, Interesting)
Just wanted to remind everybody that a few weeks ago, another slashdot article about comcast DNS hijacking appeared, and everybody wound up calling this specific blogger a liar.
What if before introducing mass trials, they randomly selected MAC IDs and did this in specific locations? Perhaps that blogger actually did break news.
But then, it wouldn't be the first time we trolled a legitimate story because its legitimacy was hard to validate at the time. :)
Also, this discredits Comcast's massive twitter efforts as ComcastBonnie so kindly made a slashdot account after seeing the twitter output from the article, and told us that the engineers promised no form of DNS hijacking was underway. Underway or not, it was certainly being planned, and coverups should not be appreciated.
Just my two cents
Re: (Score:3, Informative)
Here it is:
http://tech.slashdot.org/article.pl?sid=09/06/09/1731238 [slashdot.org]
Re: (Score:3, Informative)
The real nasty issue with these services are that they are claimed to be helpful to users. The issue is that it is not helpful. Modern browsers already provide options to redirect NXDOMAIN's to a search engine, or other useful things.
For example, Google chrome provides a nice page that says "DNS error - cannot find server" in the corner, and provides a helpful search box that is pre-filled with the words found in the domain name. (I have no idea what algorithm is being used to find the word breaks, but it s
Here We Go Again (Score:5, Informative)
Some may remember when VeriSign tried this back in 2003, where it also failed.
Oh yeah, way back in the day. But let us not forget Earthlink's [slashdot.org] attempt at this [slashdot.org] or Canadian Rogers Cable [slashdot.org] or Charter [slashdot.org] or NJ Cabelvision [slashdot.org] or ... I'm sure you could find no end to this stream of providers offering their customers something the customers simply do not want.
And I'm pretty certain most of those ended or resulted in customers bitching out the provider. Yet here we go again. Why? Well, that's simple: ad revenue.
Re:Here We Go Again (Score:5, Informative)
If I'm not mistaken (although I often am, sorry in advance) Cox has been doing this for months now, and nobody posted anything about that. If I 'typo' a URL at home, when connected via my (or my neighbor's) Cox cablemodem, I get a Verisign page indicating that www.whateveriswas.com is Under Construction.
Is this not muchly the same thing??
It pisses me off, but not enough to hunt down a better alternative.
Re:Here We Go Again (Score:5, Interesting)
I'd gladly post examples but I'm at work and my AirCard is at home at the moment.
I would gladly switch to another ISP, but I'm locked-in to a 2-year contract. Unless I can argue that their DNS hijacking violates the TOS, but I doubt it.
Re:Here We Go Again (Score:5, Informative)
No, you threaten to sue them for lost company profits caused by their DNS hijacking and interfering with your work routine, and that you can 100% prove it and have documented everything relevant. That'll get you out of your contract in a hurry.
I just used that to help a motor sports company out here in CA get out of their contract with Comcast.
Re: (Score:2, Informative)
Rogers is still doing it.
Keep trying till you succeed (Score:5, Insightful)
When in doubt, keep trying. When rejected, keep trying. Enough people do this, it becomes the norm. Sad, but true.
Re: (Score:3, Informative)
I believe my Verizon DSL service does this. It can be disabled either by changing your computer DNS settings or modem settings depending on which modem you use.
Verizon Support - Opting out of DNS assistance [verizon.net]
Re:Here We Go Again (Score:5, Informative)
Re: (Score:3, Interesting)
I use Earthlink for an ISP. I also know how to change my "default" DNS servers, so I don't have to deal with their antics.
If people don't like what the ISP does to things like this, they should either learn how to fix the problem (because their ISPs will simply say there IS no problem because it's functioning as it was designed to do) or look for another ISP.
Why do I stay with Earthlink? Simple:
Who's providing a backdoor DNS service? (Score:5, Insightful)
Sounds like time to pick some semi-standard alternate port number and start setting up some alternate recursive DNS servers, something between alt.* and TOR.
Re:Who's providing a backdoor DNS service? (Score:4, Insightful)
Re:Who's providing a backdoor DNS service? (Score:5, Informative)
It's not like Comcast is going to be intercepting all DNS traffic and routing it through their spammy DNS servers.
Why not? As raddan posted above me, Sprint already did this with their aircard service. The huge majority of customers won't notice the difference since they don't know about alternative DNS servers.
Re:Who's providing a backdoor DNS service? (Score:4, Informative)
It's a problem because DNS is used by more things than web browsers with human operators. A "this host does not exist" response at DNS-level contains information that a "404 not found" response at HTTP-level does not provide. And that's even assuming they have the common sense to make their "default search page" return an error status code; it's highly likely it'll return an OK status, since as a general rule the people who understand how the internet works at a technical level will refuse to be involved in these kind of projects, which means people who don't really understand what they're breaking are in charge of it all.
When Verisign did this a few years ago, they set up an SMTP rejection service so that mistyped domain names in email addresses would result in an immediate bounce, rather than sitting in the mail queue attempting to be delivered to an address that didn't accept mail for a few days before finally being bounced. This service didn't actually work properly, with the result that if you had more than one incorrect domain in the recipient list, you would get a bounce for only some of the wrong domains. This is because the people that implemented the service didn't think it was necessary to actually parse the SMTP commands, and instead just responded with a scripted "Hello, Ok, Reject" over and over again regardless of what the input was. Needless to say, this was very confusing for actual mail servers.
In addition, people using web browsers that are configured to do something useful in the case of a non-existent domain name get screwed, because now every domain resolves and serves up web pages. If Comcast's "not found" service is not as good as whatever their browser was previously doing, too bad.
At least Comcast provide an opt out, and most of their customers are presumably using Comcast's SMTP relay servers, which one would hope use real DNS servers, so the problems should not be as widespread as when Verisign did it to the entire .com namespace. However whenever you change how a fundamental part of anything works (and has worked for decades) there will always be fallout and unanticipated issues. This is also complicated by the fact you can't differentiate DNS lookups by web browsers from DNS lookups from anything else; with a result being that even when you do anticipate issues, you can't provide a 100% adequate solution to mitigate it.
Call it what it is (Score:5, Interesting)
Re:Call it what it is (Score:5, Interesting)
Re: (Score:2)
I love the whole idea of long distance calling. Send telephone signal to the house next door..oh that's free. Send it to the house across town? Oh thats 8 cents a minute. Send it to japan, oh that's 15 cents a minute.
Send a voip signal over the internet to japan..oh that's free. See a little known fact that data is more expensive when sent by phone.
Re:Call it what it is (Score:5, Interesting)
Many people don't realize that there's TONS of traffic going to typo domains (whether registered or not). For instance, youtuve.com [youtuve.com] (notice the v instead of the b) got 358,751 visitors over the last 31 days. It redirects to another domain for cloaking purposes, but here is the traffic report [sedo.com]. This level of traffic provides the financial incentive to implement these DNS schemes.
By the way, there's a new, free typosquatting [aliasencore.com] scan tool at aliasencore.com. It shows you all the registered
Full disclosure: I am Graham MacRobie, the CEO of Alias Encore, Inc. We help companies recover cybersquatting domain names, but we focus solely on "slam-dunk" typosquatting cases (obviously only registered domain names). I can speak from personal experience in this field that the very last thing we need is wholesale typosquatting at the DNS level.
Re: (Score:3, Informative)
Yes it is. What you described is the very definition of typosquatting, if you add the point of what you see on this "GUI interface" (which is the job of your browser to create, btw.)
And if you think about them paying for servers to display this "interface", you will know that there is a reason they do this:
To make money. Obviously.
And what is the reason, that typosquatters add a "GUI interface" to unused domains?
Also to make money. Obviously.
Point proven. :)
Opt Out page is Slashdotted (Score:3, Funny)
Re: (Score:3, Funny)
I just signed up the competition... (Score:5, Interesting)
AT&T doesn't touch my bandwidth. They don't cap it, they don't filter it - they aren't keeping a database of my URL lookups. That's worth a great deal to me - and Comcast will never get my business. I urge everyone else to do the same, even if it is some other DSL provider or dish provider.
Re:I just signed up the competition... (Score:5, Informative)
AT&T ... they aren't keeping a database of my URL lookups7.
Until the NSA asks [eff.org] them to. Let's not pretend that AT&T isn't evil.
Re: (Score:2, Informative)
Re: (Score:3, Informative)
But you do know about the special rooms on the AT&T trunk lines that monitor all the traffic for the NSA, right?
Not that me using Qwest stops my traffic from being monitored too, but at least I am not directly supporting AT&T (or Verizon) and their habit of handing over whatever information is asked without requiring a search warrant to back it up.
Qwest refused to hand over data without a search warrant.
A LOT of ISPs already do this... (Score:5, Informative)
I don't want to name names, but Netalyzr [berkeley.edu] showed that several major ISPs already do this, and allows you to check for yourself what the behavior is on your network.
Comcast is following the lead of other major ISPs which have been doing this for some time now.
Problems with this (Score:4, Interesting)
I speak from the perspective of being a RoadRunner user rather than a Comcast user, but RR implements a similar service. They have a link in the lower right of their results page where you can click to set your preferences and disable the "feature". Except just the other week that preference broke for me, and I was stuck with DNS hijacking. I phoned their customer service line, the person on the other end of the line had absolutely no idea what I was talking about.
DNS hijacking is a bit like Phorm without profiling really. Well, assuming there is no profiling. If there was profiling they'd make more money from the ads they'll inevitably insert there to "support" the service (Edit: oh look, they already have!). Personally I put this issue, along with Phorm in a whole category of problems related to the fact that we still don't secure and authenticate most of our activities on the internet (http, dns, yadayada). ISPs can do what they like and it's hard to stop them. Third-party DNS services seem to be the way to go recently. Of course without security/authentication your ISP can put a stop to that quite easily too.
This is all before you get in to the technical details of clients that may implement specific behavior for when bad DNS queries are expected to fail but don't.
Lots have failed, but some have succeeded (Score:5, Informative)
Re: (Score:2)
I think Windstream does since I've noticed it at friends houses. But at home I run a caching-only DNS server, so I never notice it...
Re: (Score:2)
Re: (Score:2)
Cox does it too, iirc. I've seen it @ places where I've help setup computers. I had been running my own dnscacher that directly hit the root servers, but when I learned about Cox doing it, I discovered they have a pair of DNS servers that *don't* exhibit this behavior and changed my resolver to hit those (to be net friendly). I'd switch it back to the roots in a heartbeat if they started being stupid about it again.
They shouldn't control it. (Score:2, Insightful)
Given the shenanigans the ISPs and governmental authorities have been up to the last few years, I say we need to rethink TCP. You see, we've been assuming all along that ISPs are not malicious. We need to start assuming they are malicious. The new TCP protocol should only assume that all socket level data is sensitive and therefore must be encrypted as to both its contents AND its destination. This implies traffic shaping, onion routing and a public key based DNS
ISPs don't control DNS. (Score:2)
> Why exactly does the ISP control DNS?
They don't.
Bad assumption being made (Score:5, Interesting)
This is all done under the assumption that the DNS query is for an HTTP request.
What happens when other services run afoul of this setup?
For example: Is my POP client going to hand my login credentials to a Comcast server, if my email service's DNS does not resolve for some reason?
Re: (Score:3, Funny)
Forgive me for my lack of knowledge in this area, but isn't there some sort of encryption involved with that? Wouldn't you verify that the server you've reached is actually the server you wanted before you hand over credientials?
Re: (Score:3, Informative)
That depends. If you have server authentication, it won't. More importantly, if the Comcast server doesn't listen on any port but 80, it certainly won't.
If you were relying on correct DNS responses to provide security (such as preventing your login credentials from being given away), you were doing it wrong in the first place.
Cablevision (Score:2)
Cablevision already does this in the Northeast US. :(
retaliation? (Score:2)
Verisign DNS hijacking (Score:2)
These never [krytosvirus.com] get old [krytosvirus.com]
Opt Out if you're not cool with this (Score:2, Informative)
There is a bright spot in this.... (Score:2)
DNS redirection allows an ISP to quickly block infected PCs from participating in distributed attacks that rely on DNS.
I tried to circumvent this with OpenDNS... (Score:2)
But then I noticed that OpenDNS also does DNS redirection!
The scary thing was, that of course this even works when I mistype Intranet addresses. (Should have been obvious to me, but I did not think about having switched to OpenDNS when this happened, and got very scared about the possibility of a MITM attack.)
Headline is wrong (Score:2)
The headline should read:
"Comcast Colludes With Yahoo! to Redirect Miss-typed URL Traffic for their own Profit"
it can fail badly (Score:5, Interesting)
My ISP did it for a while. The problem was that it was badly implemented and increased to load on the upstream DNS services.
So if the middle layer DNS cache was empty and I asked for
mybank.com the bottom level DNS timed out and it failed over to the advertising page.
---
Think of searching on coke.com or any real address then the system failing and redirecting you to pepsi.com.
Think of the lawsuits. Think of the denial of service attacks possible
a) register not_mybank.com, have spoof of mybank.com page ready to launch
b) pay to have a fail on mybank.com route to not_mybank.com
c) denial of service attack to root servers for mybank.com, flip in your spoof page
d) have the ISP's magically send people to your spoof site from their saved URL's and collect passwords
Yeah this is a good idea.
I'm done. I'll be switching as soon as possible. (Score:2)
It's not that this is a really big deal for me. It's just the straw that broke the camel's back. I've had all sorts of trouble with Comcast of late, and this just pushed me over the edge. I've been very, very close ever since they started blocking outbound SMTP connections (yeah, I can and do use the SMTP submission port for sending e-mail, but how am I supposed to monitor my remote SMTP servers from home?).
Re:I'm done. I'll be switching as soon as possible (Score:5, Insightful)
Me too.
Oh wait, Comcast doesn't have any competition for high-speed where I live.
Go go gadget free market!
Not the same at all. (Score:5, Interesting)
> Some may remember when VeriSign tried this back in 2003, where it also failed.
Not the same at all. VeriSign tried to do it with the TLD servers, which nobody can avoid. These guys are just doing it with their own servers, which you can bypass unless they block you. Even if they do you can, at least in theory, switch ISPs. They aren't likely to bother with blocking, though, because the number of people who will bypass is tiny.
What about non-HTTP? (Score:5, Interesting)
Also, this statement from Comcast's blog is blatantly false:
Normally you would *never* "sit and wait for the Web browser to time out" (well, these *are* Comcast's DNS servers after all, so in this specific case it might be true). Normally, your browser would get a DNS resolution failure and show you a built-in error page instantaneously. Now, on the other hand, you have to wait until your browser goes off and loads a page of Comcast ads.
Domain Helper my a$$!
Oblig. (Score:4, Funny)
Help friends opt out (Score:2)
Seems like a simple enough solution, geeks like us should help friends, neighbors, relatives, and anyone else we encounter to opt-out of this nonsense. If enough people opt-out of this then DNS redirection could theoretically become unprofitable enough that they would ditch it!
Grass-roots spreading the word has worked well for Firefox, so why not this?
I would find this acceptable if ... (Score:3, Insightful)
... in addition to their modem MAC based opt-out mechanism, they:
Anyone that knows what they are doing, or finds out via information from some source (the provider not being obligated to supply this information), should be able to use the internet exactly as it was originally intended.
Re:The Sky isn't faling. (Score:5, Interesting)
The sky isnt falling.
It is if you were foolish enough to believe that the RFC/protocol standards would be obeyed and wrote code that relies on a NXDOMAIN response to detect a bad hostname. Now you are going to an 'A' record that points to a Comcast server. This will break various applications but they don't give a damn because it's all about the ad revenue and who uses the internet for anything other than surfing anyway?
Re:The Sky isn't faling. (Score:5, Interesting)
This could easily be done in the browser in a non-evil way. When you type in a name and get a non-response, similar names typed after would be recorded. Then, when you make the same spelling error, gooogle.com, it takes you to where you want to go. Since it's in the browser, people could edit and share their commonly misspelled domain names.
Re: (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2)
I'm betting you don't.
Re:The Sky isn't faling. (Score:5, Insightful)
Providing a nice GUI on a DNS lookup fail is the job of the web browser not the DNS server. DNS is infrastructure not user interface.
Re:The Sky isn't faling. (Score:5, Informative)
It doesn't redirect you to a third-party site owned by the NSA; it redirects you to a third-party site, full stop. This not only breaks a whole host of applications relying on DNS to inform them that a domain name doesn't exist, but it is in violation of the standards that hold the Internet together.
Re:The Sky isn't faling. (Score:5, Insightful)
If a domain name does not exist, I want my systems to receive an error telling them so, not be redirected to a system that they were not expecting to be directed to.
Re:The Sky isn't faling. -- Actually yes (Score:5, Interesting)
This screws with "what is valid URL". Basically, now all URL are valid. So for example you want "coke.com" anyway you mistype that request: cole.com, Coce.com, koke.com, cooke.com and ... will be a valid URL, even if it does not exist.
Another way of looking at this is cybersquatting. They are taking the whole URL domain. So if you have a new URL, guess where it will not show up for a long while.
And third you can think of it as "DNS poisoning", since if you are running your own DNS, comcast will be suppling you fake information, with its own time out.
Re:The Sky isn't faling. (Score:5, Insightful)
If you think it's OK to hijack DNS think about what happens if you mistype an email address, or what happens when your configured NTP server goes offline.
Re:The Sky isn't falling. (Score:2)
Getting a valid IP on an invalid name while trying to set up an FTP, SMTP, POP, etc connection (to name a few) could break the app (which assumes the internet standards are obeyed).
Never assume; when you do you make an ass of Uma Thurman.
Re:So should... (Score:5, Informative)
OpenDNS does exactly the same. (unless you register account and change it, but thats the case with this comcast thingie aswell)
There is a significant difference: (Score:2)
OpenDNS is "free-as-in-ad-driven". You don't have to pay for it, but they need to make their money somehow, so they have their own special page when you type an invalid domain in the location bar, with text ads on. Comcast, on the other hand, which the end user is already paying for, is trying to inflict the greedy bastard business model they use for TV (hooray for paying for content that's 1/3 ads!) on their ISP customers.
Re:So should... (Score:5, Informative)
OpenDNS does the exact same thing. To avoid DNS highjacking if you use OpenDNS, you have to have an account with them, change your preferences and always be identifiable to OpenDNS so that it can apply your preferences. It's easier to opt out at Comcast than to opt out at OpenDNS. Besides, OpenDNS also redirects www.google.com to OpenDNS servers, not just nonexistent domains.
Re:So should... (Score:5, Informative)
Re:So should... (Score:5, Insightful)
No.
Knock this shit off and mods, wise the fuck up. Just because it has "open" in the name doesn't make it suddenly good and benevolent, They do the exact same fucking thing.
Anyone who's been on slashdot for more than a week or two probably has seen dozens of comments suggesting OpenDNS in cases like this, always modded up. Every single time people post corrections pointing out that they do the same thing. Does anyone ever listen?
Wise the fuck up
Re: (Score:2)
Don't worry. They've modded me into oblivion it looks like. I wish it would have remained at 1 so it'd warn other folks.
As you and many others have pointed out, they're just cashing in on the "open" washing while "offering services" to "guide" a user straight into an ad-ridden ass pounding. Thanks again for setting me right.
Re:So should... (Score:5, Informative)
Why do these OpenDNS posts keep getting modded up? OpenDNS utilizes the very practices this article bemoans! If you query a domain that does not exist, your browser is redirected to OpenDNS's ad-laden spam site.
Despite their claims to the contrary, OpenDNS's servers are likely farther away from you than your local ISP's. They also keep permanent logs of all queries, which could be subpoenaed by a government entity. Their joke of a privacy policy allows them to sell your logs to "Affiliated Businesses", which pretty much means anybody. Not that it really matters - they could amend their privacy policy tomorrow morning and be selling your info by the afternoon.
I think many people read the "Open" part of the OpenDNS name and turn their brains off.
Re: (Score:3, Informative)
When opendns started it was precisely that - an open DNS system which even had its own set of free TLDs to play with.
Then they smelled money. And the rest is history.
Use the anycast DNS at 4.2.2.1, 4.2.2.2, etc. Run by Level3 who have plenty of money anyway and don't need to nickel and dime DNS for it.
Re:So should... (Score:4, Funny)
Are you kidding, or do you work for OpenDNS?
Because I switched to OpenDNS because of people (you?) mentioning it here on Slashdot.
And then I noticed, that OpenDNS also does DNS redirection!
Re: (Score:2)
Right kind of moderation going on here. I posted a suggestion from someone a while back and get lots of good(albeit slightly over-critical) feedback to correct me and warn other users. Thanks ./ community.
While I wouldn't be opposed to a +1 insightful, a +4 informative on my post is wholly undeserved.
Because... (Score:2)
with open DNS you get the same thing, unless you open an account with them, in which case you also share your browsing preferences with them.
Another, important reason is that at least in my case the open DNS query response times are 3 times slower than with my ISP.
And my ISP (Rogers) does have an alternate DNS server (for those who care enough to change it) that does not poison DNS results.
Re:So should... (Score:4, Informative)
Re:So should... (Score:5, Informative)
Except for the bit where Comcast users not using Comcast DNS servers are unaffected, as per TFS.
Unless you're complaining that they could, in theory, redirect port 53. Frankly, anyone remotely familiar with how the Internet works should know that your ISP *could* completely and arbitrarily control any nonauthenticated protocol, including DNS.
Re: (Score:3, Insightful)
You can opt out, you know. It says so right in the summary.
Also please don't use "evil" to describe things that are merely inconvenient. It greatly diminishes the horror and suffering people have gone through at the hands of real, actual evil.
Re: (Score:2)
Re:Best DNS alternative w/o redirection? (Score:5, Informative)
I use Level3's anycast dns resolvers. They are fast and work great. Pair them with a local dns cache and you'll be golden.
4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6
In case you don't know about anycast.
http://en.wikipedia.org/wiki/Anycast [wikipedia.org]
Re: (Score:2)
Bummer on the trees. Comcast may have kept me as a cable tv subscriber if only they could have given me just one working DVR in the 5 I went through. Fuck comcast. I'm now a happy directv subscriber, and if the opportunity ever presents itself, my internet access will be moving ASAP.