DNS Hijacking by ISPs (or: How I Learned to Stop Being RFC Compliant and Love the Paycheck)

Disclaimer: I work for a cable provider, but not one of the ones listed. I speak for myself alone here on this blog, from my own view of professional sysadmin ethics, now and always.

Sherman, set the wayback machine! The time? September 15th, 2003. In 2003, Verisign (since monikered as Verislime, I might add) decided they had a cash cow they hadn’t milked yet: control of the root DNS servers. So, like any good corporation, they lovingly wrapped their money-grubbing paws around the tender teats of the Internet’s underbelly and tugged hard. In less farmland-erotica terms, they hijacked all unowned and/or unprovisioned domain names and tossed them to an ad page that would have made Geocities blush. The result? Internet uproar, a stock dive, and a DNS authority breakup somewhat reminiscent of Ma Bell getting sliced-n-diced for her own reckless profiteering in the 70s. Fast forward to 2010 and we find slimy ISPs doing the same thing, seemingly undaunted by the history involved.

So, why is this bad? Well, for starters, it’s against the rules. The Internet exists by the careful and thoughtful cooperation of all parties involved, as outlined by RFCs. These RFCs specify interoperability guidelines. They are the reason you can surf a site in Japan, email your aunt in Bangladesh, and frag your pals on Xbox Live. And the rules for DNS are clear: a lookup of a nonexistent domain must return an NXDOMAIN error. Instead, they direct your web browser (and your other services: FTP, IRC, SSH, etc.) to a fake ad page. It fits the functional definition of a DNS cache poisoning attack, an attack these same ISPs would undoubtedly can you for if you were to try it. It breaks a lot of services, basically anything not HTTP. Imagine calling a wrong number and hearing “Dave’s not here right now” or “Dave doesn’t want to talk to you” instead of “Sorry, wrong number”. Or imagine 411 giving you Red Lobster instead of saying “We don’t have a listing for Dave’s Crab Hut”.

Why would they do this? One reason only: blind, pure, unmitigated lust for cash. This is completely unacceptable. They already get your money, and plenty of it. They don’t need to break the Internet to gouge their paying customers. Some of these companies provide opt-outs, but the answer is seldom easily accessible and support reps are poorly trained. If you agree this is unacceptable, complain to your provider. Loud and proud. Tell them you want your NXDOMAINs back. This has already worked: DSL Extreme in CA tried this and had to back off due to customer backlash.

Frankly, I think it’s reprehensible. If the domains hijacked belonged to someone, those people would sue… but the domains don’t even exist, so the shady bizness practice operates in a legal grey area. Well, I know something else that’s a shady business practice and isn’t illegal: Image hotlinking. This image for example:

is broken. It does attempt to hit the Cox domain helper tool (powered and paid for by Yahoo!) though, and leaves log turdlets saying “I want my NXDOMAIN back”. I took the opportunity to strip my customer identifier out of the URL (yes, it tracks you with a unique identifier!) and instead am giving them a crap one. Congratulations to you, though: your browser just tried to Stick It To The Man and you left your own little log turdlet!

If you’re interested in joining the protest-via-logfile movement, here’s the code to include on your own page. This example is for Cox (The Man I am presently most interested in Sticking It To), but you can follow this example to do the same for your own greedy provider:

<a href="http://www.bensbrowning.com/2010/01/26/dns-hijacking-by-isps-or-how-i-learned-to-stop-being-rfc-compliant-and-love-the-paycheck/" target="_new"><img src="http://finder.cox.net/main?InterceptSource=0&ClientLocation=us&ParticipantID=IWANTMYNXDOMAINBACK&FailureMode=1&SearchQuery=IWANTMYNXDOMAINBACK&FailedURI=http%3A%2F%2FIWANTMYNXDOMAINBACK%2F&AddInType=4&Version=2.1.1-1.62base&Referer=IWANTMYNXDOMAINBACK&Implementation=0" border="1" width="400" height="60" alt="I WANT MY NXDOMAIN BACK"></a>

I took the liberty of making this image a link to this blog post, so you can Stick It To The Man and Spread The Love simultaneously!

Tell a friend! Post a link and a bogus image! Let’s get this out there and let them know how we feel about it. Hopefully, they’ll unbreak this and think twice before cashing in on their paying customers again. In the meantime, try your provider’s alternate or opt-out DNS servers, or switch to Google Public DNS.
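If you want to check whether the resolver you are using (your ISP’s, its opt-out one, or Google’s) actually hands back NXDOMAIN for a name that cannot exist, here is a small probe I am adding to this post; it is not part of the original post or any ISP’s tooling, uses only the Python standard library, and assumes the resolver answers plain UDP DNS on port 53.

```python
"""Probe a resolver for NXDOMAIN hijacking (added example, not from the original post)."""
import secrets
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """Build a standard recursive A query for `name` (RFC 1035 header + question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(resp: bytes) -> tuple:
    """Return (RCODE, ANCOUNT) from the 12-byte DNS response header."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return flags & 0x000F, ancount

def classify(rcode: int, ancount: int) -> str:
    """Classify a reply to a name that cannot exist.
    RCODE 3 (NXDOMAIN) is the RFC 1035 behaviour the post asks for; RCODE 0 with
    answer records means the resolver substituted its own record (the hijack)."""
    if rcode == 3:
        return "compliant"
    if rcode == 0 and ancount > 0:
        return "hijacked"
    return "other"  # SERVFAIL, REFUSED, empty NOERROR, etc.

def random_nonexistent_name(tld: str = "com") -> str:
    """A label random enough that nobody has registered it (constructed per run)."""
    return f"nx-{secrets.token_hex(12)}.{tld}"

def probe(resolver_ip: str, name: str = "", timeout: float = 3.0) -> str:
    """Send one UDP query to `resolver_ip` and classify its answer."""
    name = name or random_nonexistent_name()
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        resp, _ = sock.recvfrom(512)
    if struct.unpack(">H", resp[:2])[0] != txid:
        return "other"  # transaction id mismatch: not a reply to our query
    return classify(*parse_response(resp))

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"))
```

Run it once against your ISP’s resolver and once against the alternate; “hijacked” means the resolver answered a name that cannot exist, which is exactly the behaviour the post complains about.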
