
Small ISPs use "malicious" DNS servers to watch Web searches, earn cash - canistr
http://arstechnica.com/tech-policy/news/2011/08/small-isps-turn-to-malicious-dns-servers-to-make-extra-cash.ars
======
JoachimSchipper
Tellingly, the article almost completely ignores the apparently sizable number
of US ISPs that return something very different from NXDOMAIN ("not found")
when you ask for a nonexistent domain name.

A working DNS server is a good thing.

~~~
AgentConundrum
This is why I use Google's DNS servers (8.8.8.8, 8.8.4.4).

I was surprised by this rather recently, when my girlfriend and I moved in
with her brother to conserve finances (both his and ours, since their other
brother had just moved out leaving him with larger-than-payable bills). I
mistyped a URL and it came back with an ISP-provided search page, which
infuriated/surprised me. As it turns out, I only had the wireless connection
set to use GDNS, but I was temporarily using a wired connection until I could
buy a new wireless router (the previous one was a modem/router combo from the
ISP, despite the fact that when I returned it the woman at the desk
"corrected" me when I told her I was returning the router, saying that they
don't deal with routers. I just smiled, did my business, and left.)

~~~
desigooner
Comcast and Verizon both do this. Verizon's been pointing to YellowPages
website with a frame above notifying the user that the domain does not exist.

~~~
ejdyksen
Comcast hosts anycast DNS servers that opt out of the "domain helper" feature
(and support DNSSEC):

75.75.75.75 and 75.75.76.76

<http://dns.comcast.net/dns-ip-addresses2.php>

------
sapphirecat
My ISP (Windstream DSL) started redirecting nxdomain responses years ago. I
noticed when I mistyped a host alias I had set up for ssh and got back
`connection refused` when it was not even a fully-qualified name.

Thankfully VeriSign did this to .com once with their SiteFinder service, so
FOSS DNS servers generally have good support for assigning a particular IP
address as "this is really NXDOMAIN". (Nowadays, I'm running Unbound locally
anyway for DNSSEC.)

EDIT: the opening paragraph used to read "My ISP started doing this," but a
closer look at TFA indicates this issue is about intercepting DNS queries to
_existing, legitimate_ search providers in order to substitute paid results.
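The "treat this IP address as really NXDOMAIN" filtering mentioned in the comment above, as an added example that is not part of the original thread: it parses a DNS response and rewrites it to NXDOMAIN when an answer A record points at a known redirect server, the idea behind dnsmasq's `bogus-nxdomain` option. The host names, addresses and helper functions are constructed for illustration.

```python
import ipaddress
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def parse_response(msg):
    """Return (rcode, offset after question section, answer A-record IPs)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    q_end, ips = off, []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return flags & 0x000F, q_end, ips

def filter_bogus(msg, bogus_ips):
    """Rewrite a NOERROR reply to NXDOMAIN if it answers with a redirect IP."""
    rcode, q_end, ips = parse_response(msg)
    if rcode != 0 or not set(ips) & set(bogus_ips):
        return msg                             # genuine answer or already an error
    ident, flags, qd = struct.unpack("!3H", msg[:6])
    flags = (flags & 0xFFF0) | 3               # RCODE 3 = NXDOMAIN
    return struct.pack("!6H", ident, flags, qd, 0, 0, 0) + msg[12:q_end]

def make_response(name, ip, ident=0x1234):
    """Build a constructed NOERROR response with one A record (sample data)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    header = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + answer

BOGUS = {"198.51.100.7"}   # constructed redirect-server address (documentation range)
HIJACKED = make_response("no-such-host-x7q.example", "198.51.100.7")
GENUINE = make_response("www.example", "192.0.2.10")
```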

------
gojomo
If disclosed, and the customer also receives an indirect benefit (cheaper
service), is this any worse than similar tracking via the Google Toolbar, and
all the various page-insert sensors (Analytics, AdSense, +1, etc) reporting a
significant and growing amount of all web activity back to the MotherPlex?

(That is, setting aside the obviously evil practice also alleged in this
article of sometimes using these redirects for click fraud.)

~~~
ender7
This assumes that the customer has the option of choosing another service if
they don't want to "opt-in" to such bullshit.

Sadly, in many places in the US, especially those places served by the ISPs
mentioned, that is not the case. In the absence of reasonable choice (roughly
the same speed of service) this becomes something that should be regulated.

Again, these kinds of things would all go away if we had public last-mile fiber
that ISPs could lease. Regulation is a poor substitute for true competition.

~~~
gojomo
The customer usually has the choice of self-help against such bullshit, even
without changing ISPs, via using alternate DNS servers, a VPN, or other
techniques. Education remains a better solution than regulation.

------
yeahsure
In South America the ISP "Speedy" (owned by Telefonica) also does this, here's
the domain they use for this: <http://www.ayudaenlabusqueda.com.ar>

------
elliottcarlson
Time Warner does this too - but offers a control panel allowing you to disable
this. Would be great if the control panel actually worked or remembered that
setting since I see it again every few months.

~~~
Twisol
Looks like they redirect to _dnssearch2.rr.com_.

------
code_duck
My rather large ISP, Charter, has been redirecting not found domains requested
from a browser to a query on 'searchassist.teoma.com' for a few years. Very
annoying; I block it in my hosts file.

~~~
b_disraeli
Why not just change your DNS servers to 8.8.8.8/8.8.4.4? Or one of the
other public DNS providers?

~~~
code_duck
Last I checked, Charter blocks outgoing DNS to servers other than theirs.
Based on searching around, it sounds like they go back and forth on that
policy.

~~~
1amzave
Perhaps it varies by area? I'm in Wisconsin and I've been using 8.8.8.8 and/or
8.8.4.4 since I started getting service from Charter about a year ago, and
I've never had a problem with it. Of course, doing that means I never noticed
that they hijack NXDOMAINs, which definitely drops them a few notches in my
eyes. I've had other ISPs do that to me; it's kind of infuriating.

~~~
code_duck
Thanks, I'll check it out again. It sounds like it does vary by area... and the
last I tried was 2-3 years ago. I'm in the UP.

------
sp332
So, instead of watching the terms you type into Bing, it watches the terms you
type into the address bar. So if you put "apple" instead of "apple.com", the
DNS server will redirect you instead of sending NXDOMAIN and letting your
browser handle things (either failing or searching with your configured
Google/Bing/etc engine).

When I first saw the headline, I thought the DNS server was reading my URLs,
which would have been really interesting because it's impossible :)

~~~
Twisol
Actually, when your browser sends a DNS request to your ISP's DNS server, it
seems to redirect you to a proprietary search page providing suggestions for
an invalid request. The whole URL isn't involved, but the domain part is.

------
rplnt
There is also OpenDNS which does basically the same.

~~~
ams6110
OpenDNS returns ad pages for not-found domains, if you are using their free
service. Or is that what you mean by "the same?"

~~~
tedunangst
Yes, that is exactly what the article is trying to describe.

------
untog
It's funny- my initial response was going to be "use the Google DNS servers!
8.8.8.8, 8.8.4.4!", but I suppose they could be logging all sorts of
information about me, too...

~~~
tshtf
The privacy policy for Google's public DNS servers is quite reasonable,
actually:

<http://code.google.com/speed/public-dns/privacy.html>

~~~
mtogo
In other words, they store every request you send, but it's okay because they
only store geolocation data to identify you with.

~~~
superuser2
That geolocation data isn't any more granular than city/region, which they
have a valid reason to want to know about (network latencies vary with
significant physical distance). We're not talking about your street address
here.

------
ZoFreX
This was a really sloppy write-up, they didn't make it clear what is going on
at all. This is redirection if you type in a domain name that doesn't exist,
which isn't a new trick.

My ISP (Virgin Media) does this, but you can opt out. In fact, their opt-out
page gives a much better explanation than the article:
<http://www.virginmedia.com/myvirginmedia/advancederror/feedback.php>

------
Andrew_Quentin
Interesting. There were two links posted before arstechnica, both dealing with
the same issue, one from eff I think, and neither made it to the front page.

Vote Rigging or just brand brainwashing or maybe groupthink?

~~~
paxswill
The EFF link is at #27 on the front page.

------
known
<http://wiki.opennicproject.org/ClosestT2Servers> won't log your requests

