The snippet ended up being some sort of alert about upcoming maintenance, but using a malicious technique for a benign purpose is the path to the dark side. Use HTTPS!
(I use 188.8.131.52, it didn't help)
Here's the code they use: https://gist.github.com/ryankearney/4146814
And here's my (extremely short) writeup on it: http://blog.ryankearney.com/2013/01/comcast-caught-intercept...
This sounds like the same behaviour that Shawn Hogan got in trouble for with cookie stuffing http://en.wikipedia.org/wiki/Shawn_Hogan
If anyone wants to do this in the future, I'd recommend just sending affiliate abuse emails with no notice to the ISP. Also, the future person may want to revise the  script to scan in a more surreptitious manner (change the order, add delays, simulate legit web traffic, etc).
All is not lost though.
There are several ways you can protect yourself from these practices. The first thing I would do is get a router capable of using dnscrypt-proxy (http://www.opendns.com/technol.... Then you can be confident that your DNS traffic is not being modified by your ISP. It does require that you have trust in a 3rd party DNS provider like OpenDNS, but at the end of the day you have to trust someone to provide DNS lookups.
The second option is to setup DNSSEC so that you can verify where your DNS responses are coming from. While people will still be able to intercept what sites you're looking up, at least you know you're getting valid responses which is better than your situation is currently.
Third is to use both. =)
Anyhow, really awesome to see people standing against these practices. It takes users complaining to make change. The sad truth of the matter.
The same OpenDNS that hijacks NXDOMAIN responses?
I decided not to proceed with it because it seemed like a support nightmare and tampering with non-malicious subscriber traffic crosses a line.
Their marketing affiliates (such as Cash4Trafik) are always reaching out to CEO types at small ISPs and the money they bring (particularly when you are small) can be hard to pass up.
It may be the cynic in me after seeing abuses for companies like Cash4Gold, but "Cash4" anything does not instill any amount of trust in a brand, at least to me.
Knowing that you consider tampering with nonmalicious subscriber traffic to be crossing a line is something I would pay a premium for.
It did take a while to figure out what was causing the intermittent DNS failures. "My ISP is hijacking all port 53 traffic" was fairly low on my list of possibilities, I must admit.
Fortunately it's not that hard to run a local resolver that forwards queries to an external resolver on a vps on an alternate port.
I'd switch ISPs, but I live in a remote area and my only other choices would be satellite or cellular, so I'm stuck with them.
This experience has taught me simply to distrust the DNS protocol in its current form and use DNSCrypt in all situations.
: Shaw Communications, chosen by the landlord.
Signing DNS responses has much more value than encrypting them.
If you set up DNSCrypt with OpenDNS, you're not improving the situation. You're just adding an additional third party that can see what you're doing.
DNSCrypt is a perfectly fine solution for this threat model.
I posted a similar comment twice in response to different people. There is nothing wrong with this.
The rest of your comment is irrelevant as it assumes I'm replying to the article rather than to the parent comment. The parent stated that he uses "DNSCrypt in all situations." I don't want people to think this is a good idea.
It's been 7 years or so since I used Shaw.
dig @www.facebook.com news.ycombinator.com
Run your own recurive DNS server (e.g. dnscache) on 127.0.0.1.
Alternatively, query authoritative servers directly. Use a port other than 53 if you really think your ISP is trying to filter your outgoing queries; I sincerely doubt they would bother.
184.108.40.206 is an authoritative .com server. Memorize that number.
dig +norecurse -b0.0.0.0#5353 news.ycombinator.com @220.127.116.11
The names on the right of the "NS" rows are the authoritative servers for ycombinator.com. (Cloudflare. No comment.)
18.104.22.168 has the IP addresses for those. You'll find them in the "ADDITIONAL SECTION". Let's say it lists 22.214.171.124 as an IP address.
dig +norecurse -b0.0.0.0#5353 news.ycombinator.com @126.96.36.199
And you should receive the IP address for news.ycombinator.com, or at least your next clue where to look (if the DNS admin has chosen to play games with CNAME).
This method can be automated.
Your ISP is not "intercept[ing] all DNS requests". You are sending your requests to your ISP's recursive DNS servers (why?), and those servers are feeding you whatever information the ISP chooses. Go figure, they are sending you bogus info to inject advertising. Solution: Stop sending your requests to your ISP's recursive DNS servers (or any third party recursive DNS servers). Send your requests to your own recursive DNS server running on 127.0.0.1, or send nonrecursive requests to authoritative DNS servers only.
"dig @www.facebook.com news.ycombinator.com" does not use the ISP's DNS servers at all. It sends a DNS query to Facebook for Google, which should normally fail. His ISP hijacks the request and provides a response. In this scenario, the advice in your comment is pointless because they will hijack requests whether they are directly to authoritative servers or if they are to recursive servers.
""dig @www.facebook.com news.ycombinator.com" does not use the ISP's DNS servers at all"
Incorrect. The program he's using, dig, has to look up the numbers for facebook.com's authoritative servers first. And what DNS servers do you think it uses to do that? The defaults he has set: his ISP's.
"It sends a DNS query to Facebook for Google."
The "advice" I provided is not pointless. I would not provide pointless suggestions.
I am glad you asked. I am not getting what it is you
are trying to say. I also do not get why you keep
"The query for Facebooks server may use the ISPs DNS server,
but that's not the problem."
Why is that not the problem?
If you query the ISP's DNS servers, then the ISP can send you bogus answers. By giving you bogus answer they can redirect
your HTTP requests, which enables them to insert ads, among
other things. I presume you would want to avoid this. I
gave examples how you could do that. One way is to run your
own recursive DNS server on 127.0.0.1. Another is to only
query the proper authoritative servers.
Shaw uses a "DNS Redirect service". Customers can opt out.
Even if a customer does not disable this "service", I believe Shaw will not interfere with packets sent to remote DNS servers other than Shaw's.
In any event, the reason I commented on this was because (unless the customer has changed his defaults)
dig @www.facebook.com news.ycombinator.com
sends queries to Shaw's DNS servers. So stop doing this.
Unless the customer opts out, these queries are going to
If you wanted to test your theory (that Shaw is redirecting
every DNS packet sent by evey customer, even ones not using
Shaw's DNS servers), then the above invocation of dig will
not test this. It sends queries to the Shaw DNS servers.
Stop doing that.
Why does it send queries to Shaw's DNS servers? From
the dig(1) manpage:
A typical invocation of dig looks like:
dig @server name type
is the name or IP address of the name server to query. This can be
an IPv4 address in dotted-decimal notation or an IPv6 address in
colon-delimited notation. When the supplied server argument is a
hostname, dig resolves that name before querying that name server.
If no server argument is provided, dig consults /etc/resolv.conf
and queries the name servers listed there. The reply from the name
server that responds is displayed.
If for some reason you wanted to send a query for
news.ycombinator.com to the IP address for www.facebook.com
(without using any recursive DNS servers like Shaw's which
could give you bogus answers), then
dig +norecurse @188.8.131.52 news.ycombinator.com
would be the appropriate way to do it, assuming you choose
to use dig.
$ dig +short chaos txt version.bind @184.108.40.206
"PowerDNS Recursor 3.5.3 $Id$"
In effect, you are saying no customer can query any DNS
server except Shaw's.
That sounds a bit extreme.
I have more questions. Can you run some tests?
You say you use DNSCrypt. Can you try it with port 53?
Maybe something like
dnscrypt-proxy --resolver-port=53 --tcp-only
Now, without DNSCrypt, can you try using djbdns? For me at
least, it is easier to understand what the software does.
dig and the BIND libraries are far too complex for my liking.
Compile or get binaries for djbdns and use dnsq(1).
dnsq a news.ycombinator.com 220.127.116.11
Finally, compile or get binaries for drill(1) from NLnet
drill -t news.ycombinator.com @18.104.22.168
echo ". 1 in ns a.root.servers.net." > 1.tmp
echo "a.root.servers.net. 1 a 22.214.171.124" >> 1.tmp
echo > 2.tmp
drill -4ord -r1.tmp -tc2.tmp news.ycombinator.com @126.96.36.199
I know that some ISP's block all traffic sent to port 25.
But they have a compelling reason and hence a justification
for doing that. Not true with proxying traffic to port 53.
There's no harm in customers using DNS servers besides
I store all the DNS info I'll ever use in .cdb files and also in my /etc/hosts file.
I do this for speed reasons, because HOSTS or tinydns on 127.xxx.xxx.xxx is always faster than DNS. But if I had an ISP like yours, it would be a necessity for other reasons.
Shaw is actually interfering with their customers' ability to lookup IP numbers. This is the most basic of all internet services.
And no one is complaining?
Anyway, you could do bulk lookups with TCP and then store the DNS info locally.
That could reduce if not elimibate your need for DNS.
I've always thought that there should be DNS servers that can handle pipelined TCP queries, and this is one reason why.
If the idea of bulk lookups and not using DNS otherwise sounds intriguing and you want some examples of scripts to do bulk lookups, e.g. for HN sites, let me know. It sounds like you could really benefit from reducing your dependence on DNS.
1. For example, all the IP addresses for sites that appear on HN.
Super shady stuff. I never rely on any ISP provided DNS servers
Edit: I did a little research on CDN resolution back in undergrad. One of the things that was most difficult to measure, or even define, was DNS "performance."
Just because Google anycasts its DNS network does not guarantee the best performance. Running namehelp on many machines I often found that the "fastest" DNS server was not in the obvious set of DNS servers that you use.
So I guess the answer to the parent's question is: yes, possibly, but it's hard to define what "fastest" even means here. I would say that jrockway's response is even incorrect in his (implied) definite assertion that it cannot degrade your experience. If you want to know, you should measure from your endpoint. There is no other way.
It told me my the fastest option for me was Dyn's servers, but those have unacceptable to me anti-spyware "safe mode" blockouts. #2 on its list was Google DNS which I was already using.
The graphs for HTTP performance said namehelp's choices were degrading my performance on average by 11ms.
Good app to add to the toolchest though. It'll be interesting to try it out when I travel.
"We built Google Public DNS to make the web faster and to retain as little information about usage as we could, while still being able to detect and fix problems. Google Public DNS does not permanently store personally identifiable information."
As I mention in a related comment, if you're worried about the NSA knowing what websites you visit, you must not use TCP/IP. TCP/IP has no provision for obscuring the source and destination of packets; you have to add that at another layer.
(To wax philosophical, it seems that we're outgrowing the Internet. Nobody was worried about protecting their browsing history from their ISP or the government when the Internet was designed, so when we start talking about "if you use XXX service, the NSA can find out", that's true of pretty much everything except for things specially designed to hide browsing history from the NSA. Even those can be suspected to be compromised, meaning you shouldn't even be here commenting if you're truly worried about what information a DNS server might collect from you.)
If your employer gave a shit, this would read: "does not store information". But it doesn't, and they don't, and you're a cheap shill.
Google? No. Games? No. JS libraries? No.
Even if some might use CDNs, they are likely to also use geo-aware DNS servers. It cheap, don't cost anything, and can be combined with CDNs on ISP level.
This would make for a great watchdog site to provide visibility across different ISPs (and could also discourage other ISPs from pulling this crap).
It is cumbersome to implement and maintain, requiring co-operation of registrars and frequent key regeneration.
It is also very, very chatty and imposes a considerable processing burden on the first-hop DNS resolver.
We need a signed DNS solution that isn't DNSSEC.
SSL, incidentally, seems like a major help here: you could detect common DNS hijackings by accessing the site via SSL. If you access https://amazon.com/ , an ISP hijacking the site would produce either a certificate error or a connection failure (depending on whether they even attempt to listen for SSL traffic).
Perspectives is a new approach to helping computers communicate securely on the Internet. With Perspectives, public “network notary” servers regularly monitor the SSL certificates used by 100,000s+ websites to help your browser detect “man-in-the-middle” attacks without relying on certificate authorities.
This also shows a weakness in DNS. There is currently no
way to validate the DNS record you’re being served is what
the person hosting the website intended.
That being said, their network still leaves something to be desired, the IPv6 routes taken to get to the same IPv6/IPv4 host can sometimes be circuitous and I have noticed that they have a higher latency too. So there are upsides and downsides, but I hope it can only get better with time!
TLDR: DNSSEC is kinda complex and hacko, doesn't protect you as much as you might think, and introduces a whole new PKI that you should probably trust even less than the current ones. But read the links above for the real story.
I'm using DNSCrypt right now, which (correct me if I'm wrong) protects against DNS interception by my ISP, and seems like a whole lot less trouble than DNSSEC.
dnssec protects mostly from poisoning between nameservers. It does little to protect between a host and their namserver.
But in reality dnssec is not a solution, it's a problem. It will never be adopted in a meaningful way without major overhaul in spec.
Your ISP can still see the IP address of every web server that you connect to, and can still see the "Host" header that your browser sends in HTTP requests, and also in HTTPS requests (due to SNI) if you're using a reasonably modern OS/Browser combo.
All you've done is add an additional third party that can view and log what you're doing.
You forgot the part where it's protecting against trashy ISPs like the one in this article.
traceroute to news.ycombinator.com (188.8.131.52), 30 hops max, 60 byte packets
1 customer-GDL-**-***.megared.net.mx << 177.230.**.*** Dynamic IP, GDL is the city of the company
2 10.0.28.62 (10.0.28.62) 8.939 ms 8.941 ms 8.935 ms
3 10.2.28.195 (10.2.28.195) 8.912 ms 8.903 ms 8.891 ms
4 pe-cob.megared.net.mx (189.199.117.***) 8.878 ms 8.866 ms 14.201 ms << COB is the user city
5 10.3.0.29 (10.3.0.29) 23.494 ms 23.483 ms 23.408 ms
6 10.3.0.13 (10.3.0.13) 22.842 ms 19.609 ms 19.596 ms
7 10.3.0.10 (10.3.0.10) 19.560 ms 19.555 ms 19.536 ms
8 201-174-24-233.transtelco.net (184.108.40.206) 19.527 ms 20.650 ms 19.468 ms
9 201-174-254-105.transtelco.net (220.127.116.11) 34.239 ms 31.793 ms 31.268 ms
10 fe3-5.br01.lax05.pccwbtn.net (18.104.22.168) 31.792 ms 31.736 ms 33.533 ms
11 any2ix.coresite.com (22.214.171.124) 32.834 ms 33.221 ms 33.429 ms
12 ae3-50g.cr1.lax1.us.nlayer.net (126.96.36.199) 41.288 ms 41.228 ms 41.231 ms
13 ae2-50g.ar1.lax1.us.nlayer.net (188.8.131.52) 42.632 ms ae1-50g.ar1.lax1.us.nlayer.net (184.108.40.206) 35.192 ms 33.860 ms
14 as13335.xe-11-0-6.ar1.lax1.us.nlayer.net (220.127.116.11) 35.143 ms 44.714 ms 44.666 ms
15 18.104.22.168 (22.214.171.124) 37.638 ms 37.239 ms 36.997 ms
Tampering with the data, however, is not OK at all. In the U.S. I believe it may make the ISP exempt from for example the safe harbor clauses in the DMCA.
I'm surprised we haven't seen similar behaviour from Chrome extensions. I'm sure it would be caught eventually, but this isn't exactly something that people tend to look for, so it would take a while for people to catch it.
The "Window Resizer" Chrome extension got a silent update a few weeks ago. It rewrote all the links on Google search result pages to point to a proxy that added affiliate links where possible.
I did a google search and realized something wasn't right. Uninstalled all the crapware apps that wormed their way in. And then I looked at the chrome extensions and low and behold there it was, more crapware.
I removed them and they re-added themselves. I had to run spybox s&d to remove it completely.
Moral of the story: chrome extensions are in some ways worse than toolbars.
Gypsy: "An itinerant person or any person suspected of making a living from dishonest practices or theft; a member of a nomadic people, not necessarily Romani; a carny."
Even if you are fine with your ISP committing fraud, you are negatively effected by the complexity (points of failure) and latency this adds to the network.
But seriously I don't know how brew works, though looks like the code supports the option:
brew install curl --with-ares
It's fun while it lasts.
This works well for me. But I have found that this is the kind of thing where an expert can pop in and say "have you considered risk X with solution Y?" and leave me dumbfounded.
So use at your own risk.