
RoadRunner Intercepting Domain Typos

Posted by kdawson on Tue Feb 26, 2008 02:26 PM
from the following-in-the-footsteps-of-netsol dept.
shaunco writes "Sometime around midnight on February 26th (at least for the SoCal users), TimeWarner's RoadRunner service started intercepting failed DNS requests, redirecting them to RoadRunner's own search and advertising platform. To see if this has been enabled in your area, try visiting {some random string}.com in your Web browser. This feature subverts user preferences set within browsers, which allow the user to select which search engine receives their typos and invalid domains. RoadRunner users can disable this function — or they can just use OpenDNS. Here is an example RoadRunner results page."

  • OpenDNS Guide (Score:5, Insightful)

    by Anonymous Coward on Tuesday February 26, @02:27PM (#22561330)

    or they can just use OpenDNS
    But OpenDNS does the exact same thing [opendns.com]!
    • Re:OpenDNS Guide (Score:5, Informative)

      by jagilbertvt (447707) on Tuesday February 26, @02:29PM (#22561370)
      This has actually been going on for a few weeks now for New York area customers. However, there is an opt-out option that comes up on the page that comes up. I'm not quite sure how it tracks those opt-outs (by ip address perhaps?), as I didn't delve into it too deeply.

    • Re:OpenDNS Guide (Score:5, Insightful)

      by mrbcs (737902) on Tuesday February 26, @02:30PM (#22561400)
      Yes, but the difference is that YOU get control of how these are handled, not your ISP.
    • by Anti-Trend (857000) on Tuesday February 26, @03:07PM (#22562022) Homepage Journal
      OpenDNS is actually substantially worse. At least Roadrunner is obvious about the fact that you're visiting their servers. With OpenDNS, it seemed they were actually proxying requests for well-known search engines that were *not* typo'd in order to grab stats. Try setting your DNS resolvers to OpenDNS, then dig (or 'nslookup' for you Windows folks) www.google.com. Do a whois on the resulting IPs, and guess who they're registered to... Google? Nope, OpenDNS! At least, last I checked -- that was also the last time I used OpenDNS.
        • Re:OpenDNS Guide (Score:5, Informative)

          by tomz16 (992375) on Tuesday February 26, @03:01PM (#22561930)
          FAIL for failing to understand how DNS works... Your statement is only true if you are running a caching server. No reason why bind can't do its own lookup. You lose out on the cache benefits of a larger DNS server, but don't have to rely on anything other than the roots.
          • Re:OpenDNS Guide (Score:5, Interesting)

            by MadAhab (40080) <slasherNO@SPAMahab.com> on Tuesday February 26, @03:48PM (#22562796) Homepage Journal
            I just programmed my cable modem to use 4.2.2.1-3 for DNS. Problem solved. At work, under a RoadRunner business connection, we've long run our own DNS because the RoadRunner DNS servers have always been just shit.

            Suspiciously, however, I didn't turn off the "service". Someone at the other end did it. I refused to give them my phone number, so either they used caller ID to pull up my account without my consent, or they blacked out my cable modem MAC when I started portscanning the server and looking up a hundred variations of www.stopfuckingwithmydnsroadrunnersucksdogballs.com.

            All around evil. Cable companies are doing this to boil the Net Neutrality frog, have no doubt about it.
  • by esocid (946821) on Tuesday February 26, @02:30PM (#22561388)
    They just throttle my connection until it fails.
  • by daveywest (937112) on Tuesday February 26, @02:31PM (#22561420) Homepage
    Seems like I should be registering this and pointing it to my porn/phishing site right now.
  • by Galaga88 (148206) on Tuesday February 26, @02:32PM (#22561440)
    My local ISP (Insight in Evansville, Indiana) does the same thing. Even worse, when you 'opt-out' of their URL redirection, they instead redirect you to a fake IE error page. Slimy.
  • by themushroom (197365) on Tuesday February 26, @02:34PM (#22561472) Homepage
    Roadrunner's not-found page seems roughly as useful as the default MSN Search page that IE puts up automatically if a page can't be found. Which is to say, not very.

    But it's still nowhere near as worthwhile as the "what you want, when you want it" domain squatter pages where most of the links are porn and ads. Catch up, Roadrunner!!

  • HAHAHA (Score:5, Informative)

    by GodCandy (1132301) on Tuesday February 26, @02:48PM (#22561704)
    How ironic... someone registered www.jkshdfkljh23sadf.com as a parked domain. Wow these ppl need help.
  • by pslam (97660) on Tuesday February 26, @05:04PM (#22563928) Journal
    For those that don't get it yet: this breaks every other protocol that isn't HTTP.

    Sigh, and for those who still don't get it: HTTP is what your web browser uses to get web pages.

    All those who are spouting "it's useful" or "I don't understand what the fuss is" or "why can't they do it?"... you simply don't understand the issues and shouldn't be commenting.

    • Here's why: (Score:5, Insightful)

      by NeutronCowboy (896098) on Tuesday February 26, @03:55PM (#22562898)
      It means that ISPs intercept server requests and redirect the user to a different server. In this particular case, you're right - whether I get Firefox to display a 404 message or a page from RR, Verizon or any DSL that essentially says "This site doesn't exist, but try searching through here" doesn't matter to me. I'll just type the address in again.

      However, there is one instance where this issue matters right now: a lot of site monitoring still relies on pings or basic server lookups to figure out whether the server is up and running. This feature would immediately screw with that kind of monitoring. Basically, you cannot assume anymore that because a dns lookup or a ping returns a positive result that the server with that hostname is actually alive or in the DNS tables. Yes, there are ways around that, but it basically breaks one of the central tenets of the internet: the intelligence is on the edge of the network, and everything in between is just a packet forwarder.

      More significantly though is that it redirects a user to a place that wasn't requested. Basically, it means that from a technological perspective, this is no different than RR or Verizon taking my request to www.google.com and redirecting it to their own search page. See why this can easily become a very, very big deal? I can guarantee you that this is a trial balloon by the ISPs to see how users react to this. If this goes through, expect that at some point in the future, you will have to jump through hoops to get to the site you want, and not the site your ISP thinks you ought to want.

      This is another problem that will most likely have to be enshrined in actual law: ISPs shall not take a request and redirect it elsewhere. The potential for and likelihood of abuse is just too large otherwise.

      Welcome to the intelligent network. It'll be a nightmare.
    • Re:So? (Score:5, Informative)

      by Todd Knarr (15451) on Tuesday February 26, @02:59PM (#22561894) Homepage

      The problem here is that what TW is doing breaks DNS. By the RFCs, when I try to resolve a name that doesn't exist, I'm supposed to get an NX "record does not exist" result. What I get instead is an affirmative A record "name exists at this address" response. What happens at the browser level is irrelevant, TW's DNS system has already lied about the state of the DNS records associated with a given domain. This badly breaks a lot of things that aren't browsers that use HTTP and depend on correct NX responses to tell them when the server they're trying to talk to doesn't exist.

      As long as TW doesn't block direct use of non-TW DNS servers this can be worked around. If they start blocking that access, or redirecting all DNS traffic to their servers, then we've got a major problem on our hands.
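
The NXDOMAIN rewriting described in the comments above can be detected from a client, and monitoring can be told to ignore the rewritten answers. This is an added example, not code posted in the thread; the function names are hypothetical, and the resolver is passed in as a callable so the check can also be exercised against a stub.

```python
import secrets
import socket


def system_resolve(name):
    """IPv4 addresses the configured resolver returns; empty set on NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def random_probe_names(count=5, tld="com"):
    """Names that should not exist: 24 random hex characters under the TLD."""
    return [f"{secrets.token_hex(12)}.{tld}" for _ in range(count)]


def find_rewrite_addresses(resolve=system_resolve, probes=None):
    """Addresses handed back for two or more unrelated nonexistent names.

    One probe may happen to be a registered or parked domain, so a single
    answer proves nothing; the same address for several random names does.
    """
    probes = random_probe_names() if probes is None else probes
    seen = {}
    for name in probes:
        for addr in resolve(name):
            seen[addr] = seen.get(addr, 0) + 1
    return {addr for addr, count in seen.items() if count >= 2}


def host_exists(name, rewrite_addrs, resolve=system_resolve):
    """Monitoring check: an answer made only of rewrite addresses counts as NXDOMAIN."""
    return bool(resolve(name) - rewrite_addrs)


if __name__ == "__main__":
    rewritten = find_rewrite_addresses()
    print("resolver rewrites NXDOMAIN to:", sorted(rewritten) or "nothing")
```

Run the probe at start-up and again when the network changes, then pass its result to every existence check. A monitor that relies on a bare lookup without this filter reports dead hosts as alive behind such a resolver.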

        • Re:So? (Score:5, Insightful)

          by Todd Knarr (15451) on Tuesday February 26, @04:07PM (#22563086) Homepage

          Say you've got a program on an embedded device that automatically downloads updates. It retrieves "http://updates.devicecompany.com/model/latest-firmware.txt" to check what the latest offered version of the firmware is, and if the latest is greater than what's installed it retrieves "http://updates.devicecompany.com/model/firmware-.dat" and installs it. If the company goes out of business or stops providing updates, updates.devicecompany.com won't resolve anymore or will return a 404 error, so the device doesn't need to do a whole lot of error checking. And error checking means more code, which means more memory needed to hold that code, and this device is designed to be as cheap as possible so it omits anything it doesn't need.

          Now, suppose the company goes out of business. No problem for the device, the host it's at is supposed to not resolve anymore so it won't try to contact it. But now TW intervenes. Instead of failing to resolve or getting a 404 error, the grab of the latest firmware version returns garbage (an HTML page, not a properly formatted indication of the latest firmware version). Bam, device crashes. Or worse, it misparses the results and tries to download new firmware. Again, garbage (HTML page) instead of a valid firmware image. But since there's no error checking, it tries to load that HTML page into memory as a firmware image. Bam, one insta-brick.

          Or suppose the device isn't even using HTTP. The DNS servers don't know what protocol the device intends to talk, it could be logging into an FTP server or querying data via SNMP for all TW knows. The application gets bogus DNS responses anyway, even though it's not using HTTP or the Web at all. Breakage is the least problem here. The application's sending things like passwords up to the server. Even if it uses SSL to protect against eavesdropping, the TW server is an endpoint and SSL won't stop the endpoint from seeing the data. Do you want to have applications handing your vendor-support-site passwords over to TW because of a typo in a hostname? I sure don't.

          This isn't a problem when it's a human running a browser looking at pages. But there's a large chunk of traffic that isn't humans, isn't a browser, and isn't using the Web at all. And TW's change breaks everything except that small, select chunk that's humans looking at a browser window. Bad thing, that.
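
The update check in the scenario above fails because the device accepts whatever bytes come back. This is an added example, not code from the thread, of a client that treats a redirect page as "no update"; the manifest format (a dotted version followed by a SHA-256 digest of the image) and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Assumed manifest format (not from the thread):
#   b"<major>.<minor>.<patch> <sha256 hex of image>\n"
MANIFEST_RE = re.compile(rb"\A(\d{1,5})\.(\d{1,5})\.(\d{1,5}) ([0-9a-f]{64})\n?\Z")
MAX_MANIFEST_BYTES = 128  # a version line is short; an HTML page is not


def parse_manifest(status, body):
    """Return ((major, minor, patch), digest) or None for anything malformed."""
    if status != 200 or len(body) > MAX_MANIFEST_BYTES:
        return None
    match = MANIFEST_RE.match(body)
    if match is None:
        return None
    version = tuple(int(part) for part in match.group(1, 2, 3))
    return version, match.group(4).decode("ascii")


def update_offered(installed, status, body):
    """Return the parsed manifest only if it names a newer version."""
    parsed = parse_manifest(status, body)
    if parsed is None or parsed[0] <= installed:
        return None
    return parsed


def image_matches(image, expected_sha256):
    """Compare the downloaded image against the digest before flashing."""
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)
```

A digest fetched over the same unauthenticated channel only rejects garbage such as a search page; it does not authenticate the image, which requires a signature checked against a key stored on the device.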

    • by Todd Knarr (15451) on Tuesday February 26, @03:04PM (#22561972) Homepage

      There was. What TW's doing is more pernicious, though. When NetSol was doing it, they were returning the A records directly from their first-level nameservers. BIND's no-delegation option can deal with that, because those first-level nameservers aren't supposed to be returning A records and BIND can translate those responses into proper NX responses. With TW, since their DNS servers are supposed to be returning A records, there's no way to tell whether a particular affirmative response is valid or invalid. The only way to fix the problem is to cut TW's servers out of the loop entirely. All well and good, until of course TW either starts blocking all traffic to port 53 that's not to their DNS servers (like they do with outbound to port 25 now) or silently redirecting all DNS queries to their servers. Note that both of these are trivial, my own firewall has (commented-out) rules for both and neither takes more than about 3 lines.

    • by hal9000(jr) (316943) on Tuesday February 26, @03:24PM (#22562348)
      I care because if I typo an address, I can click in the URL bar and edit it. When I am redirected to a f*cking helpful search page, I can't do that anymore. I have to select, cut, edit, a whole GET string. It's a pain in the ass. Also, some people use other network enabled stuff than a browser.

      I have FiOS at home and luckily VZ has an opt out if you want to go configure your DNS manually in your router.