Tellingly, the article almost completely ignores the apparently sizable number of US ISPs that return something very different from NXDOMAIN ("not found") when you ask for a nonexistent domain name.
This is why I use Google's DNS servers (8.8.8.8, 8.8.4.4).
I was surprised by this rather recently, when my girlfriend and I moved in with her brother to conserve finances (both his and ours, since their other brother had just moved out leaving him with larger-than-payable bills). I mistyped a URL and it came back with an ISP-provided search page, which infuriated/surprised me. As it turns out, I only had the wireless connection set to use GDNS, but I was temporarily using a wired connection until I could buy a new wireless router (the previous one was a modem/router combo from the ISP, despite the fact that when I returned it the woman at the desk "corrected" me when I told her I was returning the router, saying that they don't deal with routers. I just smiled, did my business, and left.)
You hate the ISP doing it, but you'll freely give Google a list of all sites you visit? Admittedly this doesn't tie to your Google account directly, but if you hit it recently enough for both requests to have a similar time and IP address... you can figure the rest.
I prefer to use OpenDNS. They do show a search page, or a "not responding" page, but they don't bug or track me that I'm aware of.
It's not a uniquely American thing - Telstra/BigPond in Australia do it too, partnering with Yahoo search.
It's frightfully annoying (but easily disabled for the technically-aware), because it actually redirects - this means fixing newss.ycombinator.com requires retyping the URL in its entirety.
I understood the whole article is supposed to be about them, except that this fact is very much disguised by a poor quality of the article.
The statement of "DNS server in question not passing the query directly to the search engine but through a host of other URLs" is factually nonsense - a DNS server is only supposed to pass the query (that being a query for A/AAAA records in the browser case, not the search query as they imply) to the authoritative servers within the hierarchy.
I think what this article means is as follows:
- the browsers try the name lookup on the DNS before treating the contents in the address bar as a search query.
- this treatment happens if the DNS replies NXDOMAIN
- if the domain exists (the browser gets A/AAAA record), the browser contacts the server in the reply.
- so the malicious DNS servers take the queries for which they are supposed to return the NXDOMAIN and instead interpret them and return the A/AAAA answers pointing to the servers filled with ads related to the keyword which was present in the DNS query.
- this is bad.
Of course this kind of "setup" breaks other applications besides the web - but, HTTP being north of 90% of traffic volume, no-one cares too much, probably.
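The behaviour described above (a resolver answering a name that cannot exist with an A record instead of NXDOMAIN) can be checked from the client side. The following is an added example, not code from any commenter or from the article; it assumes a plain UDP resolver on port 53 and uses a constructed sample reply (the address 192.0.2.53 is a documentation-range placeholder) so the classifier can be exercised without a network.

```python
import os
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal recursion-desired A query for `name`, in DNS wire format (RFC 1035)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)  # type A, class IN

def skip_name(msg, off):  # advance past a name, written out or a 0xC0 compression pointer
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_response(msg):
    """Return ('nxdomain' | 'hijacked' | 'other', [A records]) for a raw DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F == 3:  # RCODE 3 = NXDOMAIN: the honest answer for a nonexistent name
        return "nxdomain", []
    off = 12
    for _ in range(qd):  # question entries: name + type + class, no rdata
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # type A
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ("hijacked" if addrs else "other"), addrs  # an address for a name that cannot exist means rewriting

def constructed_reply(rcode, name, answer_ip=None):
    """Constructed sample reply (not captured traffic) to the query build_query(name) produces."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if answer_ip else 0, 0, 0) + build_query(name)[12:]
    if answer_ip:  # answer RR: pointer to the question name, type A, class IN, TTL 60, 4-byte rdata
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return msg

def probe(resolver, timeout=2.0):
    """Ask `resolver` for a random label that cannot exist and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query("nxd-canary-%s.com" % os.urandom(6).hex()), (resolver, 53))
        return classify_response(sock.recvfrom(512)[0])

if __name__ == "__main__":
    print(probe("8.8.8.8"))  # swap in your ISP's resolver address to compare
```

Running `probe` against the ISP's resolver and against a known-good one side by side makes the rewriting visible; a resolver that returns "hijacked" for a random label is the case the thread describes.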
My ISP (Windstream DSL) started redirecting nxdomain responses years ago. I noticed when I mistyped a host alias I had set up for ssh and got back `connection refused` when it was not even a fully-qualified name.
Thankfully VeriSign did this to .com once with their SiteFinder service, so FOSS DNS servers generally have good support for assigning a particular IP address as "this is really NXDOMAIN". (Nowadays, I'm running Unbound locally anyway for DNSSEC.)
EDIT: the opening paragraph used to read "My ISP started doing this," but a closer look at TFA indicates this issue is about intercepting DNS queries to existing, legitimate search providers in order to substitute paid results.
If disclosed, and the customer also receives an indirect benefit (cheaper service), is this any worse than similar tracking via the Google Toolbar, and all the various page-insert sensors (Analytics, AdSense, +1, etc) reporting a significant and growing amount of all web activity back to the MotherPlex?
(That is, setting aside the obviously evil practice also alleged in this article of sometimes using these redirects for click fraud.)
This assumes that the customer has the option of choosing another service if they don't want to "opt-in" to such bullshit.
Sadly, in many places in the US, especially those places served by the ISPs mentioned, that is not the case. In the absence of reasonable choice (roughly the same speed of service) this becomes something that should be regulated.
Again, these kinds of things would all go away if we had public last-mile fiber that ISPs could lease. Regulation is a poor substitute for true competition.
The customer usually has the choice of self-help against such bullshit, even without changing ISPs, via using alternate DNS servers, a VPN, or other techniques. Education remains a better solution than regulation.
...makes it clearer the affiliate-payments scam, making these redirected searches look like paid clickthroughs, is central to the Paxfire approach. That's clearly fraudulent, and not equivalent to the Google tracking. (If they were just collecting interest/traffic/targeting info, then the equivalence I suggested above would apply.)
Time Warner does this too - but offers a control panel allowing you to disable this. Would be great if the control panel actually worked or remembered that setting, since I see it again every few months.
My rather large ISP, Charter, has been redirecting not found domains requested from a browser to a query on 'searchassist.teoma.com' for a few years. Very annoying; I block it in my hosts file.
Last I checked, Charter blocks outgoing DNS to servers other than theirs. Based on searching around, it sounds like they go back and forth on that policy.
Perhaps it varies by area? I'm in Wisconsin and I've been using 8.8.8.8 and/or 8.8.4.4 since I started getting service from Charter about a year ago, and I've never had a problem with it. Of course, doing that means I never noticed that they hijack NXDOMAINs, which definitely drops them a few notches in my eyes. I've had other ISPs do that to me; it's kind of infuriating.
So, instead of watching the terms you type into Bing, it watches the terms you type into the address bar. So if you put "apple" instead of "apple.com", the DNS server will redirect you instead of sending NXDOMAIN and letting your browser handle things (either failing or searching with your configured Google/Bing/etc engine).
When I first saw the headline, I thought the DNS server was reading my URLs, which would have been really interesting because it's impossible :)
Actually, when your browser sends a DNS request to your ISP's DNS server, it seems to redirect you to a proprietary search page providing suggestions for an invalid request. The whole URL isn't involved, but the domain part is.
It's funny - my initial response was going to be "use the Google DNS servers! 8.8.8.8, 8.8.4.4!", but I suppose they could be logging all sorts of information about me, too...
They store which ISP you were using and your general geolocation. If you're living in the middle of nowhere and your ISP is "Bob's Internet and Shoe Emporium", then I could see it being a bit of a problem.
Geolocation isn't an exact science though, as anyone who has ever seen an ad saying that beautiful people in <reasonably close, yet still hilariously wrong city> want to meet you can attest, and the more disparate the ISP, the more wrong it becomes, since in most cases you only really have "this IP block belongs to this ISP" to go on.
You can get a court order to use this information to force Google to give you information that can be used to identify you with your ISP, but your ISP already has a lot more information on you anyway.
If you're really paranoid that Big Brother Google is keeping an eye on your internet habits, then you should fire up Tor and put the IP address for howtooverthrowtheusgovernment.com in your hosts file.
That geolocation data isn't any more granular than city/region, which they have a valid reason to want to know about (network latencies vary with significant physical distance). We're not talking about your street address here.
If you are concerned about such logging issues, you could use Level 3's servers. They operate 6 DNS servers at 4.2.2.1 through 4.2.2.6. I've heard people claim L3 discourages this, but from my use, that doesn't appear to be the case.
This was a really sloppy write-up; they didn't make it clear what is going on at all. This is redirection if you type in a domain name that doesn't exist, which isn't a new trick.
Interesting. There were two links posted before arstechnica, both dealing with the same issue, one from eff I think, and neither made it to the front page.
Vote Rigging or just brand brainwashing or maybe groupthink?
A working DNS server is a good thing.