0 22 min 1 yr

Oct 2, 2014: How malicious are ISPs or Spectrum Kings? Some are already practicing DNS hijacking, messed up but obviously may be not illegal, paid to keep things in a state of low-clarity confusion and public service agents for that affect. Yet for some reason there are ISPs that do this and have been getting away with this for years. Even stranger is that it’s apparently tolerated, by clients as well as law.

Helped a friend who couldn’t connect to his server, it turned out that the issue was because his ISP, TalkTalk, was returning the wrong IP address for his domain name ! TalkTalk’s DNS said, obviously that’s not the IP we were looking for.

I helped him change his DNS settings to use domain name resolvers that don’t commit man-in-the-middle attacks. A recent similar attack on users was caused by the DNSChanger virus.

A ‘whois’ reveals the IP is assigned to Barefruit.

Barefruit is a company that helps ISPs patch and break their DNS software (Bind, djdbdns, PowerDNS) to make sure they hijack user’s DNS queries. Their solution substitutes NXDOMAIN (non-existant domain) replies with A records to an IP that hosts spam (non solicited advertising).

Because Barefruit thinks that “Server not found” or “This webpage is not available” is unintelligible… . If a person does not understand “This webpage is not available”, how could they understand any other web page that contains words ? Or worse, how can they even understand that they mistyped the website’s url ?

Their goal of course is good old user monetisation. Even error pages can generate revenue. They demonstrate having no shame as they write:
Barefruit has spent the past five years building strong and mutually beneficial relationships with our best-of-breed advertising partners, working together to provide useful results to our customers and generating the maximum revenue from ISPs’ error pages.

I must point out that these pages are not “ISPs’ error pages”, they are “user’s error pages”.

Barefruit has a page on “Opt Out” which is even more ridiculous. Barefruit recognises that some people – mainly technically savvy advanced users, may wish to opt-out of this service. Besides the fact that it should be “Opt In” if anything, actually using the address bar has become something that “mainly technically savvy advanced users” only ever do. But mostly, how many people even understand the implications of this ? Every user who understands what’s going on should want to opt-out. These ISPs are undoubtedly taking advantage of their customer’s ignorance.

The damage list goes on. Not all services are HTTP based, so when you try to connect to a non-web server you don’t even see the advert/spam pages. This can make it more difficult to figure why your application might be failing, but even worse, all traffic you might be trying to send to the server you were trying to reach is intercepted by Barefruit (they can take it or leave it, but they are technically intercepting it).

There is absolutely no good reason to accept this, unless you think it’s a good idea for a phone company to redirect their customers to a cold caller when they misdial a phone number. It’s exactly the same thing.

It’s not just TalkTalk who’s doing this, there are many many more including Virgin Media. In fact I haven’t (yet) found a full list of ISPs who hijack their client’s DNS and redirect traffic to their own servers. A friend of mine showed me that Virgin Media also does this.

Some might react by thinking of using 3rd party DNS, why not, but beware, most of them do the same thing, like OpenDNS, DNS Advantage, Norton DNS and probably others. Google DNS does not hijack DNS so far, I believe they are smart enough to not do that and be satisfied with the data they gather.

You can test if your ISP does this by either trying to visit a domain that clearly does not exist, like this link for example. You could also just use dig to search.

As you can see, we get a status: NOERROR where we should have status: NXDOMAIN and the IP belongs to Barefruit again. Others such as OpenDNS and Norton use their own IPs.

These DNS servers are so desperate they’ll resolve anything that has a dot.

The only case for this to be acceptable is when a user explicitly chooses to use such a service and understands the implications. There may be some interesting positives uses, but certainly not done without your consent.

You can “opt-out” of these services they say, but here’s the thing, DNS is such an important aspect of the Internet that messing with that is exactly the opposite of what we should be doing. It can lead to phishing, censorship and other malicious activities. Altering the content of communications is probably very illegal, and this is that.

My ISP has recently started to do some dodgy stuff with non-existent domains. For example, when I do an nslookup for a domain which doesn’t exist, I get redirected to their Google mirror:

Wonder if they get a cut of any Adwords delivered to the custom search page.

Monitizing your internet usage – that is the point of what is being done. So yes, they will, in effect earn an income from it.

I have no idea how this solution works, but there are many devices where you don’t even need to load up the search page – they gather the stats via the failed DNS requests. Others will be standard click-throughs, or impressions of the search page.

Point is, if they use it to improve their bottom line, and therefore offer a lower cost service to us, then sure, go ahead. Your internet usage is (mostly) not private, and there are many points along the chain where others can derive statistical information.

Like always, if you have a need to secure your information, you should. You can use a VPN service to bypass the eftel proxy clusters and start your internet endpoint anywhere in the world. For most people this is not needed though..

Andrew, if you have the time and courage you should file a complaint with your ISP stating that they are tempering with your data communications and/or impersonating TLD servers.

Meaning, when you ask for domain-that-really-doesnt-exist.com, the .com server replies “Doesn’t exist, status: NXDOMAIN”, at this point Eftel’s resolvers (your ISP), which acts as a cache/relay server, alters the information.

You can confirm this by asking the .com servers yourself for this info.

Leave a Reply