
ISPs Improve Their DNS Hijacking And How To Stop It

68 points, by SnowLprd, about 13 years ago

12 comments

snarkinatree, about 13 years ago
This is also how OpenDNS makes money. Neustar does the same. And probably others too. They call this "DNS service". Anyone can run a resolver, including your next door neighbor. Unless you live next to a datacenter, your neighbour's "DNS service" will likely be faster than Google's or any commercial vendor. It's been suggested the optimum number of users for a decent cache is probably around 10 [source: IPJ]. Can you trust 10 people not to poison the cache? How many users do you think the "DNS service" providers have? Can you trust each and every one of those users? As for DNSSEC, most people running authoritative nameservers for websites do not support it, let alone most domain name registries.

Interesting to note: no rDNS for either of those IPs.
DHowett, about 13 years ago
I believe Comcast stopped this as of their network-wide DNSSEC deployment.

Either way, the article provides a pretty interesting way around it, but I can't expect ISPs hell-bent on false lookup spoofing to sit on their hands for long enough to make this a practical long-term solution.
Comment #3921841 not loaded
pjscott, about 13 years ago
This is one of the many problems that DNSCurve solves, by setting up encrypted and authenticated connections between you and any DNS servers you decide to trust.

http://dnscurve.org/

OpenDNS already supports it:

http://blog.opendns.com/2010/02/23/opendns-dnscurve/
Comment #3921535 not loaded
Comment #3921679 not loaded
Rudism, about 13 years ago
I don't quite understand how the new method of hijacking gets around using 3rd party DNS servers. If I ping nonexistentdomain.tld, doesn't that lookup occur at the 3rd party server? How does my ISP inject its own IP address for that domain if the IP address is coming from (for example) Google? Are they intercepting the entire DNS query?
Comment #3920635 not loaded
hextraorinary, about 13 years ago
There's a solution to all this, where you will *always* get the right response, and it even obviates the need for DNSSEC or DNSCurve.

And that is, write your own resolver that only sends nonrecursive queries to authoritative nameservers.

If the DNS admin has configured DNS simply and sensibly, it will only take you 2 queries to get a name resolved. It's very fast.

If they are using Akamai or some other CDN, or they have a love for CNAMEs and indirection, it can take many more queries. Sometimes up to 7.
Comment #3922437 not loaded
JumpCrisscross, about 13 years ago
What is so insidious about ISPs serving ads on un-occupied domains? I can't see who it hurts and it seems like a rather clever way to monetize dead space.
Comment #3921123 not loaded
Comment #3921211 not loaded
Comment #3921502 not loaded
Comment #3921661 not loaded
Comment #3921116 not loaded
rblatz, about 13 years ago
I'm on Time Warner and just tested this. Could not reproduce.
Comment #3921786 not loaded
sounds, about 13 years ago
I want to know whether the false NXDOMAIN (saying the domain is actually present at the address of your ISP) is DNSSEC-signed.

If it isn't, oh well.

If it is, this is an exploit and is big news.
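As an added example (not from the article or any commenter): a stdlib-only parser that classifies a resolver's response to a probe for a name you know does not exist. An honest resolver answers with RCODE NXDOMAIN; a hijacking resolver answers NOERROR with an A record pointing at a landing page. It also reports the AD bit, which is the resolver's claim that the answer was DNSSEC-validated, the question raised above. The probe name, transaction id and addresses are constructed, and `build_response` is a helper for constructing sample messages rather than a capture from any ISP.

```python
import struct
NXDOMAIN = 3  # RCODE value from RFC 1035 (0 is NOERROR)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), off if end is None else end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def classify_response(msg):
    """Classify a response for a name known not to exist; also report the AD bit."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, ad = flags & 0x000F, bool(flags & 0x0020)
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4        # skip QNAME, QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record: collect the IPv4 address
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    if rcode == NXDOMAIN:
        return "nxdomain", ad, addrs
    return ("hijacked" if addrs else "noerror-empty"), ad, addrs

def build_response(name, rcode, answer_ip=None, ad=False):
    """Construct a sample response (not a real capture) with one question."""
    flags = 0x8180 | rcode | (0x0020 if ad else 0)   # QR, RD, RA set
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    if answer_ip:                                 # answer name = pointer to QNAME at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += bytes(int(x) for x in answer_ip.split("."))
    return msg
```

Against a live resolver, send the probe for a random label under a domain you control and feed the raw reply to `classify_response`; an AD bit on a NOERROR-plus-A answer for a nonexistent name would mean the forged record passed validation, which is the case the commenter calls big news.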
pdubs, about 13 years ago
Don't bloggers have to disclose affiliate links now?
Comment #3921519 not loaded
drucken, about 13 years ago
Doesn't this mean ISPs themselves couldn't use their own DNS servers for a reliable DNS service?

Talk about not drinking your own Kool-Aid...
TazeTSchnitzel, about 13 years ago
Won't DNSSEC stop this, hopefully?
mhurron, about 13 years ago
Run your own nameserver(s)?
Comment #3921549 not loaded
Comment #3920853 not loaded