Friday, September 25, 2009

DNS Redirection and how it will break things

Some hot debate around the implications and rightness of service providers to do things like traffic filtering, session hijacking

Here's a summary if you don't want to read the details:
DNSBLs probably don't work anymore for Comcast users
Owned domains (semicomplete.com, google.com, etc) are also subject to hijacking. Domain owners cannot opt-out.
Down dns servers may result in full-domain hijacking by Comcast (due to dns search suffix and retry behavior)
Privacy/security/cookie leak due to domain hijacking
There is an IETF draft to formalize/standarize this destructive behavior that ignores consequences and impact, and neglects important points.
Sometimes Domain Helper malfunctions and steals valid hostnames, like www.google.com: screenshot here ; or a video
Web browsers aren't the only things using DNS.

All of the samples below are real data I observed while digging into this issue. They are not faked.

Comcast recently finished rolling out their new Domain Helper software. This tool intercepts responses from other DNS servers and replaces them with forged responses that point to comcast's search portal. It currently modifies responses that indicate 'no such hostname'; in DNS this response is called NXDOMAIN.

More info: www.semicomplete.com/blog/geekery/comcast-dns-hijack-breaks-things.html

No comments: