Tuesday, December 9, 2008

You don't need to be a hacker to abuse DNS

This morning I woke up, took a shower, and went straight to my laptop to let everyone on Twitter know that I had made it through another night, and had even decided to bathe. Unfortunately for me and my loyal followers, Optimum online had some tricks up its sleeve. It seemed that my DNS servers could not resolve www.twitter.com or twitter.com. Hmm. Check out Google. It's up. CNN? Up. Log on to EVDO, Twitter is fine. What the heck?

This DNS error was not like any I was used to seeing. I wasn't getting a vanilla browser message saying the page could not be displayed. No, I was getting an Optimum-branded page telling me that the "domain could not be found." Fortunately, the page offered me a variety of SPONSORED and pay-per-click links that I could burn some time clicking on. Of course, when you follow the links that actually go to Twitter, DNS still would not resolve, and I'd end up on the same "domain not found" page, where I could click on more links and generate more cash for Optimum online.

Optimum better shape up. Fios is in town now, and I don't like it when my ISP earns cash if their DNS servers screw up. Let alone the thought that they could intentionally force DNS glitches in order to generate some fast cash via sponsored links. What a racket!

Let's not forget about the bad habits this teaches end-users. "The server you were looking for cannot be found, so here click on these links instead." I can't wait until I see a message like that on my bank's web site!

Who thinks ISPs would not stoop so low as to launch DNS attacks against their own customers? As far as I'm concerned, that's what Optimum did to me.


Anonymous said...

Some ISPs have been doing much worse things. Like replacing adverts in the HTML of the page with their own adverts. You'd think adverts, who cares about those (in this case the ones one ISP was replacing were from a charity, so not very nice to start with). But they are changing content, that's just unbelievable! So I would really like to see more DNSSEC/DNSCurve, SSL, etc. Even though SSL and DNS have their problems right now. For DNS there are 3 possible ways to fix it, let's get them in the field. Because if we can guarantee DNS we can start with the rest as well, DomainKeys, maybe something for SSL?

Anonymous said...

While I'm at it, IPv6 would be a good way to get everyone one or more IP addresses for SSL. Having 'SSL-vhost' support would also be nice of course, but getting people to use IPv6 would also improve other things. ;-)