Stop Comcast from DNS Hijacking Redirects

If you’re a Comcast customer and you’ve recently entered an incorrect URL or had a server time out, you’ve probably been extremely annoyed to discover you were being redirected to a page filled with Comcast ads. Comically, this obnoxious DNS redirect is named the ‘Comcast Domain Helper service’, and it was forced on you whether you wanted it or not.

Remove Comcast DNS redirect

Things you’ll need to stop Comcast from redirecting your improper URLs:

1) Your main Comcast account User ID / email address

2) Your cable modem’s MAC address

3) Visit the Comcast “Domain Helper” opt-out URL

In typical Comcast style, they altered your service without your consent, and you have to actually opt out of the DNS hijacking service. Thankfully, you can do it online. Good grief.

Posted by: William Pearson

Comments: 13

Comment from James
Time: August 10, 2009, 2:42 am

They (Comcast) are not alone in this regard. I don’t know which ISP started the DNS redirect trick but almost all ISPs are doing it now. The ads are income for them and if your competitor is making money that way then you will follow.

Two alternatives, because Opt-Out may not be enough. i.e. some Opt-Out schemes only set a cookie on your browser and if you clear cookies you are right back where you started and have to Opt-Out again. Unless you change the DNS IP Addresses on your router, you will likely have to Opt-Out over and over.

1. Switch to OpenDNS – It’s free and it works great. http://opendns.com/
2. Use Level3’s open DNS Servers 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5

I actually like the OpenDNS service because I have kids and I can filter the content by turning on the filters. (Optional). It’s also quite a bit faster than DNS thru my ISP.

If your company uses Split Tunneling HTTPS Virtual Private Networking (VPN) then this DNS redirect will wreak havoc with your ability to resolve host names, etc. even while connected to VPN. We had to turn off the split tunneling feature on our VPN because all the ISPs were breaking the DNS specifications by their hijack/redirect trick.

From Wikipedia: Several consumer ISPs such as Cablevision’s Optimum Online, Comcast, Time Warner, Rogers, and Bell Sympatico have also started the practice of DNS hijacking on non-existent domain names, for the purpose of making money by displaying advertisements. This practice violates the RFC standard for DNS (NXDOMAIN) responses, and can potentially open users to cross-site scripting attacks.

The concern with DNS hijacking has to do with this hijacking of the NXDOMAIN response. Internet applications rely on the NXDOMAIN response to describe the condition where the DNS has no entry for the specified host. If one were to query the invalid domain name (fakeexample.com), one should get a NXDOMAIN response – informing the application that the name is invalid and taking the appropriate action (for example, displaying an error). However, if the domain name is queried on one of these non-compliant ISPs, one would receive an IP address belonging to the ISP. In a Web browser, this behavior can be annoying or offensive as connections to this IP address display the Web page of the provider, sometimes with advertising, instead of a proper error message. However, other applications that rely on the NXDOMAIN error will instead try to connect to this IP address, potentially exposing sensitive information like logins.

http://www.faqs.org/rfcs/rfc2308.html
http://www.rfc-editor.org/rfc/rfc2308.txt
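
One way to check whether a resolver rewrites NXDOMAIN as the comment above describes, added here as an example and not part of the original post or its comments. The function names, the random `.com` probe name (assumed to be unregistered) and the two sample replies are constructed for illustration.

```python
import secrets
import socket
import struct

def build_query(name, txid):
    """Encode a recursive A/IN query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def _skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:    # walk plain labels
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)            # pointer = 2 bytes, root label = 1

def classify(resp, txid):
    """Return (verdict, a_records) for a reply to a probe of a nonexistent name."""
    if len(resp) < 12:
        return "other", []
    rid, flags, qd, an = struct.unpack("!4H", resp[:8])
    if rid != txid or not flags & 0x8000:          # wrong transaction, or not a response
        return "other", []
    if flags & 0x000F == 3:                        # RCODE 3 = NXDOMAIN, the compliant answer
        return "nxdomain", []
    off, ips = 12, []
    try:
        for _ in range(qd):
            off = _skip_name(resp, off) + 4        # skip QTYPE + QCLASS
        for _ in range(an):
            off = _skip_name(resp, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
            if rtype == 1 and rdlen == 4:          # A record
                ips.append(socket.inet_ntoa(resp[off + 10:off + 14]))
            off += 10 + rdlen
    except (IndexError, struct.error, OSError):    # truncated or malformed reply
        return "other", []
    return ("rewritten" if flags & 0x000F == 0 and ips else "other"), ips

def probe(resolver_ip, timeout=3.0):
    """Live check (needs network): query a random name assumed to be unregistered."""
    name, txid = secrets.token_hex(12) + ".com", secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        return name, classify(s.recvfrom(4096)[0], txid)

# Constructed replies to build_query("nx.example", 7); 192.0.2.1 is a documentation address.
_Q = build_query("nx.example", 7)[12:]
NX_REPLY = struct.pack("!6H", 7, 0x8183, 1, 0, 0, 0) + _Q
REWRITTEN_REPLY = struct.pack("!6H", 7, 0x8180, 1, 1, 0, 0) + _Q + struct.pack("!3HIH4B", 0xC00C, 1, 1, 60, 4, 192, 0, 2, 1)
```

Calling `probe()` with a resolver's address returns the probed name and the verdict; a `"rewritten"` verdict with the same address for several different random names indicates the resolver is substituting its own answer for NXDOMAIN.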

Comment from Khürt Williams
Time: August 10, 2009, 5:35 am

I am a Comcast customer. Long ago, I setup my router (Apple Time Capsule) to use OpenDNS. Best decision ever.

Comment from John Shirley
Time: August 10, 2009, 6:27 am

I’ll second the remarks on OpenDNS. Comcast has always done strange things to DNS, but when OpenDNS arrived, I jumped on it. It’s free… as in beer. There’s an OSX auto update client for it, too. Mmm… beer.

Comment from JL
Time: August 10, 2009, 10:10 am

Obviously of course, OpenDNS does DNS redirect also by default…

Comment from Nowrap
Time: August 16, 2009, 6:50 pm

Comcast does have a list of their DNS servers that DON’T use their “helper service.” http://dns.comcast.net/dns-ip-addresses.html It was given out on their blog and within a comment on a post, so it wasn’t exactly them shouting it to the rooftops.

Pingback from Random MomBlog :: Opt-out of Time-Warner/RoadRunner’s DNS Hijacking :: September :: 2009
Time: September 16, 2009, 6:23 am

[...] I am opposed to ISP DNS Hijacking for many reasons (DNS needs to be trustworthy, DNS needs to follow the RFC standard and return “Not Found” as specified especially since my browser would then tack on “.com” for me, I already pay TWRR more money for less bandwidth than most other developed nations so I resent this standards-breaking monetization), but luckily today I found the opt-out page. Thankfully it’s easier and less intrusive than Comcast’s opt-out. [...]

Comment from JXL75
Time: October 23, 2009, 6:47 am

Notify the appropriate law enforcement agency.

Comment from Alpha
Time: October 25, 2009, 7:10 pm

One thing I liked about switching to a Mac is that I could enter something like “CNN” in the Safari browser and it would infer the “.com” or “.org” part. Time saver when day trading and such. But Comcast has stolen that from me with their hijack. Even after the Comcast opt out, this functionality is GONE. I am pissed at Comcast.

Comment from Bardenboo
Time: November 12, 2009, 11:22 am

Do you get your Internet connection via Comcast? If so, beware they’ve
instituted something called ‘DNS hijacking’, which in this case means that you
will be taken to a page with junk ads if you try going to a webpage that doesn’t
exist, for example, if you type in facebookkk.com accidentally. Typically,
you’ll get “page not found” or something similar, depending on what browser
you’re using.

With the Comcast ‘hijack’, they try and get ad revenue from your typos! If you
find this irritating, and if on general principle you detest Comcast, then you
‘opt-out’. Naturally, Comcast makes opting-out a complicated process. There is
a lengthy way for a user to opt-out online. Alternatively, call customer
service. As far as I can tell, customer service has been instructed to
vigorously deny the DNS hijacking. However, I pressed the matter and insisted
the customer service agent do the work of opting-out for me.

If you call customer service, and if you get problems, ask for agent number
30649. He knows all about how to opt out. He helped me, and he will have to help
you, too.

Spread the word far and wide.

Comment from X User
Time: January 23, 2010, 1:23 pm

Well apparently someone ‘switched’ me to Open DNS without my permission!!!

How to get rid of this foul thing????????????????????

Pingback from Preventing DNS hijacking by your ISP… | Mbah.Net
Time: January 24, 2010, 12:19 pm

[...] is a link and interesting discuss on doing this if you use comcast. I’ve always found it annoying when you get redirected to a [...]

Comment from Jason
Time: January 25, 2010, 7:19 pm

Use Google DNS. It’s free and solved Comcast from bugging me.

I just set my DNS servers according to: http://code.google.com/speed/public-dns/

Beautiful.

– Jason

August 9th, 2009