
Why is Embarq hijacking my DNS?


Isn’t this the same thing that happened a few years ago with ICANN or Verisign or one of those big names? (strangely, I can’t find relevant search results about this!).

I clicked on my toolbar shortcut for Toggl and my Embarq DSL service redirected me to a search-results page instead of telling my browser the truth. This makes me mad. The core layers of the Internet are designed the way they are for a reason and I don’t want to “opt out” of a stupid DNS hijacking stunt I never opted into.

Here’s a screenshot of what happens when I type in any old non-existent (or, in Toggl’s case, timing-out) domain name.

[Screenshot: Embarq screwing with my DNS]

And here’s what happens when I do a DNS lookup:

baron@kanga:~$ dig www.toggl.com

; <<>> DiG 9.4.1-P1 <<>> www.toggl.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27795
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.toggl.com.                 IN      A

;; ANSWER SECTION:
www.toggl.com.          22      IN      A       66.199.249.106

;; Query time: 72 msec
;; SERVER: 208.33.159.39#53(208.33.159.39)
;; WHEN: Fri Nov 23 15:50:14 2007
;; MSG SIZE  rcvd: 47

baron@kanga:~$ ping www.toggl.com
PING www.toggl.com (66.199.249.106) 56(84) bytes of data.
64 bytes from 66-199-249-106.reverse.ezzi.net (66.199.249.106): icmp_seq=1 ttl=53 time=79.2 ms
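The check that makes the behaviour in the lookup above unambiguous is to ask the resolver for a random name that cannot exist: an honest resolver answers NXDOMAIN, a wildcarding one answers NOERROR with an A record pointing at its own server. This is an added example, not code from the original post: a minimal wire-format DNS builder and parser that classifies a reply, with constructed sample replies (192.0.2.10 is a placeholder address, and the resolver and probe name are whatever the caller supplies).

```python
import random
import socket
import string
import struct

def encode_name(name):
    # Wire-format name: length-prefixed labels terminated by a zero byte.
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qid=0x1234):
    # Header (id, flags with RD set, qdcount=1) + one question for an A record.
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack(">HH", 1, 1)

def build_response(qname, rcode, ips=(), qid=0x1234):
    # Constructed reply for testing: QR|RD|RA flags plus the given RCODE, one A
    # record per ip, owner name given as a compression pointer to offset 12.
    flags = 0x8180 | rcode
    msg = struct.pack(">HHHHHH", qid, flags, 1, len(ips), 0, 0)
    msg += encode_name(qname) + struct.pack(">HH", 1, 1)
    for ip in ips:
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 22, 4) + socket.inet_aton(ip)
    return msg

def skip_name(msg, off):
    # Advance past a name, whether written out or ended by a compression pointer.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def classify(resp):
    # Returns ("nxdomain"|"wildcarded"|"other", [A-record IPs]) for one reply.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    rcode, off, ips = flags & 0xF, 12, []
    for _ in range(qd):
        off = skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    if rcode == 3:
        return "nxdomain", ips
    if rcode == 0 and ips:
        return "wildcarded", ips                # NOERROR + A record for a name that cannot exist
    return "other", ips

def random_nonexistent_name(tld="com"):
    # 20 random letters under a real TLD: a name nobody has registered.
    return "".join(random.choice(string.ascii_lowercase) for _ in range(20)) + "." + tld

def probe(server, qname, timeout=2.0):
    # Live check against a resolver (UDP/53); not exercised by the offline test.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (server, 53))
        return classify(sock.recv(512))
    except socket.timeout:
        return "unreachable", []
    finally:
        sock.close()
```

Run `probe("<your resolver>", random_nonexistent_name())` a few times; consistent "wildcarded" results with the same IP are the signature of an ISP rewriting NXDOMAIN.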

Did I mention that this makes me mad? Time to get on the phone.

PS: it looks like Verizon is doing it too.

Written by Xaprb

November 23rd, 2007 at 5:04 pm


14 Responses to 'Why is Embarq hijacking my DNS?'


  1. Well, much like Verisign I’m guessing they’re doing it for the ad revenue.

    Wiki has a good read on the original Verisign site finder.

    http://en.wikipedia.org/wiki/Site_Finder

    William Newton

    26 Nov 07 at 11:26 am

  2. Earthlink is doing it too – AND they are sending a personal ID traceable to each of their users (me too) to this site. yesterday they blocked access to alternative DNS name servers listed on DNSserverlis.org.
    There are numerous articles on this, including two on their own defunct Earthlink blog site – this started August 2006. Now it (DNS wildcarding) has just gotten worse.
    See
    http://blogs.earthlink.net/2006/08/handling_dead_domains_1.php
    http://blogs.earthlink.net/2006/09/update_on_dead_domain_handling_1.php
    Earthlink technical support feigns complete ignorance and is telling me that it has always been this way – they are lying through their teeth.

    Bas V

    7 Jan 08 at 2:37 am

  3. Yeah, I saw that too. I love how they repeat that their goal is to improve the user experience while generating more revenue. I think the real goal is to generate more revenue in a way they think they can just barely get away with.

    More on Embarq’s antics: the “opt-out” is cookie-based. It doesn’t turn off the behavior for my DSL connection, as they imply.

    I’ve about had it with Embarq, not only for this reason but also because their DSL performance frequently sucks. I think I’m going to just cancel their service and use Blue Ridge Internetworks, a local, friendly company whose staff I know. As one of their people wrote to me, they have their own, non-altering DNS servers. I’m only putting it off because I’m writing a book and I don’t want to touch anything until it’s done.

    Xaprb

    7 Jan 08 at 9:10 am

  4. Splithorizon

    29 Jan 08 at 2:10 am

  5. Here’s the response I got from Embarq:

    There is no way to permanently disable the search redirect short of hard coding your DNS servers to those such as the servers from opendns.com. The Opt Out is stored in a cookie, so when your cookies are cleared, you are no longer opted-out.

    Is it just my imagination, or does DNS not work that way? When I request http://kq278vb9bv5.com/, my browser sends a DNS request to the router, which queries Embarq’s DNS tables. Embarq sends back a spoofed IP that points to one of their servers. Only then would my browser send a cookie, as part of the GET request. So, it’s quite impossible for the opt-out to be cookie-based.

    Tim McCormack

    30 Jan 08 at 7:09 pm

  6. We can actually provide that to you just fine, without relying on cookies. Just set up a free account (with dynamic IP support if yours is dynamic) and email our support group for the next steps.

    Tell ‘em I sent you. :-)

    -David (from OpenDNS)

    David Ulevitch

    31 Jan 08 at 6:20 pm

  7. @David: Splithorizon mentioned OpenDNS above. I’m using it on my laptop for now, but I’d like to see the ISP stop this practice altogether, I see the spoofing as a first step towards more invasive practices.

    We can actually provide that to you just fine, without relying on cookies.

    As I noted above, it would be extremely impressive for someone to rely on cookies, given that it seems somewhat impossible.

    Tim McCormack

    31 Jan 08 at 9:28 pm

  8. What OpenDNS is not telling you is that they do EXACTLY the same thing–they will redirect dead domains and typos to their revenue-generating page!

    So you cannot look to OpenDNS to fix this hijacking problem! It gets you no benefit–except you’re then transmitting your data through ANOTHER company with its own set of privacy policies and corporate partnerships.

    Kelly

    25 Apr 08 at 8:54 pm

  9. @Kelly: Actually, OpenDNS is very clear on this — but they allow you to turn it off completely, unlike Embarq.

    Tim McCormack

    25 Apr 08 at 9:21 pm

  10. It has happened to me too!

    I went to look on Google and somehow the OpenDNS marketing machine has gotten to nearly everyone.

    This violates legislation in the United States. They essentially hacked into my conversation with DNS and hit me with a ‘man-in-the-middle’ attack. This stopped me dead in my tracks while I was recovering a server from backup, upgrading a machine and commissioning a new server on my network here. I was not sure what was wrong at first. I happened to be testing uploads on the Internet with a client as well as all the other stuff. Even now I am not sure who is responsible. There are four devices between me and OpenDNS and four or more other companies involved. Who is the culprit? I still do not know.

    This is beyond wrong. I have the option of simply setting DNS to my own DNS servers. That is what I will be doing, pronto. However, that only helps me work around something evil. It does not remove that evil.

    People do this stuff because the law does not stop them and they make a net profit. That’s what drives SPAM, of which this DNS hijacking is just another lame variant. They KNOW beyond a shadow of a doubt that they are doing a bad thing. They will never be stopped unless they are financially punished.

    I am easy to find on the Internet by my name. If you are starting a class-action suit against these guys, count me in. I have lost a bunch of time on this and that takes the bread off of my table.

    DaN S

    8 Jul 08 at 2:54 pm

  11. I still don’t know what the answer is to this problem… does Embarq provide an alternative DNS? The current solution does not work. You have to re-opt out every other day.

    trashy mail

    20 Aug 08 at 3:17 am

  12. I have been affected by this illicit process as well. I would be all in for a class action suit. We pay for these services and also many of us, as I do, pay for address blocks. It is my thinking that (within reason) I should be able to use these addresses functionally?
    I discovered that Embarq substitutes my PTR records with their own. This is almost like identity theft?

    Robert

    5 Sep 08 at 2:40 pm

  13. My only options are Embarq or Cox and Embarq is faster and less expensive. I’ll have to deal with using Embarq with OpenDNS until there’s another alternative.

    and I don’t love SQL but I guess I have to type the required word anyway. I do love mySQL the open source alternative.

    Stan

    5 Aug 09 at 11:48 pm

  14. I know the thread took off quite some time ago, but in the case that anybody like me is reading them to the end I have my sad words to enter.

    In regards to Sprint/Embarq/Centurylink hijacking your PTR records, not really, they never gave them up to you in the first place. I’ve had this issue myself, but knew the proper way to get this done was by following the hierarchy set out by IANA. This led me to looking through SOA and TXT records until I found the IP services department of Sprint and an e-mail address. Upon sending an e-mail inquiry, I was told that even business DSL circuits cannot have their PTR records changed to the users’ needs, even with the $20/month I was paying for a block of 8 statics.

    The reasoning I will assume that is behind this is that in the Terms of Service for DSL, I do not really own the IP addresses and even if I rent static addresses they are not guaranteed to be for me forever. I once had a day of discovery about all of this when my internet service did all of a sudden stop working. When I called into Sprint they told me they had reassigned my block to another area and provisioned by 8 different ones (thanks for the forewarning ****ers).

    Back to IP services’ response though, they said they only adjusted PTR records for circuit users (I’ll assume they dumbed it down for me because they thought I wouldn’t know what a T carrier/Frame Relay… would be) and they didn’t even give me switched (i.e. circuit switched) so they over dumbed it down to where I could make no sense of it, other than to assume.

    Anyway… that’s my have of it. In general, you have to be paying 10x as much as your neighbor for less bandwidth to get these fun services. God knows I would have set up my own SMTP server and so on if only I could have gotten a reduced rate on what a T-carrier package entails while in high school.

    Dru

    27 Aug 10 at 7:50 pm
