DNS Hijacking via Barefruit Talktalk and Others

How malicious is your ISP?

If they practise DNS hijacking then it's pretty damn messed up and should obviously be illegal. Yet for some reason there are ISPs that do this and have been getting away with it for years. Stranger still, it's apparently tolerated, by customers as well as by the law.

Today I helped a friend who couldn't connect to his server. It turned out that his ISP, TalkTalk, was returning the wrong IP address for his domain name: TalkTalk's DNS said 92.242.132.16, which is obviously not the IP we were looking for.

I helped him change his DNS settings to use resolvers that don't perform man-in-the-middle attacks on their own customers. A recent attack of the same kind, carried out by criminals rather than an ISP, was the DNSChanger malware, which pointed infected machines at rogue resolvers.

A whois lookup reveals that 92.242.132.16 is assigned to Barefruit:

inetnum:        92.242.130.0 - 92.242.132.255
netname:        BAREFRUIT-ERRORHANDLING
descr:          NU
country:        GB
org:            ORG-BL53-RIPE
admin-c:        PR42-RIPE
tech-c:         PR42-RIPE
status:         ASSIGNED PA
mnt-by:         CATALYST2-MNT
source:         RIPE # Filtered

Barefruit is a company that helps ISPs patch, and thereby break, their DNS software (BIND, djbdns, PowerDNS) so that it hijacks users' DNS queries. Their product substitutes NXDOMAIN (non-existent domain) replies with a NOERROR answer carrying an A record that points at an IP address hosting spam (unsolicited advertising). The client never learns that the name does not exist; it simply connects to Barefruit's machine.

This is what Barefruit claims (source: their website): "Using Barefruit for DNS and HTTP error resolution improves the user experience for the vast majority of Internet users by suggesting relevant alternatives as opposed to serving unintelligible error messages."

So Barefruit thinks that "Server not found" or "This webpage is not available" is unintelligible. If a person does not understand "This webpage is not available", how could they understand any other web page that contains words? Or worse, how could they even understand that they mistyped the website's URL?

Their goal is of course good old user monetisation: even error pages can generate revenue. They show no shame at all, writing:

Barefruit has spent the past five years building strong and mutually beneficial relationships with our best-of-breed advertising partners, working together to provide useful results to our customers and generating the maximum revenue from ISPs' error pages.

I must point out that these pages are not "ISPs' error pages", they are users' error pages.

Barefruit has a page on "Opt Out" which is even more ridiculous. Barefruit recognises that some people, "mainly technically savvy advanced users", may wish to opt out of this service. Besides the fact that it should be opt-in if anything, actually typing an address into the address bar has itself become something that "mainly technically savvy advanced users" do. But mostly, how many people even understand the implications of this? Every user who understands what's going on would want to opt out. These ISPs are undoubtedly taking advantage of their customers' ignorance.

The damage goes further. Not all services are HTTP-based, so when you try to connect to a non-web server (SSH, for example) you don't even see the advert page: the connection silently goes to the wrong machine. That makes it harder to work out why your application is failing, and worse, whatever traffic you send towards the host you meant to reach ends up at Barefruit's servers instead (whether they keep it or drop it, they are technically intercepting it).

There is absolutely no good reason to accept this, unless you think it's a good idea for a phone company to redirect customers to a cold caller whenever they misdial a number. It's exactly the same thing.

[Figure: TalkTalk and Barefruit hijacking DNS; the redirect sends users to their own web servers]

It's not just TalkTalk: there are many more, including Virgin Media, which a friend of mine showed me does the same thing. I haven't (yet) found a full list of ISPs that hijack their clients' DNS and redirect traffic to their own servers.

Some might react by switching to a third-party DNS service. Why not, but beware: most of them do the same thing, including OpenDNS, DNS Advantage, Norton DNS and probably others. Google Public DNS does not hijack NXDOMAIN so far; I believe they are smart enough not to, and are satisfied with the data they gather.

You can test whether your ISP does this by trying to visit a domain that clearly does not exist, or by querying one with dig and looking at the status in the reply.

Example using DNS Advantage:

manu@computer$ dig respect-mah-internetz.1 @156.154.70.1

; <<>> DiG 9.8.1-P1 <<>> respect-mah-internetz.1 @156.154.70.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42094
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;respect-mah-internetz.1.       IN      A

;; ANSWER SECTION:
respect-mah-internetz.1. 600    IN      A       92.242.144.2

;; Query time: 160 msec
;; SERVER: 156.154.70.1#53(156.154.70.1)
;; WHEN: Fri Oct 19 22:20:05 2012
;; MSG SIZE  rcvd: 80

As you can see, we get status: NOERROR where we should have status: NXDOMAIN, and the IP 92.242.144.2 belongs to Barefruit again. Others such as OpenDNS and Norton use their own IPs.

These DNS servers are so desperate they'll resolve anything that has a dot in it: the name queried above ends in ".1", which isn't even a real top-level domain, and they still answered with an A record.
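The behaviour shown in the dig output (an NXDOMAIN turned into NOERROR plus an A record) can be checked mechanically rather than by eye. The script below is an added example, not code from this post or from Barefruit: it builds the same A query dig sends, parses the raw DNS reply, and classifies it as honest (NXDOMAIN), hijacked, or hijacked to Barefruit using the address ranges from the whois record and dig output above. It also implements the comparison suggested in the comments further down, where the ISP resolver's answer is checked against the TLD server's own NXDOMAIN. The two sample packets are constructed inline so everything runs offline; probe() sends a real query to any resolver you name (for instance the 156.154.70.1 DNS Advantage address from the page). The random label nx-<hex>.example and the file name nxcheck.py are my assumptions.

```python
import ipaddress
import os
import socket
import struct

# Address space the post ties to Barefruit: the RIPE inetnum 92.242.130.0 -
# 92.242.132.255 (BAREFRUIT-ERRORHANDLING) plus the 92.242.144.2 seen in the dig output.
BAREFRUIT_NETS = [ipaddress.ip_network(n) for n in
                  ("92.242.130.0/23", "92.242.132.0/24", "92.242.144.2/32")]
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A = 1

def encode_name(name):
    """Dotted name -> DNS label sequence."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels) + b"\x00"

def build_query(name, qid=0x1234):
    """Standard recursive A query (flags RD=1), the packet dig sends."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, 1)

def build_response(query, rcode, a_records=(), ttl=600):
    """Fabricate a reply to `query`; used here only to build offline samples."""
    qid, _, qd = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, qd, len(a_records), 0, 0)
    body = query[12:]  # echoed question; its name sits at offset 12 (pointer 0xC00C)
    for ip in a_records:
        body += struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + body

def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], 0, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, resume after its 2 bytes
            if not jumped:
                end, jumped = offset + 2, True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        else:
            labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length

def parse_response(data):
    """Return id, rcode name and answer RRs (A rdata rendered as a dotted quad)."""
    qid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    offset, answers = 12, []
    for _ in range(qd):  # skip the question section (name + qtype + qclass)
        offset = read_name(data, offset)[1] + 4
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        rdata = data[offset + 10:offset + 10 + rdlen]
        offset += 10 + rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": answers}

def classify(response):
    """Label what a resolver did with a name that must not exist."""
    parsed = parse_response(response)
    ips = [ipaddress.ip_address(r[3]) for r in parsed["answers"] if r[1] == TYPE_A]
    if parsed["rcode"] == "NXDOMAIN":
        return "honest"
    if parsed["rcode"] == "NOERROR" and ips:
        barefruit = any(ip in net for ip in ips for net in BAREFRUIT_NETS)
        return "hijacked:barefruit" if barefruit else "hijacked"
    return "unexpected:" + parsed["rcode"]

def substituted(recursive_resp, authoritative_resp):
    """The comment-thread check: the authority says NXDOMAIN, the resolver says NOERROR + A."""
    return (parse_response(authoritative_resp)["rcode"] == "NXDOMAIN"
            and classify(recursive_resp).startswith("hijacked"))

def probe(resolver_ip, name=None, timeout=3.0):
    """Live UDP query (needs network). A random label guarantees the name does
    not exist, so any A record in the reply was synthesized by the resolver."""
    name = name or "nx-%s.example" % os.urandom(4).hex()  # assumed probe label
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver_ip, 53))
        data = s.recv(4096)
    if parse_response(data)["id"] != qid:
        raise ValueError("transaction id mismatch")
    return name, classify(data), parse_response(data)["answers"]

# Constructed offline samples for the name from the dig output above: what an
# honest resolver (or the TLD server) answers, and what DNS Advantage answered.
NAME = "respect-mah-internetz.1"
QUERY = build_query(NAME)
HONEST = build_response(QUERY, 3)
SYNTHESIZED = build_response(QUERY, 0, ["92.242.144.2"])
```

Run it offline with classify(HONEST) and classify(SYNTHESIZED), or against real resolvers with something like `python3 -c 'import nxcheck; print(nxcheck.probe("156.154.70.1"))'`. A resolver reported as "honest" returns NXDOMAIN; one reported as "hijacked" answered NOERROR with an address for a name that cannot exist, which is exactly what the dig output above shows. Note that probe() uses a fresh random label each time so a cached answer can never mask the substitution.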

The only case in which this is acceptable is when a user explicitly chooses to use such a service and understands the implications. There may be some interesting positive uses, but certainly not without your consent.

They say you can "opt out" of these services, but here's the thing: DNS is such an important part of the Internet that tampering with it is exactly the opposite of what we should be doing. It opens the door to phishing, censorship and other malicious activities. Altering the content of communications is probably very illegal, and this is exactly that.

comments:

Andrew

My ISP has recently started to do some dodgy stuff with non-existent domains. For example, when I do an nslookup for a domain which doesn't exist, I get redirected to their Google mirror:

nslookup thisisadomainwhichdoesntexist.com
Server:         10.0.0.1
Address:        10.0.0.1#53

Non-authoritative answer:
Name:   thisisadomainwhichdoesntexist.com
Address: 202.76.170.228

I don't run JavaScript so it redirects me to a blank Google page. There is no opt-out, sadly.

Doing a bit of research, and I found this:
http://forums.whirlpool.net.au/archive/1975511

My ISP is apparently aware of what they are doing, but clearly don't care. Not a happy customer...

Andrew

^ Apologies for the additional whitespace in my last post, that wasn't meant to happen.

manu - http://manurevah.com

Hey Andrew, no problems. The extra whitespace in the code tag is my fault, I'll need to fix that some day, in the meantime I cleaned it up manually.

Thanks for your comment, I have to run but will most certainly checkout your link and further comment later.

manu - http://manurevah.com

I checked out your link (not without difficulty), some people mention that they don't just do this for A records. So far I've tested with OpenDNS, DNS Advantage and Norton, they all give proper NXDOMAIN errors when I query for an MX record except for Norton which returns no result yet claims the status is "NOERROR".

My ISP doesn't do this so I can only test this using publicly accessible 3rd party servers.

Andrew, if you have the time and courage you should file a complaint with your ISP stating that they are tampering with your data communications and/or impersonating TLD servers.

Meaning, when you ask for domain-that-really-doesnt-exist.com, the .com server replies "Doesn't exist, status: NXDOMAIN"; at this point Eftel's resolvers (your ISP), which act as cache/relay servers, alter the information.

You can confirm this by asking the .com servers yourself for this info:

This:

dig domain-that-really-doesnt-exist.com @h.gtld-servers.net.

should return "NXDOMAIN" and the query should stop there. What your ISP does is substitute that with their own result.

Andrew

Thanks for that info Manu. I got NXDOMAINs for both of those, so Eftel is certainly modifying those responses.

I'll complain and see how far I can get...

Raleigh D. Stout

Hey guys, thanks for the interesting discussion on DNS hijacking. I have been looking into DNS issues lately as I am using a hosts file and vet my entries by using nslookups and now I am more skeptical of the results. I noticed a lot of my results skewing to Barefruit Ltd which led me to here.

R

Daniel

I know this is an old post, I apologize.

I'm currently with TalkTalk and I just found this blog. I was shocked when I heard about my ISP doing that, although after a quick search I found a way of opting out of the TT redirect for anyone who has TalkTalk: https://www.talktalk.co.uk/optout/index.php

S7eele

I can't believe I just found this. I didn't understand the implication of the new page Cox is sending me to if I enter a bad url but started noticing some sketchy (dodgy was already used:) things going on with my DNS. Glad the information was here, now I will go dig deeper into the issue to make sure I cannot be hijacked. Finally time for a VPN I suppose.