DNS Hijacking via Barefruit Talktalk and Others

How malicious is your ISP?

If they practice DNS hijacking then it's pretty damn messed up and should obviously be illegal. Yet for some reason there are ISPs that do this and have been getting away with this for years. Even stranger is that it's apparently tolerated, by clients as well as law.

Today I helped a friend who couldn't connect to his server. It turned out that the issue was that his ISP, TalkTalk, was returning the wrong IP address for his domain name! TalkTalk's DNS said 92.242.132.16, which is obviously not the IP we were looking for.

I helped him change his DNS settings to use domain name resolvers that don't commit man-in-the-middle attacks. A recent similar attack on users was caused by the DNSChanger virus.

A 'whois' reveals the IP 92.242.132.16 is assigned to Barefruit.

    inetnum:  92.242.130.0 - 92.242.132.255
    netname:  BAREFRUIT-ERRORHANDLING
    descr:    NU
    country:  GB
    org:      ORG-BL53-RIPE
    admin-c:  PR42-RIPE
    tech-c:   PR42-RIPE
    status:   ASSIGNED PA
    mnt-by:   CATALYST2-MNT
    source:   RIPE # Filtered

Barefruit is a company that helps ISPs patch and break their DNS software (BIND, djbdns, PowerDNS) to make sure they hijack users' DNS queries. Their solution substitutes NXDOMAIN (non-existent domain) replies with A records pointing to an IP that hosts spam (unsolicited advertising).

This is what Barefruit claims (source, their website): "Using Barefruit for DNS and HTTP error resolution improves the user experience for the vast majority of Internet users by suggesting relevant alternatives as opposed to serving unintelligible error messages."

Because Barefruit thinks that "Server not found" or "This webpage is not available" is unintelligible... If a person does not understand "This webpage is not available", how could they understand any other web page that contains words? Or worse, how can they even understand that they mistyped the website's URL?

Their goal of course is good old user monetisation. Even error pages can generate revenue. They demonstrate having no shame as they write:

"Barefruit has spent the past five years building strong and mutually beneficial relationships with our best-of-breed advertising partners, working together to provide useful results to our customers and generating the maximum revenue from ISPs' error pages."

I must point out that these pages are not "ISPs' error pages", they are "users' error pages".

Barefruit has a page on "Opt Out" which is even more ridiculous: "Barefruit recognises that some people - mainly technically savvy advanced users, may wish to opt-out of this service." Besides the fact that it should be "Opt In" if anything, actually using the address bar has become something that only "mainly technically savvy advanced users" ever do. But mostly, how many people even understand the implications of this? Every user who understands what's going on should want to opt out. These ISPs are undoubtedly taking advantage of their customers' ignorance.

The damage list goes on. Not all services are HTTP based, so when you try to connect to a non-web server you don't even see the advert/spam pages. This can make it more difficult to figure out why your application might be failing. Even worse, all the traffic you were trying to send to the server you wanted to reach is delivered to Barefruit instead (they can take it or leave it, but they are technically intercepting it).

There is absolutely no good reason to accept this, unless you think it's a good idea for a phone company to redirect their customers to a cold caller when they misdial a phone number. It's exactly the same thing.

TalkTalk and Barefruit hijacking redirect users to their own web servers

It's not just TalkTalk who's doing this; there are many, many more, including Virgin Media. In fact I haven't (yet) found a full list of ISPs who hijack their clients' DNS and redirect traffic to their own servers. A friend of mine showed me that Virgin Media also does this.

Some might react by thinking of using 3rd party DNS. Why not, but beware: most of them do the same thing, like OpenDNS, DNS Advantage, Norton DNS and probably others. Google DNS does not hijack DNS so far; I believe they are smart enough to not do that and be satisfied with the data they gather.

You can test if your ISP does this by trying to visit a domain that clearly does not exist, like this link for example. You could also just use dig to query the resolver directly.

Example using DNS Advantage:

    manu@computer$ dig respect-mah-internetz.1 @156.154.70.1

    ; <<>> DiG 9.8.1-P1 <<>> respect-mah-internetz.1 @156.154.70.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42094
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;respect-mah-internetz.1.       IN      A

    ;; ANSWER SECTION:
    respect-mah-internetz.1. 600    IN      A       92.242.144.2

    ;; Query time: 160 msec
    ;; SERVER: 156.154.70.1#53(156.154.70.1)
    ;; WHEN: Fri Oct 19 22:20:05 2012
    ;; MSG SIZE rcvd: 80

As you can see, we get a status: NOERROR where we should have status: NXDOMAIN, and the IP 92.242.144.2 belongs to Barefruit again. Others such as OpenDNS and Norton use their own IPs.
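The dig check above can be scripted so it runs against any resolver. The following is an added example, not code from the original post: it sends an A query for a random name and reports whether the reply is an honest NXDOMAIN or a rewritten NOERROR with an A record. The function names are hypothetical, the random `.com` label is assumed to be unregistered, and the two sample replies are constructed from the values in the dig output rather than captured.

```python
import secrets, socket, struct

def build_query(name, qid):
    """Encode a recursive A/IN query for `name` (RD flag set)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!2H", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_response(msg):
    """Return (rcode, IPv4 addresses from A records in the answer section)."""
    _, flags, qdcount, ancount = struct.unpack("!4H", msg[:8])
    off, addrs = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def classify(msg):
    """'nxdomain' is the honest answer; 'rewritten' is NOERROR carrying an A record."""
    rcode, addrs = parse_response(msg)
    verdict = "nxdomain" if rcode == 3 else "rewritten" if rcode == 0 and addrs else "inconclusive"
    return verdict, addrs

def probe(resolver, timeout=3.0):
    """Query `resolver` for a random name that should not exist; classify the reply."""
    name, qid = secrets.token_hex(12) + ".com", secrets.randbits(16)  # assumed-unregistered name
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        msg, _ = s.recvfrom(4096)
    ok = len(msg) >= 12 and struct.unpack("!H", msg[:2])[0] == qid   # reply must match our query id
    return (name, *classify(msg)) if ok else (name, "inconclusive", [])

# Constructed replies modelled on the dig output above (not captured traffic).
QUESTION = build_query("respect-mah-internetz.1", 42094)[12:]
SAMPLE_NXDOMAIN = struct.pack("!6H", 42094, 0x8183, 1, 0, 0, 0) + QUESTION
SAMPLE_REWRITTEN = (struct.pack("!6H", 42094, 0x8180, 1, 1, 0, 0) + QUESTION + b"\xc0\x0c"
                    + struct.pack("!HHIH", 1, 1, 600, 4) + socket.inet_aton("92.242.144.2"))
```

Calling `probe()` with your resolver's address a few times and comparing the returned addresses against a whois lookup shows who is answering for names that do not exist.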

These DNS servers are so desperate they'll resolve anything that has a dot.

The only case in which this is acceptable is when a user explicitly chooses to use such a service and understands the implications. There may be some interesting positive uses, but certainly not when it is done without your consent.

You can "opt-out" of these services, they say, but here's the thing: DNS is such an important aspect of the Internet that messing with it is exactly the opposite of what we should be doing. It can lead to phishing, censorship and other malicious activities. Altering the content of communications is probably very illegal, and this is that.