Hacker Codex   Linux servers · Python development · MacOS tinkering

How to Stop Your ISP from Hijacking Your DNS Servers

Remember when Internet service providers began redirecting requests for non-existent domains to their own ad-filled pages? Turns out they’ve upped their game. Even if you’ve switched your DNS settings away from the servers provided by your ISP, some ISPs have still figured out a way to hijack the NXDOMAIN response. This quick tutorial shows how to put a stop to their latest shenanigans.

Back in 2009, many folks noticed that if they mistyped a web address and tried to visit a non-existent domain, instead of seeing the usual “Server not found” error message, they instead were served an ISP-branded search page filled with ads. This insidious new trend on the part of Comcast and other Internet service providers redirects requests for unresponsive servers and non-existent domains to their own ISP-branded, ad-laden search pages. These ISPs claim that users can opt out of the hijacking, but you’d have to perform the opt-out procedure on every browser and computer in your house, and even then the opt-out expires after a while, forcing you to hassle with it all over again each time the opt-out period expires. Understandably outraged, many customers of these ISPs responded by changing their DNS servers away from their ISP, instead using alternative domain name resolution servers provided by Google. Not only does this restore proper network behavior and eliminate the sleazy advertising, but utilizing alternate DNS servers also often provides faster browsing performance due to faster DNS lookups.

It turns out, however, that ditching your ISP’s DNS servers may not be enough. Recently, the same ISP DNS hijacking shenanigans have been observed even when DNS settings are explicitly configured to use non-ISP servers such as Google’s. (In fact, all tests below were performed with DNS servers set to 8.8.8.8 and 8.8.4.4.) How can you tell whether your ISP is interfering with your DNS? Easy:

$ ping nonexistentdomain.tld
PING nonexistentdomain.tld (184.106.15.239): 56 data bytes
64 bytes from 184.106.15.239: icmp_seq=0 ttl=236 time=1200.926 ms
64 bytes from 184.106.15.239: icmp_seq=1 ttl=236 time=71.050 ms
64 bytes from 184.106.15.239: icmp_seq=2 ttl=236 time=72.768 ms
[...]

Whoa, wait a minute. How is a non-existent server responding to pings, you ask? It isn’t. Your ISP is responding instead via a fake IP address. Lovely. Thanks for the value-added service, Time Warner! Sarcasm aside, at least now we know the primary IP address (184.106.15.239) that Time Warner is using to help break the Internet. Let’s find out if there are any other IP addresses we should know about:

$ nslookup nonexistentdomain.tld
Server:     192.168.1.1
Address:    192.168.1.1#53

Non-authoritative answer:
Name:   nonexistentdomain.tld
Address: 184.106.15.239
Name:   nonexistentdomain.tld
Address: 204.232.137.207

Great — we’ve just discovered another bogus IP address: 204.232.137.207. So what do we do with these two IP addresses?



If you have a router running DD-WRT or Tomato, then you are in luck, because most likely you’ll have a tool called Dnsmasq at your disposal. Assuming you have DD-WRT running on your router, the following configuration steps should make short work of the offending IP addresses and the meddling they represent:

  1. Visit your DD-WRT’s configuration page, often at http://192.168.1.1/
  2. Navigate to Services > Services > DNSMasq and make sure the “DNSMasq” radio button is enabled.
  3. Insert the following into the “Additional DNSMasq Options” textarea field:

(Be sure to replace the IP addresses with the offending digits proferred by your ISP.)

bogus-nxdomain=184.106.15.239
bogus-nxdomain=204.232.137.207

Last but not least, click the “Apply Settings” button at bottom. With the router configuration completed, let’s see if we notice any change in network behavior:

$ ping nonexistentdomain.tld
ping: cannot resolve nonexistentdomain.tld: Unknown host

$ nslookup nonexistentdomain.tld
Server:     192.168.1.1
Address:    192.168.1.1#53

** server cannot find nonexistentdomain.tld: NXDOMAIN

Success! That’s what’s supposed to happen when you query a domain that has no associated IP address. We have, once again, thwarted Big Telecom from breaking the Internet.

So what do you do if you don’t have Dnsmasq running on your router and can’t easily flash your router with DD-WRT or Tomato in order to get it? Most likely you’ll have to manually install and configure Dnsmasq on your computer, the details of which are well beyond the scope of this article. Aside from the added setup complexity, installing Dnsmasq on an individual computer won’t solve the problem for other computers you may have on your network. So this is really a problem that is best solved at the router level. If you don’t have the technical wherewithal to flash your router with DD-WRT or Tomato, Buffalo Technology makes a line of routers that come with DD-WRT pre-installed: (aff links)

Hopefully your ISP is a better net citizen than Comcast or Time Warner, but if not, now you have the tools to fight back. Tell us about your personal experiences: have you encountered this problem? If so, how did you solve it?