Level 3 are now hijacking failed DNS requests for ad revenue on 4.2.2.x

As I was getting ready to leave the office today, I started to google for a movie to go to with my wife tonight. I’d been testing sites in chrome and firefox all day, so without thinking I typed my search term into the firefox address bar. What I got back astounded me:

Level 3 Hijack page

Yep. Instead of responding with NXDOMAIN as a good DNS resolver should, it redirected me to their ultra-spammy “search page.” I’m running debian, so the chances of there being a virus are pretty low, and some research confirmed my suspicions:

jbert@vps:~$ dig cinetopia

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> cinetopia
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14427
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cinetopia.         IN  A

;; ANSWER SECTION:
cinetopia.      10  IN  A   198.105.254.11

;; Query time: 2 msec
;; SERVER: 4.2.2.3#53(4.2.2.3)
;; WHEN: Fri Jan 24 22:11:03 2014
;; MSG SIZE  rcvd: 43

jbert@vps:~$ cat /etc/resolv.conf
nameserver 4.2.2.3

This has a few ramifications. First, I don’t blame them for wanting to monetize these servers. Everyone and their brother uses them for pings, DNS resolution, etc. — servers aren’t free and bandwidth isn’t free. So I get it. But, for one, I have no idea what else this page might or might not be doing. Is it setting third party tracking cookies? Tracking/bubbling my browser fingerprint? At the least it’s leaking, in clear text on the wire, things that I expected to be sent to an encrypted DDG search. If there were sensitive search terms or information in that query, they just dropped into Level3’s logfiles. Additionally, I have a few scripts that rely on a nonexistent domain getting an NXDOMAIN response. They’ll now break.

So, be warned. One can no longer rely on 4.2.2.x DNS for RFC-compliant responses.
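A small check for this behaviour, added here as an example and not part of the original post: it builds a raw DNS query, parses the reply, and treats NOERROR with an A record for a random unregistered name as a synthesized answer rather than the NXDOMAIN RFC 1034 calls for. The two wire samples are constructed from the dig output above; `check_resolver` does a live UDP query and is my assumption about how you would test a given resolver.

```python
import random, socket, string, struct

def build_query(name, txid=0x1234):
    # 12-byte header (RD set, QDCOUNT=1), then QNAME labels, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    # Offset just past a name; a compression pointer (top two bits set) is 2 bytes and ends the name
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += msg[off] + 1
    return off + 1

def parse_response(msg):
    # Return (RCODE, [A-record addresses]) from a raw DNS response
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, addrs = 12, []
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs

def classify(msg):
    # RFC 1034: an unregistered name gets NXDOMAIN (RCODE 3); NOERROR plus an A record means a synthesized answer
    rcode, addrs = parse_response(msg)
    if rcode == 3:
        return "ok: NXDOMAIN"
    if rcode == 0 and addrs:
        return "hijacked: synthesized A record(s) " + ", ".join(addrs)
    return "unexpected rcode %d" % rcode

def check_resolver(server, timeout=3.0):
    # Live check (assumed usage): query a random, almost certainly unregistered .com name over UDP
    name = "".join(random.choice(string.ascii_lowercase) for _ in range(24)) + ".com"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(data)

# Constructed wire samples: the 43-byte hijacked reply from the dig output above, and the
# NXDOMAIN reply (same question, RCODE 3, no answer) a compliant resolver would have sent.
QUESTION = b"\x09cinetopia\x00\x00\x01\x00\x01"
HIJACKED_SAMPLE = (b"\x38\x5b\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QUESTION
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x0a\x00\x04\xc6\x69\xfe\x0b")
NXDOMAIN_SAMPLE = b"\x38\x5b\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION
```

`classify(HIJACKED_SAMPLE)` reports the synthesized 198.105.254.11 answer while `classify(NXDOMAIN_SAMPLE)` reports a clean NXDOMAIN; `check_resolver("4.2.2.3")` runs the same classification against a live resolver.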

EDIT: On further testing, this does not appear to be happening from other locations. It’s also stopped happening from this VPS. It’s worth noting that this is not the first time I’ve noticed this, just the first time I’ve had the chance to grab some evidence and make a post about it.

EDIT 2: Looks like this isn’t the first time this has popped up. Here’s a link to a vpsboard.com thread from 11/2013 from a user who noticed the same thing: https://vpsboard.com/topic/2542-level3-public-dns-servers-search-engine-redirect/

  • wedtm

    I also use Level3 DNS and I also live in the PNW (cinetopia). This just started happening to me a few weeks ago. Perhaps it’s geographically located?

  • AnonymousMax

    Rogers has been doing this in Canada for years now...

    • Joseph McCarron

      I remember my parents’ ISP in Minnesota doing this for probably the past ten years too. I really don’t think it is all that surprising, though certainly a questionable and annoying practice.

      • Nik

        Paul Bunyan Comms?

  • fokat

    To “rely on a nonexistent domain getting an NXDOMAIN response” is kind of dangerous. Think about the new gTLDs being deployed gradually — Who would have thought that imtoo.sexy could someday become a real domain name!

    • raimue

      Think of a download link you get somewhere, but the domain is no longer registered. Now you put that URL into your download manager (i.e. not opening it in your browser). The download will work just fine, but instead of the file you wanted you only saved an HTML page showing these search results. It’s just annoying.

      • riking

        For an example of how that could actually happen, someone posts a link to a supposed linux script that will fix the issue your server’s having, so you wget the script to open it in a text editor. Oops, you’ve got HTML instead! Hahaha!

    • Sven Slootweg

      Dangerous? It’s how the protocol is supposed to work!

  • http://bsmartt13.github.com/ Bill Smartt

    Did anyone notice the ‘disable this service’ link in the top right of the screenshot?

    • Justizin

      It would be interesting to see what that leads to. OpenDNS does the same, but allows you to claim yourself as the owner of an IP address or range and disable it. It uses the same technology to provide internet filtering.

  • http://www.geeknik.com/ geeknik

    People have been using and abusing these resolvers for years, so I’m surprised it took them this long. I don’t understand people getting upset over it. If you don’t like it, set up your own resolvers, but make sure to leave them open to the internet so we can all use and abuse them. ;)

    • Matt Nordhoff

      That’s funny, but seriously, don’t do that. Running public DNS resolvers isn’t a game. Go ahead if you want to, but make damn sure you’ve secured them against amplification attacks.

      • http://www.geeknik.com/ geeknik

        Yeah, I was being facetious. I was a sys admin @ OpenDNS for a few years, I know all about running public DNS servers..

        • Matt Nordhoff

          <3

  • scott

    It’s not hijacking if the pilot decides to fly somewhere else and you haven’t paid for a ticket on this flight. Are you frustrated that a service you do not have permission to use has changed? Have you asked your Level3 account rep about it?

    • Greg

      That analogy isn’t even on the same continent, much less anywhere near the ballpark. If you try to resolve “skebfsakjdbfkasjd.com”, it should not resolve because the name has not been registered. Level3 is not cooperating with the rest of the Internet and should be punished for it.

      • scott

        One way to “punish” them is to not use their free service. This is akin to complaining that Yahoo uses too much purple... go elsewhere with your queries, set up your own resolver. Level 3 doesn’t owe you, or james, anything. Neither of you pay them for the service you’re receiving. sigh.

        • Matt Lyons

          Apparently skebfsakjdbfkasjd.com is now registered and parked…
          Do people really crawl comments for domains and park them?

          • Mike

            This is hilarious.

          • Greg

            That’s hilarious. Let’s try a few more. If this works, I’m going to start running numerous random domain generators. jdsahfkdsj98hrihf.com asdfusaudhf84g7wgiy7g.com asjfhsjdfuuwbwahahaha.com imaeedjitdomainsqwatter.com

        • trlkly

          I really wish people would stop making this fallacious argument. Just because you do something for free doesn’t mean you have carte blanche to do what you want. I could dump manure on your doorstep for free–would you not have the right to complain?

          It would be one thing if they told you what they were doing and then gave you the choice not to use them. But they don’t, as before this blog post, your only way to know about this was to enter a faulty URL. No company has the right to scrape your data without your permission, even if that service is free. In fact, rarely does the fact that money is or is not involved change whether an action is right or wrong.

          Think about this: what if it were definitely not benign? What if James was reporting that the DNS was being used to send people to phishing sites? Would that still be okay, since they aren’t charging you for it? Would you really go on about how people aren’t entitled to not be scammed? What you are owed has little to do with what is right or wrong.

          BTW, don’t forget that this is an open DNS–it does not check for passwords or IP origin or anything. It isn’t hidden behind a NAT for level3 people only. That means that anyone using level3 would be getting the same response. And they wouldn’t be using the service for free.

          • David Conrad

            That isn’t necessarily true. For all we know, it could check IP origin and only do this to people who are coming from outside level3’s network.

        • Greg

          You do not understand how ISPs or DNS work. If you are a Level3 customer, you are purchasing Internet service and DNS service from them, just as if you rent a car from Hertz, you are purchasing use of their car and the ability to see through the front windshield from them. If Hertz gives you a car that replaces what you are seeing through the front windshield with an advertisement every time you hit the brakes, they are not giving you what you paid for. Similarly, if Level3 replaces a host lookup that you make to a nonexistent domain with their own IP address, they are not providing the DNS service that you paid for.

  • Bob

    Earthlink does this as well.

  • http://blog.chris-mcgrath.com Chris McGrath

    you could always change your dns provider

  • Alex

    It is not a result of DNS hijacking that your search term went over the wire unencrypted. If you send it as a DNS request because you are not aware of the browser you are using, it is basically your fault, isn’t it? – But you are right in principle: DNS hijacking is evil!

  • RKane

    The problem we are having is that when we do an nslookup using 4.2.2.2 to one of our company web sites, it comes back right the first time, and the next time it comes up with a bogus name and 2 IP addresses for the Level3 search pages. We host our own DNS records so it works fine for us, but other people who use the Level3 DNS might not be able to get to our site if they are redirecting potential customers to their sites. It’s like if I were to put up a few public DNS servers with bogus records for msn, google, yahoo, etc…, it could cause delays getting to their sites. This action could even be considered illegal when customers are being redirected rather than receiving a proper NXDOMAIN reply as per RFC 1034 – IETF.