As I was getting ready to leave the office today, I started to google for a movie to go to with my wife tonight. I’d been testing sites in Chrome and Firefox all day, so without thinking I typed my search term into the Firefox address bar. What I got back astounded me:
Yep. Instead of responding with NXDOMAIN as a good DNS resolver should, it redirected me to their ultra-spammy “search page.” I’m running Debian, so the chances of there being a virus are pretty low, and some research confirmed my suspicions:
jbert@vps:~$ dig cinetopia

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> cinetopia
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14427
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cinetopia.            IN  A

;; ANSWER SECTION:
cinetopia.      10  IN  A   220.127.116.11

;; Query time: 2 msec
;; SERVER: 18.104.22.168#53(22.214.171.124)
;; WHEN: Fri Jan 24 22:11:03 2014
;; MSG SIZE rcvd: 43

jbert@vps:~$ cat /etc/resolv.conf
nameserver 126.96.36.199
This has a few ramifications. First, I don’t blame them for wanting to monetize these servers. Everyone and their brother uses them for pings, DNS resolution, etc. — servers aren’t free and bandwidth isn’t free. So I get it. But, for one, I have no idea what else this page might or might not be doing. Is it setting third-party tracking cookies? Tracking/bubbling my browser fingerprint? At the least it’s leaking, in clear text on the wire, things that I expected to be sent to an encrypted DDG search. If there were sensitive search terms or information in that query, they just dropped into Level3’s logfiles. Additionally, I have a few scripts that rely on a nonexistent domain getting an NXDOMAIN response. They’ll now break.
So, be warned. One can no longer rely on 4.2.2.x DNS for RFC-compliant responses.
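A small check, added here and not part of the original post, that classifies a dig reply for a name that cannot exist as either an honest NXDOMAIN or a synthesized redirect like the one above. The two sample replies are constructed after the dig output in the post, with RFC 5737 documentation addresses standing in for the real resolver and redirect IPs.

```python
import re

# Constructed samples in the shape of the dig output quoted above; the
# addresses are RFC 5737 documentation placeholders, not real resolver IPs.
HIJACKED = """; <<>> DiG 9.8.4 <<>> cinetopia
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14427
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cinetopia.            IN  A
;; ANSWER SECTION:
cinetopia.      10  IN  A   192.0.2.10
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""
HONEST = """; <<>> DiG 9.8.4 <<>> cinetopia
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31337
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;cinetopia.            IN  A
;; AUTHORITY SECTION:
.   1800  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

def parse_dig(output):
    """Pull the RCODE and any A records (TTL, address) out of dig's text output."""
    m = re.search(r"status: (\w+)", output)
    status = m.group(1) if m else "UNKNOWN"
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):        # any other section header ends the answer
            in_answer = False
        if in_answer and line.strip():
            f = line.split()              # name ttl class type rdata
            if len(f) >= 5 and f[3] == "A":
                answers.append((int(f[1]), f[4]))
    return status, answers

def classify(output):
    """Judge a reply for a name that cannot exist: honest NXDOMAIN or a redirect."""
    status, answers = parse_dig(output)
    if status == "NXDOMAIN" and not answers:
        return "nxdomain"
    if status == "NOERROR" and answers:
        # Synthesized answers usually carry a tiny TTL (10 s above) so the
        # operator can change or withdraw the redirect target quickly.
        return "redirect"
    return "unexpected"
```

The same functions work on live output from `dig @<resolver> <name>` for a label that should never resolve, which makes a handy cron check for scripts that depend on NXDOMAIN.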
EDIT: On further testing, this does not appear to be happening from other locations. It’s also stopped happening from this VPS. It’s worth noting that this is not the first time I’ve noticed this, just the first time I’ve had the chance to grab some evidence and make a post about it.
EDIT 2: Looks like this isn’t the first time this has popped up. Here’s a link to a vpsboard.com thread from 11/2013 from a user who noticed the same thing: https://vpsboard.com/topic/2542-level3-public-dns-servers-search-engine-redirect/