NNSquad - Network Neutrality Squad


[ NNSquad ] Re: More info on ISP DNS redirections


It may be worse than that. If the diversion is really through
fabricated DNS responses, applications such as email could be at
risk. V

----- Original Message -----
From: nnsquad-bounces+vint=google.com@nnsquad.org <nnsquad-bounces+vint=google.com@nnsquad.org>
To: nnsquad@nnsquad.org <nnsquad@nnsquad.org>
Cc: lauren@vortex.com <lauren@vortex.com>
Sent: Fri Mar 14 20:30:44 2008
Subject: [ NNSquad ]  More info on ISP DNS redirections

I've received a number of replies to my request for more specific 
information regarding Verizon and Time Warner (RoadRunner) DNS
redirections/diversions.

Regarding Verizon (the forwarded message below best summarizes), it
appears that while Verizon has apparently removed the redirection
(to a Yahoo Search page) opt-out for their own routers supplied to
customers, it is still possible for users with enough understanding
of their systems to set their own recursive DNS server addresses.
So, for example, those persons running their own BIND, or using
services such as OpenDNS.org, reportedly can continue to do so
without interference at this time.  However, it appears that Verizon
has purposely "raised the bar" to make it less likely that ordinary
users will choose other than the Verizon-supplied Yahoo-diversion
DNS servers.

As for Time Warner/RoadRunner, I've received additional reports
indicating that diversion (via a wildcard record) is occurring in
other areas in addition to Southern California, but also that not
all areas in Southern California are so configured currently.
Indications so far are that the official RoadRunner opt-outs do work,
and it appears that, as in the Verizon case, there is nothing
currently stopping people from running their own BIND or directing
their client systems to other DNS services.

Frankly, I find default DNS diversion, even with opt-outs and
available workarounds, to be distasteful and annoying at best, and a
clear "camel's nose under the tent" in terms of potentially taking
advantage of subscribers, especially those who are unlikely to know
how to manipulate their own DNS settings.  These cases don't rise to
the obnoxiousness level of VeriSign's infamous "Site Finder"
service, but seem to be another step toward pushing the envelope ever
farther in the wrong direction.  If ISPs wish to provide such DNS
diversion services, they should be *opt-in* only.  But we all know
why they don't do that.

--Lauren--
NNSquad Moderator

------- Forwarded Message

From: Kelly Setzer <setzer@liquidchicken.org>
To: Lauren Weinstein <lauren@vortex.com>
Subject: Re: [ NNSquad ]  DNS Interception by ISPs (was Verizon P2P discussion)
Date: Fri, 14 Mar 2008 20:45:44 -0500
References: <200803141656.m2EGuCp4003802@chrome.vortex.com>

Feel free to repost or reuse this as you see fit.

I confirmed that the opt out feature was removed with Verizon tech  
support and residential sales on March 6th.  They were unable to tell  
me when the opt out feature was removed.  I know that it was not  
working after Thanksgiving of 2007.  Previously, FIOS users had to  
modify their (Verizon supplied) router configuration to use alternate  
DNS servers that did not have the redirection feature.  Now, it is not  
possible to do that because DHCP leases are short and are not  
renewable.  In short, FIOS users *will* be assigned IP addresses in  
different subnets when their lease expires and will not be able to  
access Verizon DNS servers in another subnet.  FIOS users are required  
to accept DHCP-assigned DNS servers on the router, all of which have  
the redirection feature.

Supporting article: http://www.networkworld.com/news/2007/110907-verizon-redirects.html 
  (The timing mentioned in the article matches my observations.)

Verizon appears to have removed the FIOS-specific opt-out instructions  
from their support site.  There are three other examples remaining:

http://www22.verizon.com/ResidentialHelp/FiOSInternet/General%20Support/Getting%20Started/QuestionsOne/98552.htm

http://www22.verizon.com/ResidentialHelp/FiOSInternet/Troubleshooting/Connection%20Issues/QuestionsOne/86294.htm

http://www22.verizon.com/ResidentialHelp/FiOSInternet/Troubleshooting/Connection%20Issues/QuestionsOne/86295.htm


Based on my discussion with residential sales, the behavior is the  
same for both DSL and FIOS customers.  The only above-board solution  
is to get a statically-assigned IP address which is only available as  
part of the business class service.  Based on pricing that I received  
from Business sales on March 6th or 7th, that costs approximately $94/mo
in the DFW Texas area.  That is about twice the cost of residential  
FIOS service.  I did not ask for the price difference for DSL service.

The workaround is for FIOS/DSL customers to configure their own  
computer systems not to use their Verizon-supplied router as the local  
DNS server.  I have a local instance of bind running on my Macintosh.   
Verizon does not appear to interfere with recursive resolution.  My  
Windows laptop also uses the Mac as a resolver.  I have also tested  
using opendns.org as a DNS resolver and that works fine.


Kelly

On Mar 14, 2008, at 11:56 AM, Lauren Weinstein wrote:

> OK, we need to get to the bottom of this.  Last I heard, Verizon
> allowed subscribers to opt-out of their DNS redirection service
> through the rather cumbersome technique of manually changing
> client DNS settings.  Can we confirm that this is no longer the
> case, and that regardless of client DNS settings users' DNS requests are
> routed to Verizon's "diversion" Yahoo Search DNS servers?  If this
> is indeed true, it is unacceptable, but we need the facts.
>
> There are also reports that Time Warner has started DNS
> redirection on RoadRunner here in Southern California
> ( http://slashdot.org/article.pl?sid=08/02/26/1741253 ), though
> reportedly you can still change client DNS settings effectively, or
> can opt-out of their various "value added" DNS services (including
> what appears to be a default so-called "safe search" DNS lookup) via
> this page at the moment: http://ww23.rr.com/prefs.php .
>
> Any additional info regarding related Time Warner DNS behavior
> would also be appreciated.  Thanks.
>
> --Lauren--
> NNSquad Moderator
>
>
>> Kevin McArthur wrote:
>>> Verizon does continue to set itself apart.
>>>
>>> The statement:
>>>
>>> "Pasko stressed, however, that Verizon wants to work with P2P
>>> companies that are focusing on delivery of legitimate media, like
>>> Pando -- not systems where anyone can upload anything, which usually
>>> means lots of pirated material."
>>>
>>> does strike me as having the potential to run into neutrality concerns
>>> when the carriers begin picking winners and losers in the P2P
>>> technology competition. As we all know, Bittorrent is open-source (and
>>> as a company, focused on legitimate media) while other solutions are
>>> either closed source or subject to content controls, patents and other
>>> nonsense. I'd hate to see the carriers giving competitive advantage to
>>> one but not the other just based upon their ownership of the gateway.
>>>
>>
>> Verizon DSL and FIOS service already has one dark stain when it comes to
>> neutrality.  They have a feature called "DNS Assistant" which is
>> designed to redirect web browsers to a Verizon/Yahoo search page in the
>> event they type in a URL for which the hostname does not resolve.
>> Verizon's DNS servers will reply with the IP addresses of their own
>> search engine rather than returning a correct negative response.  Up
>> until a few months ago it was possible to opt out of the DNS Assistant
>> service; however, the opt out capability has been removed.  After
>> talking to a number of sales, internal support, technical support, and
>> engineering personnel at Verizon, it became apparent that the marketing
>> department at Verizon initiated the policy change that led to the
>> removal of the DNS Assistant opt out capability.
>>
>> The DNS Assistant service causes problems for VPN software, among other
>> things.
>>
>> The message in both the Pando P2P announcement and the "DNS Assistant"
>> change is that marketing trumps everything else.
>>
>> Kelly



------- End of Forwarded Message