34

We own a primary domain:

  • businessdts.com

I didn't know if our admins had created a sub-domain I had requested, "BDASERVER.businessdts.com.", so I just tried to connect to it with a browser and got a "not found". Then I pinged that sub-domain and got an IP address that doesn't belong to us:

  • Pinging BDASERVER.businessdts.com [198.105.244.117] with 32 bytes of data
  • Our domain and all sub-domains should have an IP address of [173.203.24.209]

I had the admins check all of our DNS zones and we find no instance of the BDASERVER sub-domain, (the admins had not created it yet), nor did we find any instance of the 198.105.244.117 IP address.

Doing an IP lookup, we found that 198.105.244.117 belongs to a company called Search Guide Inc. (searchguideinc.com). They appear to be a domain broker of some kind.

Am I missing something:

  • How is this BDASERVER sub-domain resolving to a address that is not ours?
  • How does someone hijack a SUB-domain?
Glorfindel
  • 1,213
  • 3
  • 15
  • 22
CBruce
  • 465
  • 4
  • 7
  • 29
    What DNS servers are you using when you run this lookup? My lookup fails to resolve that name. This smells like NXDOMAIN hijacking to me. – joeqwerty Feb 23 '17 at 03:33
  • Our Name Servers are NS.RACKSPACE.COM and NS2.RACKSPACE.COM, @joeqwerty. When we get the BDASERVER and wildcard sub-domains set up, it looks like that will override the hijackers. The only way I found out about the issue was when I did a ping against the subdomain. – CBruce Feb 23 '17 at 18:05
  • 5
    Sorry, I should have clarified my comment. I was asking what DNS servers does your computer use for DNS resolution? Those are the name servers that are hijacking the NXDOMAIN response, not the name servers for your domain name. – joeqwerty Feb 23 '17 at 18:24

3 Answers3

63

There is no record for that subdomain:

$ dig BDASERVER.businessdts.com

; <<>> DiG 9.8.3-P1 <<>> BDASERVER.businessdts.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11871
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;BDASERVER.businessdts.com. IN  A

;; AUTHORITY SECTION:
businessdts.com.    300 IN  SOA ns.rackspace.com. hostmaster.rackspace.com. 1487794151 10800 3600 604800 300

;; Query time: 86 msec
;; SERVER: 192.168.64.1#53(192.168.64.1)
;; WHEN: Wed Feb 22 21:29:53 2017
;; MSG SIZE  rcvd: 103

It's likely that your ISP's DNS is doing what's referred to as NXDOMAIN hijacking, where they hijack NXDOMAIN DNS replies and instead of replying with a proper NXDOMAIN (as above), they give you the IP address of a "search" page, which typically gets advertisement revenue for them.

I'd talk with your ISP and ask that they stop interfering with your traffic. If they refuse, get a better ISP or use a different resolver for your traffic.

EEAA
  • 108,414
  • 18
  • 172
  • 242
  • 13
    Confirmed. [That IP address](https://ip.addr.space/198.105.244.117) is registered to Search Guide Inc, a known destination of NXDOMAIN hijacking. – Michael Hampton Feb 23 '17 at 03:38
  • And that's part of why registrars make so much from "defensive" registrations:( –  Feb 23 '17 at 03:40
  • So, if we go ahead and create the BDASERVER sub-domain in our DNS zone - will that supercede whatever the jerks are doing and work correctly for us? – CBruce Feb 23 '17 at 03:41
  • 2
    @CBruce Yep, it should. And then go and change your DNS resolver. :) – EEAA Feb 23 '17 at 03:41
  • @CBruce Well, depending on the TTL they faked into their manipulated response, it may take a while – Hagen von Eitzen Feb 23 '17 at 16:29
  • Using a different resolver sadly doesn't always stop bad ISPs from interfering. [DNSCrypt](https://dnscrypt.org/) is a good solution if the ISP is that bad. – nrolans Feb 23 '17 at 22:06
37

As the other guys here have suggested - this is a ISP norm actually. ATT does it to me as well. When the domain requested is not found, and the DNS records do not point to a default destination (you can set that up on your server that manages your DNS - more than likely you are using a standard registrar and they will manage your dns for you - just login to where you registered your domain name and click manage dns). You should add a "wildcard" redirect record. This way you will always point undefined traffic to a default webpage - or your index page of your main website. This also helps a lot if there are typos - you do not lose your traffic that way and customers or visitors are not punished by their ISP with abusive ads (I think there should be a class action against the ISPs for making ad revenue on us all - no?) Anyhow - here is a discussion on this topic you can read for more specifics. Default DNS settings

Bottom line - if you are managing your domain name and server - setup your default wildcards and you might want to also add some custom error pages to point your webserver to when someone requests a page that does not exist - add your logo and link back to your main site with a small site search script or something on it... it's so annoying to request a resource or html page from a website - even clicking on one of their links on another page on their site - and that ugly "400 Error" page comes up. So much a business can do to preserve the user experience by making sure to handle errors and keep their customers. I also recommend that you include a "REPORT BROKEN LINKS" in the modified error pages and perhaps with the default wildcard redirect landing page that can also include an automatic redirect to the index home page or other choice page if the visitor does not interact or otherwise.

I'm off topic now - but clearly - the OP needs to know a little more about what causes the ISP to be able to intercept the error... the DNS handler does not provide a useful response to the undefined subdomain requested because it is not there - so the ISP serves up a revenue generating page instead. Easy fix though!

GoZippy
  • 511
  • 3
  • 5
  • 27
    *"this is a ISP norm actually"* I suspect this depends heavily on locale. None of the ISPs I have used have done it (and if my current one started doing it, they would be hearing from me...). – user Feb 23 '17 at 10:13
  • 5
    In order to call this a "norm", this chould be a BCP or at least a *MAY* in the corresponding RFCs. I strongly doubt that. – Hagen von Eitzen Feb 23 '17 at 16:31
  • 7
    @HagenvonEitzen sadly, profit driven companies like ISPs (at least here in the US) care little about BCPs and RFCs and other standards. Thus, the real world norm can end up deviating very, very far from the published standards. – Doktor J Feb 23 '17 at 17:23
  • 4
    @DoktorJ In some sense, one might say that if they intentiously *break* RFCs, which are the loose de-facto standard of the Internet, what your service provider provides you with is not the Internet ... my 2c – Hagen von Eitzen Feb 23 '17 at 19:04
  • @HagenvonEitzen: That's a real stretch. – Lightness Races in Orbit Feb 23 '17 at 22:14
  • Well - it is at least the norm for Cox Communications, ATT and various Bell companies in the U.S. Major networks use the undefined traffic to their advantage - not dissimilar to that advice I offered above mind you - it is not the ISP's fault the host does not have wildcards configured. As a way of handling the request it serves up the page telling the user that the page is not found on the requested host - so it offers up what it thinks might help - in the form of revenue generating ads based on the url requested or other metrics the ISP thinks it can figure out... still - norm around here. – GoZippy Feb 23 '17 at 23:39
  • 6
    The ISP thinks returning fraudulent responses to DNS requests can help, but the person they think it can help is not the customer. – Jon Hanna Feb 24 '17 at 02:22
  • @GoZippy Mnd you, they interfere with DNS, so that has not the slightest to do with http content. And if those ISPs don't feel obliged to replace NXDOMAIN with their favourite alternative reply, why would you expect them to leave a positive reply from a wildcard RR as is? You might have a point when saying it's not the ISP's fault they do not use DNSSEC, though – Hagen von Eitzen Feb 25 '17 at 09:33
  • 3
    -1 because this is *not* an ISP "norm", it's bad bahaviour. And because adding DNS wildcards for this reason (or, usually, any other reason) is typically not a good idea. – Celada Feb 26 '17 at 02:45
  • 4
    @HagenvonEitzen (and @Celada): Many "norms" are often bad behaviour. In the sense used here, a norm is just something that is common. – ShreevatsaR Feb 26 '17 at 17:48
  • 1
    @Hagen Calada - geesh -1 just because you don't agree w/ a single word I used? "norm" that is abusive don't you think? OP accepted this answer. It is plainly written, not argumentative - though it does stray a little down a rabbit hole. I'd understand a -1 for that bit. Overall it answers the question and provides a resource to learn more about the matter as well as some real world advice from an expert (15+ years webhost, domain registrar, online marketing, programming). SO I will retract the "norm" but it is very common to say the least. – GoZippy Feb 27 '17 at 01:38
2

Someone points to a sub-domain, or any DNS entry for that matters, that doesn't exists by doing NXDOMAIN hijacking, which means greedy DNS owners will rewrite entries to point to ads-based pages.

There is a very simple answer to this: enable DNSSEC on your domain, which will prevent anyone from giving answer from another DNS (like your ISP).

Max Dor
  • 46
  • 2
  • 1
    This assumes the client validates DNSSEC _and_ the evil DNS server of the ISP won't be stripping DNSSEC records. A Strict-Transport-Security header with includeSubDomains may make more damage to the subdomain hijacker than adding DNSSEC. – Ángel Feb 26 '17 at 20:47
  • 1
    Full agreed - in this day and age, DNS is just plain insecure (why are we event using it...), no argument about modifying any DNS query. But stripping away DNSSEC records is a whole different level than simply hijacking a NXDOMAIN reply which ISPs might not just step to. – Max Dor Feb 26 '17 at 22:41
  • Yes this is very true. Heed this advice OP. – GoZippy Feb 27 '17 at 01:40