How is my ISP DNS hijacking AFTER all these precautions?

2

In IE9, when I search for anything, my ISP hijacks Google search and I get this result. [Image: IE9 search ISP hijacked]

To add complication to this, I've already changed the default DNS servers (OpenDNS) months ago. This only happens in IE9, even after machine reboots and cache flushing. [Image: ipconfig info]

I even have my router (dd-wrt) intercepting all requests for DNS and I am still getting this result.

I have all extensions disabled and there are no toolbars. This is IE9 from M$. This is not malware; it happens on all machines with IE installed (even IE7/8).

user100059

Posted 2011-11-16T12:21:18.647

Reputation:

1 Is this a vanilla IE9 or was it supplied by your ISP? – ChrisF – 2011-11-16T12:24:46.910

Do the intercepts work on dd-wrt too? Try installing for example Links and see if it works on the router. Also try some https sites, like https://duckduckgo.com/ – AndrejaKo – 2011-11-16T12:28:06.217

1 No wonder he can hijack it, because he's your Internet provider, so all your packets going out from your LAN pass through him. He can replace all your packets and reroute as he wishes. Are you sure this is not malware actually? – m0skit0 – 2011-11-16T13:00:40.267

Sounds more like malware/add-ons/spamware installed as part of your router 'setup'. If it turns out your ISP is changing your search results (read: stripping out the search providers' logos) then I'm sure they would be very interested to hear about it... ;) – HaydnWVN – 2011-11-16T13:59:40.460

Answers

2

My ISP was doing the hijacking even after all the precautions I had in place because of a tool called PaxFire. This tool allows your ISP to intercept all of your traffic, even your DNS traffic when you're not using your ISP's DNS servers. There are only two ways to disable it: contact your ISP and they'll disable it per your modem, or, when you're greeted with the page, scroll down to the bottom and click opt out.

user100059

Posted 2011-11-16T12:21:18.647

Reputation:

Wth, you mean there's no way to prevent it unless they *allow* you to prevent it? – Pacerier – 2016-12-28T06:39:27.457

2

If this only happens in IE, then it is likely something in IE that is making this happen.

Check the Manage Add-ons in Internet Explorer Tools, and remove any Toolbars or Extensions, and Search Providers that you do not want.

By default there are no extensions or toolbars installed, and the only search provider is Bing. So everything else can go to get it back to vanilla.

Paul

Posted 2011-11-16T12:21:18.647

Reputation: 52 173

2 Also check your proxy settings. – LawrenceC – 2011-11-16T12:52:54.027

This happened to me last year. It turned out to be a toolbar plugin that someone had installed in IE on my machine. – BBlake – 2011-11-16T14:15:06.340

Search providers? – Paul – 2011-11-16T23:54:12.157

1

I know this is my second answer, but it's a different theory.

It wouldn't be beyond possibility for the ISP to intercept port 53 traffic and re-route it to its own DNS servers. There's no authentication performed with DNS.

Matthew Steeples

Posted 2011-11-16T12:21:18.647

Reputation: 2 130

Yes, but it doesn't fit the symptoms of "IE only". It would be quite difficult to do this at the ISP for only IE, as the original DNS query would not indicate the browser being used. You could redirect once the user-agent was seen, but that doesn't fit the behaviour described. – Paul – 2011-11-16T22:28:17.990

1

Boot off of a Linux live CD and see if the issue persists. That will for sure eliminate the operating system entirely. You can use the nslookup command in Linux.

If you are indeed hijacked, try calling your ISP and see if you can opt-out of this in any way.

If you are stuck, you can access DNS over Tor. Works great (if a little slow) but definitely not for the fainthearted. Not sure how to get it to work under Windows, but if you have an old computer and can slap Linux on it, that might be your best bet.

LawrenceC

Posted 2011-11-16T12:21:18.647

Reputation: 63 487

DNS over Tor's a great idea. – Pacerier – 2016-12-28T06:39:58.997

0

To check if this is a DNS issue or an IE issue, you can run the following command in PowerShell:

nslookup asdf.

As you're using OpenDNS the result should be:

Non-authoritative answer:
Name:    asdf
Address:  67.215.77.132

For any other DNS server it should be:

*** dnsserver can't find asdf.: Non-existent domain

You could also try it in a different browser such as Portable Firefox (which won't have any add-ons by default)

Matthew Steeples

Posted 2011-11-16T12:21:18.647

Reputation: 2 130

This isn't really search or Google request hijacking - this is what happens with your particular ISP when you send a request that doesn't actually resolve to anything. (Like, "Hey ISP's DNS Server! Resolve asdf!" <uhh, okay? what the he.. here, have a search thing.>) – Dustin Howett – 2011-11-17T01:37:44.133

(You are probably falling through the other nameserver entries on your system because they are just bailing on your malformed input. The IE address bar is not a search bar - other browsers will just hit Google for DNS resolution failures.) – Dustin Howett – 2011-11-17T01:39:02.450

0

If this only happens in IE9, why do you think it is your ISP?

Can you check your search provider list? (ie Tools/Manage Addons/Search providers).

Each of them has an option 'Search in the address bar'. If this is ticked and you type adsf in the address, since it is not a valid website address, it will send this to the search engine and presumably go to the first search engine listed, which (given your symptoms) is probably one provided/branded by your ISP.

sgmoore

Posted 2011-11-16T12:21:18.647

Reputation: 5 961