dslreports logo
 story category
ISP Error Opens Security Holes in Web
Those annoying DNS redirection services pose security risk

A money-generating trend that has cropped up in the last year is for ISPs to use DNS redirection services to replace the old “page not found” error sites with sites full of advertising. This has been controversial in the past because it’s irksome to users who are running apps and tools that require a “clean” connection. But it turns out that the issue may be more than just annoying; recent reports say that these pages cause vulnerabilities for the web in the form of security holes accessible by hackers.

The problem came to the attention of the media when it was revealed that Earthlink’s DNS redirection (through a service called Barefruit) had a bug that “may have allowed attackers to launch undetectable phishing attacks against any Internet site”. That bug has now been fixed but the problem remains an area of concern because so many different ISPs are using similar services.

view:
topics flat nest 

newview
Ex .. Ex .. Exactly
Premium Member
join:2001-10-01
Parsonsburg, MD

1 recommendation

newview

Premium Member

Once again . . .

greed places users at a security risk.

Robert
Premium Member
join:2001-08-25
Miami, FL

1 edit

Robert

Premium Member

OpenDNS..

If the reports are legit, then this makes OpenDNS unsafe and hazardous to its users, since it also employs a DNS Redirection service in place of the old "page not found" errors.

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

1 edit

FFH5

Premium Member

Re: OpenDNS..

said by Robert:

If the reports are legit, then this makes OpenDNS unsafe and hazardous to its users, since it also employs a DNS Redirection service in place of the old "page not found" errors.
But they don't make the page look like the original site. They identify that it is Opendns and not the ISPs or paypal or amazon, etc.

»blog.wired.com/27bstroke ··· age.html
Anyone can also use OpenDNS, a start-up that also provides ad pages on domains that don't resolve, but does so without pretending to be the other site.
And since ANY web site can be hacked, a vulnerability still exists, but one no different than if amazon or paypal itself had been hacked.

nohelpWA
join:2001-12-06
Milton, FL

nohelpWA to Robert

Member

to Robert
I too use OpenDNS so I did some searching:

This is a quote from an article posted on April 7, 2008
»www.networkworld.com/new ··· can.html

"On Tuesday, OpenDNS will offer users of its free service a way to prevent this type of attack, and the company will also set up a Web site that will use Kaminsky's techniques to give users a way to change the passwords of vulnerable routers."

I will be checking on this.

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

FFH5

Premium Member

Re: OpenDNS..

said by nohelpWA:

I too use OpenDNS so I did some searching:

This is a quote from an article posted on April 7, 2008
»www.networkworld.com/new ··· can.html

"On Tuesday, OpenDNS will offer users of its free service a way to prevent this type of attack, and the company will also set up a Web site that will use Kaminsky's techniques to give users a way to change the passwords of vulnerable routers."

I will be checking on this.
You can get details on this new feature at Opendns and how to use it here:
»blog.opendns.com/2008/04 ··· attacks/

nohelpWA
join:2001-12-06
Milton, FL

nohelpWA

Member

Re: OpenDNS..

TK,
Thanks for the link!

koma3504
Advocate
Premium Member
join:2004-06-22
Granbury, TX

koma3504

Premium Member

ISP Error Opens Security Holes in Web

just one more reason the ISP'S should not be allowed to break DNS. Or modify pages. or forge packets.
And it should be made LAW and fined accordingly when caught doing so.

AnonymousDolphin
@comcast.net

AnonymousDolphin

Anon

Use Firefox

Why not just use Firefox, with Adblock, Flashblock and Noscript extensions installed? That takes care of the great majority of security attacks from websites, since they can't really display anything that's dangerous.
CWO
join:2005-02-24
Chicago, IL

CWO

Member

Re: Use Firefox

Because this is about DNS vulnerabilities and Firefox just like every other program that accesses the internet uses DNS to resolve names to addresses.

cowboyro
Premium Member
join:2000-10-11
CT

cowboyro to AnonymousDolphin

Premium Member

to AnonymousDolphin
said by AnonymousDolphin :

Why not just use Firefox, with Adblock, Flashblock and Noscript extensions installed? That takes care of the great majority of security attacks from websites, since they can't really display anything that's dangerous.
...then why not go back to text-only browsing??? Disabling add-ons is just a band-aid, the real solution is re-writing the software from ground-up with security in mind.

ThoughT2010
@sonotechnique.ca

ThoughT2010

Anon

DNS Redirection

Users CAN change their DNS manually to some other ISP's DNS server though, if my ISP used this type of DNS redirection I would switch my servers to another ISP's.

this redirection is more of an annoyance than a security threat.

for those who don't know how to handle ads and suspicious pages they're screwed already because they're bound to find other non-safe sites on the web, unlike the redirection which is safe in comparison.

for those like us, its just an annoyance because we make a typo in an address and then think some company bought the domain, a domain exists when it shouldn't, or my computer has been infected to redirect invalid addresses.