- Web pages replaced with ISP's pages / adverts.
- Failure to find/connect to expected resources.
- Monitoring/tests of services that are down show them as being up / responding to HTTP or ICMP pings.
- Issues particularly common when using VPN.
- BT: disable it here: https://preferences.webaddresshelp.bt.com/selfcare/preferences.cgi
- Their documentation: https://preferences.webaddresshelp.bt.com/selfcare/
I've not yet found a working fix for this, but in theory the below should work:
- TalkTalk: disable it here: https://www.talktalk.co.uk/optout/ then restart your router. NB: Doesn't work for most users.
- Contact support: https://community.talktalk.co.uk/ - select the chat option in the bottom right and say "I'd like to opt out of TalkTalk's Error Replacement Service". There's also an 0345 number, but that's like tipping someone for giving you bad service.
- Virgin Media: disable it here: https://my.virginmedia.com/advancederrorsearch/ (say "No" to using the "advanced network error search"). NB: Doesn't work for most users.
- Community forum: https://community.virginmedia.com/t5/QuickStart-set-up-and/Advanced-Network-Error-Search-ANES-opt-out-resolved/td-p/3455147 - if the official link doesn't work (as often seems to be the case) the Virgin Media support team can fix things here.
- Their documentation: https://www.virginmedia.com/help/advanced-network-error-search (do not call the 0345 number; it's 12p per minute so you're paying them for a problem they created)
- BareFruit now advise how to opt out where ISPs don't provide a method. Here's their own documentation.
ISPs do this for money, even though you're a paying customer and this damages your service. The line they give is "rather than an unhelpful error message, we help you find something you're after" (paraphrased). What they mean is "instead of reporting an error so your system can handle it, we direct you to a site that pays us to send you their way, and we pass on all the information that you'd been sending to the site you requested to a company you don't know, who do god knows what with it".
- I request server: myServer
- This is not an FQDN, so my computer appends my primary DNS suffix: myServer.myPrimaryDnsSuffix.com
- My computer then sends a DNS lookup request. This is not a valid name (since this server is on a different domain, so its FQDN is myServer.myOtherDnsSuffix.com). As such, the DNS server returns an NXDOMAIN ("non-existent domain" / no joy).
- My ISP sees the NXDOMAIN response and replaces it with an A record response pointing at BareFruit's (or whoever's) IP (which, were I using a web browser, would direct my HTTP traffic at their advertising pages).
- When my computer sees the A record returned it believes the lookup to be successful, so it doesn't work through the rest of my DNS search suffix list (i.e. it doesn't try to look up myServer.myOtherDnsSuffix.com), and so it never finds the correct IP.
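The sequence above, modelled in Python as an added example (this is not code from the gist or from any ISP or BareFruit; all names, the private zone and the IPs are constructed for illustration, and `192.0.2.1` is a documentation-range placeholder standing in for the advert host). `stub_lookup` mimics a client walking its search suffix list, `hijacking_resolver` rewrites every NXDOMAIN into an A record, and `looks_hijacked` is the check a defender can run: ask for a name that cannot exist and see whether an answer comes back anyway.

```python
import secrets
import string

# Constructed private zone: the only name that genuinely exists, reachable over the VPN.
# The addresses are private/documentation ranges chosen for the example, not real hosts.
PRIVATE_ZONE = {
    "myserver.myotherdnssuffix.com.": "10.0.0.5",
}
ADVERT_HOST_IP = "192.0.2.1"  # placeholder for the BareFruit / advert landing host


def honest_resolver(fqdn):
    """Return the A record for fqdn, or None to signal NXDOMAIN."""
    return PRIVATE_ZONE.get(fqdn.lower())


def hijacking_resolver(fqdn):
    """Same data, but every NXDOMAIN is rewritten into an A record for the advert host,
    which is exactly what the ISP's error-replacement service does."""
    answer = honest_resolver(fqdn)
    return ADVERT_HOST_IP if answer is None else answer


def stub_lookup(name, search_list, resolver):
    """Mimic the client behaviour described in the list above.

    A name without a trailing dot is tried with each search suffix appended, in order,
    and the first positive answer wins; the bare name is tried last.
    Returns (name that answered, ip), or (None, None) if every candidate was NXDOMAIN.
    """
    name = name.lower()
    if name.endswith("."):
        candidates = [name]
    else:
        candidates = [f"{name}.{suffix.lower()}." for suffix in search_list] + [name + "."]
    for candidate in candidates:
        ip = resolver(candidate)
        if ip is not None:
            return candidate, ip
    return None, None


def looks_hijacked(resolver, probes=3):
    """Detection check: a random 24-letter label under a real suffix cannot exist, so any
    A record returned for it means something in the path rewrites NXDOMAIN answers."""
    for _ in range(probes):
        label = "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        if resolver(f"{label}.myprimarydnssuffix.com.") is not None:
            return True
    return False


if __name__ == "__main__":
    search = ["myPrimaryDnsSuffix.com", "myOtherDnsSuffix.com"]
    print("honest resolver  :", stub_lookup("myServer", search, honest_resolver))
    print("hijacked resolver:", stub_lookup("myServer", search, hijacking_resolver))
    print("hijack detected? :", looks_hijacked(hijacking_resolver))
```

With the honest resolver the first candidate is NXDOMAIN, the client moves on to the second suffix and finds 10.0.0.5; with the hijacking resolver the very first candidate "succeeds" with the advert address and the real name is never tried. The same probe works against a live resolver: query a long random label under a domain you own and compare the answer from your ISP's resolver with one from an alternative such as 1.1.1.1; an honest resolver returns NXDOMAIN for both.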
These issues are most often seen on VPN since you're looking for items in a private DNS that the ISP won't be aware of.
Accessing the resource by IP or FQDN circumvents this issue. The problem with using the IP (aside from inconvenience) is that many SSL certificates only include the FQDN in their SAN list, not the IP, so when the browser compares the IP with the certificate's details it will show a warning. Generally using the FQDN should be OK, but if there are any links in pages which don't use the FQDN, those will have problems (since the user can't amend the site's internal content). For those it's best that the site owners ensure they always use FQDNs rather than NetBIOS names when sending content to the client.
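To show why the IP (or a bare NetBIOS name) trips the browser's certificate check while the FQDN passes, here is a small SAN matcher, added as an example and not taken from the gist or from any browser's code. It assumes the SAN list is given as strings in the `DNS:name` / `IP:address` shape and follows the usual rules: DNS entries are compared case-insensitively, a `*.` wildcard covers exactly one leftmost label, and an IP only matches an `IP:` entry, never a `DNS:` one.

```python
import ipaddress


def _dns_name_matches(pattern, hostname):
    """Case-insensitive match of a DNS SAN entry; '*.' covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        _head, sep, tail = hostname.partition(".")
        return bool(sep) and tail == pattern[2:]
    return pattern == hostname


def name_matches_cert(sans, requested):
    """Return True if the name or IP the client typed is covered by one of the cert's SANs.

    sans: iterable of constructed entries such as "DNS:myserver.myotherdnssuffix.com"
          or "IP:10.0.0.5".
    requested: what appeared in the URL, e.g. "myserver.myotherdnssuffix.com",
               "myServer" (NetBIOS-style short name) or "10.0.0.5".
    """
    try:
        requested_ip = ipaddress.ip_address(requested)
    except ValueError:
        requested_ip = None  # a hostname, not an address

    for entry in sans:
        kind, _sep, value = entry.partition(":")
        if kind == "DNS" and requested_ip is None and _dns_name_matches(value, requested):
            return True
        if kind == "IP" and requested_ip is not None:
            try:
                if ipaddress.ip_address(value) == requested_ip:
                    return True
            except ValueError:
                continue  # malformed IP entry in the cert: ignore it
    return False


if __name__ == "__main__":
    # Constructed certificate: FQDN only in the SAN list, as is typical.
    cert_sans = ["DNS:myserver.myotherdnssuffix.com"]
    for url_host in ("myserver.myotherdnssuffix.com", "myServer", "10.0.0.5"):
        print(f"{url_host:32} -> {'ok' if name_matches_cert(cert_sans, url_host) else 'WARNING'}")
```

Only the FQDN passes; the short name and the IP both produce the warning the paragraph describes, which is why site owners should emit FQDNs in their links (or, less commonly, add an `IP:` SAN entry to the certificate).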
In my opinion it should be; you're paying for a service and not receiving it. However, it could be argued that the law doesn't say that communication standards have to be followed, and likely the ISPs' legal teams have put something in the small print that you've agreed to, so it may be hard to word a law to cover this that wouldn't then risk opening the innocent to litigation. Also, I have no legal knowledge.
Yes. DNS hijacking doesn't mean that you're actually being attacked by someone malicious; this is all above board and there are contracts in place between your ISP and BareFruit (or potentially other vendors doing the same). However, once your DNS request fails and you're given the false IP, all communication from your client to what it believes to be the correct resource is then sent to BareFruit's servers. In theory, they can get a lot of information from you. This is one reason why SSL certificates are important: they give your client a way to validate that the resource is what it claims to be. Also, BareFruit don't really care about you (you're not their customer), so they have no reason to protect you beyond basic legal / contractual requirements. As such, who's to say a malicious hacker couldn't exploit their systems? They've just added another potential vulnerability to the list...
Please comment on this GIST. My aim with this is to provide a single resource where anyone with this issue can find the solution for their ISP.
Note: BareFruit provide the following advice: BareFruit Opt Out. Basically, change your DNS server from your ISP's to an alternative. The Cloudflare 1.1.1.1 DNS service is a good, free option: More Info.
By introducing this feature and enabling it by default, your ISP is providing you with a service that is unfit for purpose.
I personally recommend switching to Zen: https://www.zen.co.uk/, though do your research before making any decisions.
- https://www.uswitch.com/broadband/postcode_checker/ - see which providers are available in your area / what to expect of them
- https://www.which.co.uk/reviews/broadband-deals/ - thorough comparison of providers/current offers (NB: the most useful info is behind a pay wall)
- Notes on how a US user got around their issues with Comcast and Time Warner: How to Stop ISP DNS Server Hijacking
I've heard rumours that Plus.Net may be doing this. I can't find confirmation of this. Looking around I found an opt-out page for something called "direct marketing", but it's unclear if that's DNS Hijacking, or some other marketing preference. Should it help others sharing here: http://www.plus.net/dm/optout/ - but not included in the gist as it's not yet verified.