Things got off to a good start with Time Warner Cable’s Road Runner service. I switched over recently when it became clear that Fairpoint cannot or will not maintain its infrastructure. The Time Warner kit showed up, I plugged everything in, my new digital phone and Internet services worked right out of the box. Nice!
There was just one annoying glitch. My searches kept getting redirected to dnssearch.rr.com. So for example, if the search term was “Jon Udell”, I’d land here. The landing page poses the question “Why am I here?” and answers thusly:
You entered an unknown web address that was used to present site suggestions that you may find useful. Clicking any of these suggestions provides you with search results, which may include relevant sponsored links.
If this service is not right for you, please visit your Preferences page to opt out. At any point in time, you can opt back in to the service by visiting your Preferences page.
You might wonder why search would trigger this hijacking. I looked into it and found that my DoubleSearch search provider, which queries Google and Bing side-by-side, reveals an odd Road Runner quirk. When I use it on a Road Runner connection, the Google search works normally but the Bing search gets hijacked. This wouldn’t happen normally, but it turns out that I never updated the DoubleSearch provider when search.live.com was redirected to search.bing.com. So when the provider invokes this URL:
http://search.live.com/results.aspx?q="Jon Udell"
I should be redirected to:
http://search.bing.com/results.aspx?q="Jon Udell"
But instead, Road Runner sends me to:
http://dnssearch.rr.com/?q="Jon Udell"
Evidently you don’t need to fail a DNS lookup outright to trigger the hijacking. It even happens when your first destination redirects you to a second.
When I went to the Preferences page to end this interference I found not one but three “services”:
- Web Address Error Redirect Service
- Typo Correction Service
- Safe Search Filter
As others before me have discovered, the first of these — the “non-existing domain landing service,” aka DNS hijacking — is enabled by default. That rubs me the wrong way. I don’t want Time Warner Cable hijacking DNS lookups at all. Doing it in a way that involves “relevant sponsored links” is even worse. And triggering on a redirect instead of an outright failed lookup is just plain weird. But OK, it’s a setting, I can disable it once, and then forget about it, right?
Wrong. It turns out that to “disable” the “service” doesn’t mean ending the hijacking for my local network. Instead it means dropping a cookie into whichever browser I happen to be using at the time. This fails to address the various problems detailed on Wikipedia’s DNS Hijacking page.
So I called Time Warner to ask them if they will implement the setting correctly. Unlikely, but it never hurts to ask. Things got off to a really bad start with the first support agent, Kerwin, though.
Me: Your Web Address Error Redirect Service is creating a problem and I’d like to see if we can resolve it.
Kerwin: Where are you being redirected to? It sounds like your computer is infected with a virus, so…
Me: Hold it right there, pal. Let me speak with your supervisor.
After some backpedaling, during which I learned that Kerwin didn’t even know what DNS hijacking is, never mind that Road Runner does it, I connected with Bill at level two support. I told Bill to take Kerwin out to the woodshed for a spanking, and explained the situation again. Bill, who says he’s worked at Time Warner for 8 years, also claims not to know that this “service” exists on his company’s network.
I am waiting (but not really expecting) to hear back from somebody at level three. Meanwhile I just had to get this rant off my chest. If you hijack my network pipe, I’ll be annoyed. If you make it hard for me to stop you from doing that, I’ll be angry. But if you blame me for creating a problem you claim not to know about or understand, I’ll go ballistic.
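A resolver-level check for the NXDOMAIN rewriting described in this post, as an added example that is not part of the original post or any Time Warner tooling. The function names and the random `.com` probe name are assumptions, and the sample replies are constructed rather than captured.

```python
import secrets
import socket
import struct
import sys

def build_query(name, txid):
    """Encode a minimal DNS A-record query (RFC 1035) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(packet):
    """Judge a reply to a query for a name that should not exist."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    if rcode == 3 and ancount == 0:
        return "honest"        # genuine NXDOMAIN
    if rcode == 0 and ancount > 0:
        return "rewritten"     # an answer was synthesized for a nonexistent name
    return "inconclusive"      # SERVFAIL, REFUSED, empty NOERROR, ...

def constructed_reply(name, rcode, answer_ip=None):
    """Build a sample reply (constructed test data, not captured traffic)."""
    query = build_query(name, 0x1234)
    flags = 0x8180 | rcode     # QR, RD, RA set plus the response code
    ancount = 1 if answer_ip else 0
    reply = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + query[12:]
    if answer_ip:
        # Compressed pointer to the question name, TYPE A, CLASS IN, TTL 60, 4-byte address
        reply += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return reply

def probe(resolver_ip, timeout=3.0):
    """Live check: ask resolver_ip for a random, almost certainly unregistered name."""
    name = secrets.token_hex(12) + ".com"   # assumption: this label is not registered
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, secrets.randbelow(65536)), (resolver_ip, 53))
        packet, _addr = sock.recvfrom(4096)
    return classify_response(packet)

if __name__ == "__main__":
    # Pass resolver addresses on the command line, e.g. the one your modem hands out.
    for ip in sys.argv[1:] or ["8.8.8.8"]:
        print(ip, probe(ip))
```

Running it against both the ISP-assigned resolver and a public one shows whether the rewriting happens at the resolver; it says nothing about interception at the HTTP layer.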
September 13, 2010 at 3:24 pm
I’ve had some big disappointments with TWC as well. For instance, rather than contact the account holder (who they send bills to) to let them know their computer may be infected with a virus and they need to remediate the problem or suffer having their network access blocked, they simply took us off the network one day. I came home to no network, spent many minutes powering down and powering up the cable modem, the router/access point, etc. All to no avail, finally ending in me calling. And then I had the same kind of runaround where nobody knew why we didn’t have access to the network. The first time I called, I got dropped because I was calling on our hardline through TWC and they had to reset the modem remotely. Guess what, genius, that dropped the call too. So I had to call back, got another guy who couldn’t tell me why the network was not working, got put on hold, transferred, and got a voice mail message! I called back again, this time they successfully got me to a level 2 support guy (but I was on hold for 15 minutes). The level 2 guy finally figures out what’s going on and explains one of our computers is suspected of being infected and our network access was blocked. And to add insult to the injury, he made some kind of comment that he could temporarily turn it back on if I promised not to let that computer back on the network while I worked on it. And so I promised and he said, usually they require all TWC customers who have been blocked to provide a copy of a receipt from a computer maintenance outfit showing proof that the computer was ‘brought in’ and ‘cleaned’. Somehow you must fax this to them (because it certainly will be impossible to do through SMTP and the TWC provided network which is being blocked). Which leads me to believe I could forge a receipt and easily get back on the network. TWC is the amateur hour writ large.
September 13, 2010 at 4:11 pm
Jon,
do you perhaps have enough configuration control over the Roadrunner gateway/router box to change the DNS servers used? If you switch to Google’s public servers (8.8.8.8 and 8.8.4.4, IIRC), I believe they do _not_ hijack.
September 13, 2010 at 4:52 pm
This is Sandvine’s “technology.”
It’s more than just DNS hijacking, they are proxying HTTP requests too it looks like, though I’m not 100% sure. I think that’s how they inspect the URL to see if they should redirect it or not.
September 13, 2010 at 9:29 pm
Paradigm: I agree it does — or did — look that way.
Ken: Yes, the modem is theirs but the router is mine. While trying your suggestion I noticed that I cannot now reproduce the original behavior. It’s almost as if somebody read this and responded silently, though somehow I really doubt that.
September 14, 2010 at 1:26 pm
I’ll emphatically second Ken’s suggestion to use the Google Public DNS servers. I was originally skeptical about giving Google access to a new source of information about the websites I’m visiting but it seems now that ISPs are doing much more sketchy things than just recording my DNS lookups. And at least Google is subject to enough public scrutiny that if they start hijacking or messing with the results, it’ll draw a big public outcry.
On the other hand, if they were in fact mucking around with the HTTP stream, changing your DNS provider wouldn’t help. That’s an awfully big ‘if’, though — since presumably you hadn’t configured your browser to use a TWC proxy, so they’d have to be intercepting the HTTP packets, reassembling the response, processing it, modifying it, and re-sending the modified response, all at wire speed.
You didn’t run any kind of disc they sent you with the self-install kit, did you?
September 14, 2010 at 1:46 pm
“You didn’t run any kind of disc they sent you with the self-install kit, did you?”
No.
September 14, 2010 at 2:36 pm
If anything is sorely needed with Net Neutrality it is precisely this – meddling with the customer HTTP request and its standard operation (like the valid redirect) must be, IMHO, an OPT IN thing – TWC must have to actually sell you on this and give you something in return (and also let you revert at any point if you so wish).
Jon is not an average person – he knows a thing or two about how the network works. 99% of the others will not get the service they choose and will not even know about it.
@Jon – you do have a much wider audience than most of us and you obviously do care about this issue. Let your voice be heard!
Dror
September 14, 2010 at 3:39 pm
Well at this point somebody else might need to document the behavior I was seeing, because I’m not seeing it now. If I disable or enable the service in one browser, the cookie I was seeing before isn’t created or deleted. Meanwhile a different browser sees the change.
Although nobody from Time-Warner has responded to me, the system really is acting as if they heard and acquiesced to my request.
It would be interesting to replay all this on a new TWC installation.
September 14, 2010 at 8:13 pm
Went through similar rigamarole today with Bright House after getting opted back into the program after opting out when it was first implemented in 2006 (?).
They ended up blaming me and my OS X machines for their DNS hijacking and recommended I call Apple. After I reiterated that it was their hijacking at fault, the support agent stranded me on hold for 40 minutes after which point I gave up.
Received a bunch of email spam from them this evening with links to “useful” articles with wonderful titles like “CA Internet Security Suite – CA Anti-Virus”, “Removing ActiveX Controls and Java Applets”, and “Abuse Reporting: Child Porn Complaints”.
Not a happy customer. Considering calling back later this week and escalating higher (with the real threat of changing ISPs).
September 16, 2010 at 4:54 pm
Tonight I heard back from a (presumably level 3) TWC person.
Q: Is opt-in the default?
A: Yes.
Q: Why?
A: Don’t know.
Q: Why was opt-out only per-browser rather than local-network-wide?
A: I think it is local-network-wide.
Q: If so, why drop a cookie into the browser that requests the opt-out?
A: Don’t know.
Q: And why didn’t the opt-outs stick until I called to complain?
A: Don’t know.
Q: How and why is TWC redirecting when there is no failure of DNS lookup, but only an HTTP-level redirect (e.g. search.live.com -> bing.com via HTTP 301)?
A: Don’t know.
September 17, 2010 at 5:12 am
I suppose I should be glad that I am not alone. I spent 2 hours on the phone with support, switched to 6 different people (and having to give them my account info each time).
If you do get this resolved, please get us a contact, reference number or even just the correct words to say so we can get it fixed too.
September 17, 2010 at 8:56 am
And BTW I don’t believe the fix-it link does anything with cookies (despite what RoadRunnaround support thinks). I get the same redirect if I run NSLOOKUP directly against their DNS servers. And the options page modifies that behavior as well…for a few hours anyways.
September 17, 2010 at 10:41 pm
I’m a non-expert internet user who’s had his address bar searches hijacked by Road Runner off and on for over a year. This time I discovered that the “Safe Search Filter” cannot be disabled. I was wondering if maybe that’s their trick: could it be that if the safe search filter remains enabled, the web address redirection also is, automatically?
Anyway, on previous occasions and again on this one, it turned out that if I go to their opt in/opt out page and disable all that stuff, and go back and do it again, and then again: several times–I didn’t count–it works. For some months, anyway. I’ve just disabled it that way, so I wish me luck.
September 18, 2010 at 8:04 am
@Nick, There definitely seemed to be a correlation between the setting and a cookie, at least initially. I observed it on multiple browsers on multiple machines. Since I called to complain, though, there isn’t.
Meanwhile the “Don’t hijack” setting refuses to stick. It behaves as though opt-out means “Stop doing this for a while” instead of “Stop doing this period.”
September 20, 2010 at 4:26 am
The comment system rejected my longer reply (twice). I went ahead and analyzed the web traffic when saving settings. There are no cookies in the exchange.
September 21, 2010 at 8:11 am
Thank you, Jon, for fixing my mess there with the multiple corrective posts.
Just thought that having commented here I owed you guys an update:
Unfortunately, Road Runner’s back. I guess this time they mean business.
September 22, 2010 at 1:49 pm
The great mystery is _why_ do they do this?
After dealing with similar problems with Verizon DSL (and their port 25 blocking – different rant), I just gave up, and installed dnsmasq as my local DNS proxy, pointing to real DNS servers. It does exactly what I need, and runs without a glitch.
I run it on a local GNU/Linux server, but it’s also available with the dd-wrt router firmware.
September 23, 2010 at 8:12 pm
Tonight Time Warner Cable DNS hijacked my Facebook.
It’s one thing when a lookup failure takes you to some dumb search page, it’s another thing entirely when it blocks off actual existing sites! Thanks for this post, for a minute I thought I was in Iran.
Of course, which is eviller – the ISP that blocks me from getting to Facebook, or Facebook … ? :D
September 24, 2010 at 5:07 am
Update:
One of my coworkers showed the hijacking behavior to a tech during a service call. Tech supposedly called somebody to look into it.
For myself, I set up a scheduled task to ‘wget "http://dnssearch.rr.com/?cat=pref&con=dns&optout=yes"’ so I’m now opting out every 5 minutes. Doesn’t cure the problem but sure cures the symptoms.
September 24, 2010 at 6:47 am
@Nick, I had another conversation with TWC yesterday. The guy was very helpful: read this blog entry, started a trouble ticket, included a reference to this entry, really wanted to help.
BTW, he too was unaware of the existence of dnssearch.rr.com, as have been all the front-line people I’ve spoken with.
I got a call back a few hours later, from somebody who made a change on their end, and so far so good. This may indicate a bug in their opt-out mechanism.
(Never ascribe to malice what is adequately explained by incompetence.)
If this works, it’ll prove that at a minimum others can get the fix applied manually, though of course that shouldn’t be necessary if it is just a bug and if the bug gets fixed.
Still unexplained: the HTTP-level redirection. I asked them to follow up on that.
September 29, 2010 at 7:55 pm
Thanks for the post Jon, this has been driving me nuts for a while. Nice to hear about it from your perspective. I’m on Comcast and I get these: http://search2.comcast.com/?cat=dnsr&con=ds&url=jon+udell. I’ve not been able to opt out…
I always just thought it was about the sponsored links.
October 19, 2010 at 9:06 pm
Thank you! Those idiots at TWC had me thinking I was insane. As soon as another ISP comes to town I’m switching (I hope you’re listening you jackasses :). I’ve had the same conversation over and over again with 10 different “level 3” techs and none of them believe me.
I’ve had it happen to every website imaginable – wiki, facebook, youtube, and most annoyingly, google. I’ve tried to clear my cache/cookies/etc. but the only thing that works (for google anyway) is this: type in images.google.com, type in my search, click search, and after all the results load, click the “everything” button.
I work in the adult industry and couldn’t help but be paranoid and think they might have “flagged” me….I don’t know, maybe there’s some bullshit in their TOS about programming for porn sites… :/
October 27, 2010 at 11:23 am
Jon, I would love to be the fly on the wall in those support conversations…