34

We own a primary domain:

  • businessdts.com

I didn't know if our admins had created a sub-domain I had requested, "BDASERVER.businessdts.com.", so I just tried to connect to it with a browser and got a "not found". Then I pinged that sub-domain and got an IP address that doesn't belong to us:

  • Pinging BDASERVER.businessdts.com [198.105.244.117] with 32 bytes of data
  • Our domain and all sub-domains should have an IP address of [173.203.24.209]

I had the admins check all of our DNS zones and we find no instance of the BDASERVER sub-domain, (the admins had not created it yet), nor did we find any instance of the 198.105.244.117 IP address.

Doing an IP lookup, we found that 198.105.244.117 belongs to a company called Search Guide Inc. (searchguideinc.com). They appear to be a domain broker of some kind.

Am I missing something:

  • How is this BDASERVER sub-domain resolving to a address that is not ours?
  • How does someone hijack a SUB-domain?
Improve this question
3
  • 29
    What DNS servers are you using when you run this lookup? My lookup fails to resolve that name. This smells like NXDOMAIN hijacking to me.
    – joeqwerty
    Commented Feb 23, 2017 at 3:33
  • Our Name Servers are NS.RACKSPACE.COM and NS2.RACKSPACE.COM, @joeqwerty. When we get the BDASERVER and wildcard sub-domains set up, it looks like that will override the hijackers. The only way I found out about the issue was when I did a ping against the subdomain.
    – CBruce
    Commented Feb 23, 2017 at 18:05
  • 5
    Sorry, I should have clarified my comment. I was asking what DNS servers does your computer use for DNS resolution? Those are the name servers that are hijacking the NXDOMAIN response, not the name servers for your domain name.
    – joeqwerty
    Commented Feb 23, 2017 at 18:24

3 Answers 3

Reset to default
36

As the other guys here have suggested - this is a ISP norm actually. ATT does it to me as well. When the domain requested is not found, and the DNS records do not point to a default destination (you can set that up on your server that manages your DNS - more than likely you are using a standard registrar and they will manage your dns for you - just login to where you registered your domain name and click manage dns). You should add a "wildcard" redirect record. This way you will always point undefined traffic to a default webpage - or your index page of your main website. This also helps a lot if there are typos - you do not lose your traffic that way and customers or visitors are not punished by their ISP with abusive ads (I think there should be a class action against the ISPs for making ad revenue on us all - no?) Anyhow - here is a discussion on this topic you can read for more specifics. Default DNS settings

Bottom line - if you are managing your domain name and server - setup your default wildcards and you might want to also add some custom error pages to point your webserver to when someone requests a page that does not exist - add your logo and link back to your main site with a small site search script or something on it... it's so annoying to request a resource or html page from a website - even clicking on one of their links on another page on their site - and that ugly "400 Error" page comes up. So much a business can do to preserve the user experience by making sure to handle errors and keep their customers. I also recommend that you include a "REPORT BROKEN LINKS" in the modified error pages and perhaps with the default wildcard redirect landing page that can also include an automatic redirect to the index home page or other choice page if the visitor does not interact or otherwise.

I'm off topic now - but clearly - the OP needs to know a little more about what causes the ISP to be able to intercept the error... the DNS handler does not provide a useful response to the undefined subdomain requested because it is not there - so the ISP serves up a revenue generating page instead. Easy fix though!

Improve this answer
11
  • 27
    "this is a ISP norm actually" I suspect this depends heavily on locale. None of the ISPs I have used have done it (and if my current one started doing it, they would be hearing from me...).
    – user
    Commented Feb 23, 2017 at 10:13
  • 5
    In order to call this a "norm", this chould be a BCP or at least a MAY in the corresponding RFCs. I strongly doubt that.
    – Hagen von Eitzen
    Commented Feb 23, 2017 at 16:31
  • 7
    @HagenvonEitzen sadly, profit driven companies like ISPs (at least here in the US) care little about BCPs and RFCs and other standards. Thus, the real world norm can end up deviating very, very far from the published standards.
    – Doktor J
    Commented Feb 23, 2017 at 17:23
  • 4
    @DoktorJ In some sense, one might say that if they intentiously break RFCs, which are the loose de-facto standard of the Internet, what your service provider provides you with is not the Internet ... my 2c
    – Hagen von Eitzen
    Commented Feb 23, 2017 at 19:04
  • 6
    The ISP thinks returning fraudulent responses to DNS requests can help, but the person they think it can help is not the customer.
    – Jon Hanna
    Commented Feb 24, 2017 at 2:22
63

There is no record for that subdomain:

$ dig BDASERVER.businessdts.com

; <<>> DiG 9.8.3-P1 <<>> BDASERVER.businessdts.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11871
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;BDASERVER.businessdts.com. IN  A

;; AUTHORITY SECTION:
businessdts.com.    300 IN  SOA ns.rackspace.com. hostmaster.rackspace.com. 1487794151 10800 3600 604800 300

;; Query time: 86 msec
;; SERVER: 192.168.64.1#53(192.168.64.1)
;; WHEN: Wed Feb 22 21:29:53 2017
;; MSG SIZE  rcvd: 103

It's likely that your ISP's DNS is doing what's referred to as NXDOMAIN hijacking, where they hijack NXDOMAIN DNS replies and instead of replying with a proper NXDOMAIN (as above), they give you the IP address of a "search" page, which typically gets advertisement revenue for them.

I'd talk with your ISP and ask that they stop interfering with your traffic. If they refuse, get a better ISP or use a different resolver for your traffic.

Improve this answer
6
  • 13
    Confirmed. That IP address is registered to Search Guide Inc, a known destination of NXDOMAIN hijacking.
    – Michael Hampton
    Commented Feb 23, 2017 at 3:38
  • And that's part of why registrars make so much from "defensive" registrations:(
    – user396327
    Commented Feb 23, 2017 at 3:40
  • So, if we go ahead and create the BDASERVER sub-domain in our DNS zone - will that supercede whatever the jerks are doing and work correctly for us?
    – CBruce
    Commented Feb 23, 2017 at 3:41
  • 2
    @CBruce Yep, it should. And then go and change your DNS resolver. :)
    – EEAA
    Commented Feb 23, 2017 at 3:41
  • @CBruce Well, depending on the TTL they faked into their manipulated response, it may take a while
    – Hagen von Eitzen
    Commented Feb 23, 2017 at 16:29
2

Someone points to a sub-domain, or any DNS entry for that matters, that doesn't exists by doing NXDOMAIN hijacking, which means greedy DNS owners will rewrite entries to point to ads-based pages.

There is a very simple answer to this: enable DNSSEC on your domain, which will prevent anyone from giving answer from another DNS (like your ISP).

Improve this answer
3
  • 1
    This assumes the client validates DNSSEC and the evil DNS server of the ISP won't be stripping DNSSEC records. A Strict-Transport-Security header with includeSubDomains may make more damage to the subdomain hijacker than adding DNSSEC.
    – Ángel
    Commented Feb 26, 2017 at 20:47
  • 1
    Full agreed - in this day and age, DNS is just plain insecure (why are we event using it...), no argument about modifying any DNS query. But stripping away DNSSEC records is a whole different level than simply hijacking a NXDOMAIN reply which ISPs might not just step to.
    – Max Dor
    Commented Feb 26, 2017 at 22:41
  • Yes this is very true. Heed this advice OP.
    – GoZippy
    Commented Feb 27, 2017 at 1:40

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .