Dealing With ISPs That Use NXDomain Redirection?

Vrtigo1 writes "I work for a small company that has about 50 staff on the road relying on VPN back to our office at any given time. Many ISPs have implemented NXDomain redirection services that hijack DNS traffic to show you sponsored links and other related ads when you mistype a domain name. These services are incompatible with most VPN software, since they prevent the computer from resolving internal hostnames. Large ISPs typically provide an opt-out on their sponsored links page that immediately opts you out of the DNS redirection, but I've noticed that some smaller ISPs and CLECs have opt-out links that don't actually appear to do anything. I don't have a good solution for employees using these ISPs, and our employees are getting frustrated because the problem is becoming more prevalent and we can't fix it for them. I've tried calling a few of these smaller ISPs for help, but it's been like talking to a wall. Manually changing DNS servers works temporarily, but the user can't resolve internal hostnames when they connect to the office LAN again. Have you had to deal with ISPs using non-standard DNS servers? What is your solution?"
  • by QuantumRiff ( 120817 ) on Wednesday May 13, 2009 @02:21PM (#27941191)

    Last time I set up a VPN, it was with a Cisco PIX firewall (it's been a while), but there was a spot to specify which DNS servers to use when connected to the VPN. I had specified that when connected, they would use our DNS, since they otherwise couldn't resolve \\file-server\share or whatever.

  • Use Full Tunnels (Score:5, Informative)

    by Bandman ( 86149 ) <bandman.gmail@com> on Wednesday May 13, 2009 @02:21PM (#27941207) Homepage

    If you're splitting your connection between a VPN tunnel and a non-VPN protected internet connection, you're a security risk to your infrastructure.

    Have your administrator configure full tunnel support where ALL of your traffic goes through the encrypted tunnel. That solves a security problem AND it fixes your DNS problem because you don't use your local internet provider's DNS servers.

  • Split-horizon DNS (Score:3, Informative)

    by Dishwasha ( 125561 ) on Wednesday May 13, 2009 @02:23PM (#27941227)
  • Re:Use Full Tunnels (Score:5, Informative)

    by L0stm4n ( 322418 ) on Wednesday May 13, 2009 @02:26PM (#27941271) Homepage

    This is called split tunneling. If he disables split tunneling and specifies the DNS servers in the VPN config his problems would go away.

    His users, however, would tunnel all their traffic through the corporate LAN while connected, so you may need to set up some kind of filtering or route the traffic through whatever filters you already have. Otherwise these remote workers in hotel rooms will be pulling buckets-o-pr0n through your corp network.

  • Re:Use Full Tunnels (Score:2, Informative)

    by Bandman ( 86149 ) <bandman.gmail@com> on Wednesday May 13, 2009 @02:27PM (#27941297) Homepage

    But that's only a problem when they're connected to the VPN. Don't surf porn while on the VPN, don't get fired. Win/Win

    Just disconnect to download your porn and you're good.

  • by nine-times ( 778537 ) <nine.times@gmail.com> on Wednesday May 13, 2009 @02:30PM (#27941337) Homepage
    Yeah, honestly I'm a little confused by the question. If you want to use DNS to connect to internal servers via VPN, then don't you want to route your DNS traffic through the tunnel to use internal DNS servers? And once you're doing that, how could the ISP possibly hijack that DNS traffic? It's encrypted.
  • by goombah99 ( 560566 ) on Wednesday May 13, 2009 @03:11PM (#27942029)

    This guy sounds like a manager or IT worker who is having problems with his employees connecting to the work VPN.

    It sounds more like he has not stated the problem correctly.

    How is it possible that a VPN connection is doing DNS to an external name server? Shouldn't every internet request flow over the VPN from the client to the server? Once it reaches the internal VPN server, the server should know how to route the internal addresses, and for external addresses it could use an external domain name server. The problem described seems like it should not exist. What am I missing?

  • hosts file? (Score:3, Informative)

    by i.r.id10t ( 595143 ) on Wednesday May 13, 2009 @03:22PM (#27942211)

    A logon script here loads a hosts file that null-routes a lot of known bad (spyware, etc) sites.

    Could you do the same for your internal hosts so that when on the VPN it doesn't even need to do a DNS lookup?

  • by hey ( 83763 ) on Wednesday May 13, 2009 @03:28PM (#27942291) Journal

    Good point. They should thank the ISP for this alert.

  • by omnichad ( 1198475 ) on Wednesday May 13, 2009 @03:56PM (#27942787) Homepage
    OpenDNS has NXDOMAIN redirects too. You'd have to work only from static IP addresses that are configured with an OpenDNS Account.
  • by IceCreamGuy ( 904648 ) on Wednesday May 13, 2009 @04:06PM (#27942943) Homepage
    You are referring to what is known as "Split Tunneling," which is a legitimate, albeit less secure, VPN configuration. Basically, when split tunneling is enabled the client workstation's default gateway is still its local gateway and DNS requests get routed by the client to the appropriate DNS server, whereas in a non-split tunnel the default gateway is the remote gateway (which obviously has no way of routing to the local network) and all DNS requests go encrypted through that. There are several reasons someone would want to do this:
    • You need people to access their local printers/network resources and don't have some kind of pass-through ability
    • You have limited bandwidth at your remote site and cannot handle the Internet usage that would be NATed through
    • Your gateway does not support NAT on VPN tunnels and your clients need Internet access
    • You don't realize what you're doing

    Either way, what I do when I have some kind of weird situation where a user needs to change their TCP/IP config routinely is just put a couple shortcuts with pretty icons on their desktop that point to batch scripts that run a netsh script. You should be able to completely change an IP configuration on a Windows box with this utility, the user just runs "home.bat" when they're home and then "office.bat" when in the office. A Google for "netsh exec" should give enough info to get started.

  • by Intron ( 870560 ) on Wednesday May 13, 2009 @04:21PM (#27943175)
    Depends on the VPN setup. I don't want my VPN clients sending all of their web browsing through the VPN and then back out through my firewall. I only want the traffic destined for my internal network. On their end, they should have a route table that sends traffic for me through the VPN and everything else through their normal ISP. I can support a lot more users that way.
  • by HappyDrgn ( 142428 ) on Wednesday May 13, 2009 @04:39PM (#27943499) Homepage

    This is in fact why NXDomain breaks things in the way the poster describes, however, unless you're the kind of employer who wants to see EVERYTHING your subordinates are doing it's not actually the best practice to filter everything through the VPN.

    Filtering everything through their VPN increases overall costs in bandwidth and hardware as Intron indicated. These are very real, very costly expenses that many employers overlook when implementing broad policies... and it's a fantastic point you raised that all too many companies forget.

    Why should my connection to slashdot.org, for example, be secure on the company VPN? My ssh and nfs connections have very real reasons to be secure however!! On the other hand, you could fix this by filtering DNS traffic through the VPN, but not web traffic. The cost of DNS traffic is marginal compared to other services, but the benefit for companies facing these specific issues is obvious.

  • by blingingToad ( 787967 ) on Wednesday May 13, 2009 @04:53PM (#27943701)
    I do not think your ssh connection needs to be tunneled through a VPN at all. Ssh is a secure way to transmit and receive information without a VPN. I suppose you could use a VPN with ssh, but it seems redundant. NFS is another matter, though.
  • by Sparr0 ( 451780 ) <sparr0@gmail.com> on Wednesday May 13, 2009 @04:54PM (#27943733) Homepage Journal

    I have never seen that enforced, and only twice ever as the default setting. It is a client-side configuration option in most VPN software (Cisco, SecuRemote, most Linux VPN clients).

    You want VPN users to stream video or download game patches or do other non-business-related bandwidth intensive operations over the VPN, when they have a perfectly (ha!) good internet connection locally? I hope you have a REALLY big network pipe.

  • by Big Boss ( 7354 ) on Wednesday May 13, 2009 @05:42PM (#27944511)

    SSH tunnels get around that without difficulty. If you know the address, it's as simple as assigning local port 2222 to 10.1.0.100:22 and you can now SSH to that machine by connecting to localhost:2222. Get a SOCKS capable SSH client, and you don't need to set up the tunnel for each connection.

  • by Medievalist ( 16032 ) on Wednesday May 13, 2009 @05:48PM (#27944583)

    Large ISPs typically provide an opt-out on their sponsored links page that immediately opts you out of the DNS redirection, but I've noticed that some smaller ISPs and CLECs have opt-out links that don't actually appear to do anything. I don't have a good solution for employees using these ISPs, and our employees are getting frustrated because the problem is becoming more prevalent and we can't fix it for them. I've tried calling a few of these smaller ISPs for help, but it's been like talking to a wall.

    That's not limited to small ISPs. Verizon FiOS, for example:

    "Oh, sure, we will let you opt out - just click on the link that shows your router"
    BROKEN LINK
    Hmmm, guess I will click on a similar router...
    THEY ARE ALL BAD LINKS
    Gee, I guess I will click on the "change OS settings" link then...
    BAD LINK

    Somebody's going to point out that you can Google and find where helpful geeks have posted the instructions to opt-out without Verizon's assistance. But that's not the point, really, is it? Verizon had working opt-out links exactly long enough to get a favorable review in Consumer Reports, and then it all mysteriously broke. I cannot explain this coincidence, personally, you will have to come to your own conclusions.

  • Fix dnsmasq + level3 (Score:2, Informative)

    by asdfndsagse ( 1528701 ) on Wednesday May 13, 2009 @09:23PM (#27946529)

    dnsmasq [thekelleys.org.uk], available in most distributions, is a lightweight DNS server that you can tell the IPs that bogus NXDomain responses send you to, and it will turn them back into what they should be. You can also point your computers to level3's free DNS service at 4.2.2.3, 4.2.2.4, 4.2.2.5, 4.2.2.6
