Dealing With ISPs That Use NXDomain Redirection?
Vrtigo1 writes "I work for a small company that has about 50 staff on the road relying on VPN back to our office at any given time. Many ISPs have implemented NXDomain redirection services that hijack DNS traffic to show you sponsored links and other related ads when you mistype a domain name. These services are incompatible with most VPN software, since they prevent the computer from resolving internal hostnames. Large ISPs typically provide an opt-out on their sponsored links page that immediately opts you out of the DNS redirection, but I've noticed that some smaller ISPs and CLECs have opt-out links that don't actually appear to do anything. I don't have a good solution for employees using these ISPs, and our employees are getting frustrated because the problem is becoming more prevalent and we can't fix it for them. I've tried calling a few of these smaller ISPs for help, but it's been like talking to a wall. Manually changing DNS servers works temporarily, but the user can't resolve internal hostnames when they connect to the office LAN again. Have you had to deal with ISPs using non-standard DNS servers? What is your solution?"
Will "bad" ISPs start blocking port 53? (Score:2, Interesting)
Re:4.2.2.1 (Score:3, Interesting)
VPN does not preclude packet filtering (Score:3, Interesting)
In the case of the router vulnerability, this is something that you can control on the corporate side of things by simply not accepting packets down the VPN tunnel that don't come from the IP address that's the far endpoint of that tunnel. I'm not a VPN expert, but I would be surprised if this isn't how your VPN is configured by default.
You can also filter packets on the receiving end of the VPN. That's how I configured our firewall at work. The VPN tunnel simply looks like another network interface to our firewall, so I apply a slightly less restrictive set of rules to that connection than I do to the default external interface. Giving someone keys to your network just because they are an authenticated VPN user is not a very good idea.
My main complaint with DNS tampering is the outright DNS hijacking that Sprint does with their AirCard (EVDO) service. You can't even query a different DNS server-- your packets are intercepted and redirected to Sprint's own DNS. Unfortunately, their records are often out-of-date as it appears that they also manipulate TTLs to keep the churn down on their servers. It's a real problem when you're relying on something like an AirCard for doing things like network penetration testing.
Re:could someone explain what the issue is here? (Score:3, Interesting)
Machines that connect through a VPN client are only behind your firewall some of the time. They cannot be trusted to be virus free. The firewall needs to keep them, the LAN clients and the servers separate anyway.
Another point is that if the machine has been infected, that means that the software on it has been altered. The VPN client software is not immune to this. You may THINK split tunneling is disabled, but are you sure?
There may be other issues as well. If you WANT people to come in through their personal machines after hours, they may well object to having their routing hijacked and their personal internet traffic (during their personal time at home) snooped and limited by a corporate firewall.
In a related issue, let's just say there are some perfectly legal things employees do on their own time at home that their employer is really better off not knowing about and might prefer not to be connected with.
easy solution (Score:1, Interesting)
How about a good old-fashioned hosts file for internal names. If your machine names are changing frequently you can update it with a login script. Besides that, set up your own DNS server and have them hit that. Fighting with the ISP is a fruitless exercise. I don't think they are going to change the whole thing just for you, but I think it's good that you posted this because if more and more admins just refuse to use the ISP's DNS maybe they will stop. Taken to the extreme, if more and more home users get too many unwanted ads, then this will be good for third-party DNS servers that charge a small fee.
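A login-script version of the hosts-file approach from the comment above, as an added example written for this page (not the commenter's own code). The marker comments, the internal host list and the file locations are assumptions. It keeps exactly one managed block in the local hosts file and replaces that block on every run, so renamed or retired hosts do not linger, and it refuses entries that are not well-formed hostname/IP pairs, so a corrupted or tampered host list cannot write arbitrary lines into a file the resolver trusts.

```python
"""Maintain a managed block of internal hostnames in the local hosts file.

Added example for this page, not the commenter's code.  The marker lines,
the host list and the file locations are assumptions; a login script would
call update_hosts_file() with the current internal host list.
"""
import ipaddress
import os
import platform
import re
from pathlib import Path
from typing import Dict, Optional

BEGIN = "# BEGIN corp-internal (managed by login script, do not edit)"
END = "# END corp-internal"
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def hosts_path() -> Path:
    """Platform-specific location of the hosts file."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


def validate_entries(entries: Dict[str, str]) -> None:
    """Reject anything that is not a well-formed hostname -> IP pair."""
    for name, ip in entries.items():
        if len(name) > 253 or not all(_LABEL.fullmatch(label) for label in name.split(".")):
            raise ValueError(f"bad hostname: {name!r}")
        ipaddress.ip_address(ip)   # raises ValueError for anything that is not an address


def render_block(entries: Dict[str, str]) -> str:
    lines = [BEGIN] + [f"{ip}\t{name}" for name, ip in sorted(entries.items())] + [END]
    return "\n".join(lines) + "\n"


def merge_hosts(existing: str, entries: Dict[str, str]) -> str:
    """Return `existing` with exactly one managed block holding `entries`.

    A previous managed block is replaced wholesale, so renamed or retired
    hosts do not linger; text outside the markers is preserved unchanged.
    An empty entry set removes the block.
    """
    validate_entries(entries)
    out, skipping, found = [], False, False
    for line in existing.splitlines(keepends=True):
        stripped = line.rstrip("\r\n")
        if stripped == BEGIN:
            skipping, found = True, True
            if entries:
                out.append(render_block(entries))
            continue
        if skipping:
            if stripped == END:
                skipping = False
            continue
        out.append(line)
    if skipping:
        raise ValueError("unterminated managed block in hosts file")
    if not found and entries:
        if out and not out[-1].endswith("\n"):
            out.append("\n")
        out.append(render_block(entries))
    return "".join(out)


def update_hosts_file(entries: Dict[str, str], path: Optional[Path] = None) -> bool:
    """Rewrite the hosts file if the managed block changed; returns True on a write."""
    path = path or hosts_path()
    old = path.read_text()
    new = merge_hosts(old, entries)
    if new == old:
        return False
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(new)
    tmp.replace(path)   # single rename, so the resolver never reads a half-written file
    return True


if __name__ == "__main__":
    # Assumed internal hosts; a real login script would fetch these from the office.
    INTERNAL = {"intranet.corp.example": "10.1.2.3", "git.corp.example": "10.1.2.4"}
    print("hosts file updated:", update_hosts_file(INTERNAL))
```

The script has to run with rights to write a system file, and the hosts file covers only the names you list, so treat it as a fallback for the handful of internal names road warriors need rather than a replacement for the resolver the VPN pushes.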
Try using OpenDNS (Score:2, Interesting)
I suspect this is a "captive portal" issue (Score:2, Interesting)
I worked for an ISP that provided service to hotels. VPN configs were the major source of problems. We implemented a captive portal to try to smooth over issues like
SMTP rejection (SMTP-AUTH was not common, the portal provided silent redirect to local mail server)
Accountability/Abuse -- The rooms were hard-wired, and captive portal gave us some retroactive sense of what room was generating abusive traffic.
Splash-screen/terms-of-service
DNS redirection is one of the core techniques for establishing captive portals. I rather doubt that many smaller ISPs are doing the "sponsored link" DNS redirect. Maybe things have changed since I left, but I suspect there is no significant benefit and some real cost involved for sponsored redirects for all but the largest ISPs.
Most of the support calls were over VPN software. Since all traffic was redirected until the splash screen was agreed to, a small but significant segment of VPN client configs broke. I very much suspect that is the real source of the initial poster's issues.
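A resolver probe that tells the two failure modes in this thread apart, the sponsored-link NXDOMAIN redirection from the original question and the captive-portal capture described in the comment above. This is an added example written for this page, not code from any poster. It resolves a known public name plus random labels under several domains: a clean resolver returns NXDOMAIN for the random labels, a sponsored-link redirect answers all of them with its search-page address, and a captive portal answers even the known-good name with the portal address because it captures every name until the splash page has been accepted. A second check covers the original symptom directly: whether an internal name resolves into the corporate address ranges at all. The domain names, the address ranges and the fake resolvers used for testing are assumptions.

```python
"""Probe a DNS resolver for NXDOMAIN redirection or captive-portal capture.

Added example for this page, not code from the thread.  The resolver is
passed in as a callable so the classification can be exercised offline
against canned answers; live_resolver() wraps the system stub resolver.
"""
import ipaddress
import random
import socket
import string
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

# name -> IPv4 address string, or None when the resolver reports NXDOMAIN
Resolver = Callable[[str], Optional[str]]


@dataclass
class Verdict:
    kind: str   # clean | nxdomain-redirect | captive-portal | no-resolution
    sinks: List[str] = field(default_factory=list)   # addresses the hijacked names point at


def random_label(n: int = 12) -> str:
    """A label no zone is going to contain; resolving it must yield NXDOMAIN."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def probe(resolve: Resolver, known_good: str, probe_domains: Iterable[str],
          rounds: int = 3) -> Verdict:
    """Classify the resolver behind `resolve`.

    A correct resolver answers every random label with NXDOMAIN.  An ISP doing
    sponsored-link redirection answers them all with its search page, while a
    captive portal answers even `known_good` with the portal address.
    """
    good = resolve(known_good)
    bogus = [resolve(f"{random_label()}.{d}") for d in probe_domains for _ in range(rounds)]
    sinks = sorted({ip for ip in bogus if ip is not None})
    if good is None and not sinks:
        return Verdict("no-resolution")   # port 53 blocked, or no connectivity at all
    if not sinks:
        return Verdict("clean")
    if good in sinks:
        return Verdict("captive-portal", sinks)
    return Verdict("nxdomain-redirect", sinks)


def internal_name_ok(resolve: Resolver, name: str, internal_nets: Iterable[str]) -> bool:
    """True only if `name` resolves to an address inside the corporate ranges.

    An internal name answered with the ISP's ad server, or not at all, is the
    symptom the original poster describes; run this after the VPN comes up.
    """
    ip = resolve(name)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in internal_nets)


def live_resolver(name: str) -> Optional[str]:
    """Resolve through the system stub resolver, i.e. whatever the VPN client sees."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:   # NXDOMAIN and other resolution failures
        return None


if __name__ == "__main__":
    # Assumed names and ranges; replace with your own.
    v = probe(live_resolver, "www.example.com", ["example.net", "example.org"])
    print(f"resolver verdict: {v.kind} {v.sinks}")
    print("intranet reachable by name:",
          internal_name_ok(live_resolver, "intranet.corp.example",
                           ["10.0.0.0/8", "192.168.0.0/16"]))
```

Run it once on the raw ISP connection and once with the tunnel up: a "captive-portal" verdict means the user has not cleared the splash page yet, a "nxdomain-redirect" verdict with the internal check failing is the opt-out problem from the original question, and "no-resolution" on the raw connection points at port 53 being intercepted or blocked rather than at the VPN.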