Road Runner’s DNS wildcard
Now that I’m back home for winter break, I’m connected to the ‘net via Road Runner.
It seems that the ISP has taken to catching URL typos and redirecting customers to pages littered with sponsored ads and unhelpful search results. The “service” is named NXD, short for “non-existing domain landing service.”
Here’s a mirror of what it looks like when I try to access a site that doesn’t exist. (You can also access the live page hosted by Road Runner and fiddle with the origURL parameter to see what sort of results pop up for URLs you seek.) From the FAQ,
Road Runner has enabled a service to redirect web address errors to a helpful search page. You entered an unknown name that Road Runner used to present site suggestions that you may find useful. Clicking any of these suggestions provides you with Yahoo! search results, which may include relevant sponsored links
You may remember that VeriSign did this in 2003, redirecting all bad .com and .net URLs to Site Finder, a now-defunct web portal which was also riddled with ads, allowing VeriSign to profit from hundreds of millions of typos and dead links hit each day. Thanks to outcry against the change, the wildcard DNS entry lasted fewer than 3 weeks — entirely too long, to be sure. While Site Finder could not be opted out of without blocking its domain outright, NXD is at least opt-out.
It offends me that Road Runner is trying to profit off of its customers’ typos, especially at the risk of breaking customers’ software that relies on getting an NXDOMAIN response for a name that does not exist. It’s nice for a service like NXD or OpenDNS to offer typo correction, but only if the service is opt-in.
Fun with Unverified Preferences
At the very bottom of the search results there is a tiny link which takes you to a preferences page. On it, you can enable or disable the individual components of NXD:
- Web Address Error Redirect Service: This preference allows you to opt in or out of Road Runner’s non-existing domain landing service.
- Typo Correction Service: This preference allows you to opt in or out of the Typo Correction Service. This service will automatically fix many common typos in web addresses (for example: ww to www and .cmo to .com). If you enter a non-existent web address, and this service is able to typo-correct your domain to a valid web address, you will be taken there automatically.
- Safe Search Filter: This preference allows you to restrict adult-oriented content from search results on the non-existing domain landing service.
Here’s the fun part: When enabling or disabling any of these “features,” a GET request is made to the script http://ww23.rr.com/prefs_confirmation.php. If you’re opting out of the redirect service, the parameters are optout (either yes or no) followed by subscriberID, the doubly-URL-encoded MAC address of the customer’s cable modem (e.g., 00%253A13%253A11%253A00%253A00%253A00).
Road Runner does not seem to do any sort of verification that the subscriber ID belongs to the user who is changing the setting; if I handed you the appropriate link, you could opt me in or out of the service. This could have dangerous side effects, such as disrupting the software that relies on NXDOMAIN responses I mentioned earlier.
Why stop at attacking just me, though? If we (wrongly) assume that all Road Runner customers have the same modem that I do (and therefore the same MAC vendor code), there are only 16,777,216 possible unique subscriber IDs. It would probably take less than an hour for a script to turn the service off for everyone, or turn it back on for the people who had already disabled it.
If the subscriber ID has a double quote in it, you get an error message, suggesting there might be SQL injection risks to boot.
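To make the problem concrete, here is an added example (my own code, not anything from Road Runner’s pages) that builds the prefs_confirmation.php request exactly as described above, with the doubly-URL-encoded MAC address, walks the 24-bit device space under one OUI, and models the server side two ways: a handler that trusts the client-supplied subscriberID the way the post observed, and a hypothetical fixed handler that ignores that parameter and uses the subscriber already tied to the requesting connection. The MAC addresses are constructed; the OUI 00:13:11 is taken from the post’s example.

```python
import urllib.parse

# Endpoint and parameter names exactly as the post describes them.
PREFS_URL = "http://ww23.rr.com/prefs_confirmation.php"
OUI_SPACE = 1 << 24  # 24 vendor-assigned bits per OUI: 16,777,216 MAC addresses


def encode_subscriber_id(mac: str) -> str:
    """Double-URL-encode a MAC address, the form the post reports for subscriberID.

    '00:13:11:00:00:00' -> '00%253A13%253A11%253A00%253A00%253A00'
    (':' becomes '%3A' on the first pass, then '%' becomes '%25' on the second).
    """
    once = urllib.parse.quote(mac, safe="")
    return urllib.parse.quote(once, safe="")


def decode_subscriber_id(encoded: str) -> str:
    """Undo both layers of encoding (a second unquote on a plain MAC is a no-op)."""
    return urllib.parse.unquote(urllib.parse.unquote(encoded))


def optout_url(mac: str, optout: bool) -> str:
    """Build the GET request the preferences page issues for the redirect service."""
    query = f"optout={'yes' if optout else 'no'}&subscriberID={encode_subscriber_id(mac)}"
    return f"{PREFS_URL}?{query}"


def params_from_url(url: str) -> dict:
    """Parse the query string into single-valued parameters, as a web server would
    (this removes one layer of URL encoding)."""
    query = urllib.parse.urlsplit(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query).items()}


def mac_from_index(oui: str, n: int) -> str:
    """The n-th MAC address under a given OUI such as '00:13:11', n in [0, OUI_SPACE)."""
    if not 0 <= n < OUI_SPACE:
        raise ValueError("index outside the 24-bit device space")
    return f"{oui}:{(n >> 16) & 0xFF:02x}:{(n >> 8) & 0xFF:02x}:{n & 0xFF:02x}"


def subscriber_ids_for_oui(oui: str):
    """Every subscriberID an attacker would have to try under one OUI, as the post sketches."""
    for n in range(OUI_SPACE):
        yield mac_from_index(oui, n)


# --- Two server-side models. Both are hypothetical, not Road Runner's code. ---

def handle_prefs_as_described(params: dict, prefs: dict) -> str:
    """Models what the post observed: the subscriber to modify is whatever the client sent."""
    subscriber = decode_subscriber_id(params["subscriberID"])
    prefs[subscriber] = params["optout"]
    return f"{subscriber}: optout={params['optout']}"


def handle_prefs_bound_to_session(params: dict, prefs: dict, subscriber_of_connection: str) -> str:
    """The obvious fix: ignore any client-supplied subscriberID and use the subscriber the
    ISP has already associated with the requesting connection (hypothetical; e.g. from the
    provisioning record for the source address). The optout value is validated too."""
    choice = params.get("optout")
    if choice not in ("yes", "no"):
        raise ValueError("optout must be 'yes' or 'no'")
    prefs[subscriber_of_connection] = choice
    return f"{subscriber_of_connection}: optout={choice}"


if __name__ == "__main__":
    victim, attacker = "00:13:11:00:00:00", "00:13:11:aa:bb:cc"  # constructed addresses
    url = optout_url(victim, optout=False)  # attacker turns the victim's redirect back on
    print(url)

    prefs = {victim: "yes"}  # victim had opted out
    print(handle_prefs_as_described(params_from_url(url), prefs))
    print("victim still opted out (as described):", prefs[victim] == "yes")

    prefs = {victim: "yes"}
    print(handle_prefs_bound_to_session(params_from_url(url), prefs, attacker))
    print("victim still opted out (bound to session):", prefs[victim] == "yes")

    print(f"{OUI_SPACE:,} IDs under one OUI; first is {mac_from_index('00:13:11', 0)}")
```

Run it and the first handler flips the victim’s preference from a URL anyone can type, while the second only ever changes the record of whoever actually sent the request; that binding, not a secret parameter, is what the preferences script was missing.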
You Can Has Cookies
As an update to the above, it seems that the service also makes use of cookies:
- MAC contains the Base64-encoded MAC address of the modem.
- LASTIP contains the Base64-encoded IP address you had on your last visit. When issued, it is the IP address of the modem from which the request originated.
- GEOIDENTIFIER contains a Base64-encoded code that ties you to a specific geographical location, e.g. RR_43_Central New York.
- REGION is another Base64-encoded geographical indicator, e.g. Syracuse.
- COOKIEREVNUMBER (yet again Base64-encoded) indicates the data format version used in these cookies. The current version is 1.0.14.
- typocorrect is whatever was passed to the prefs_confirmation.php script via the typocorrect parameter; it’s yes or no unless you fiddled with it.
- filterAdultContent works the same way as typocorrect.
Other than the last two, I can’t see any place where these cookies are actually used. It’s very likely that your queries are logged to a database somewhere. Changing the values, however, doesn’t seem to perturb the script at all; it just reissues the correct values. It’s likely that it gets this information based on the MAC address of your modem.
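As an added example (my own code, not Road Runner’s), here is a decoder for the cookie jar described above. It takes a Cookie header, Base64-decodes the five encoded cookies, passes the two plain ones through, and summarises what an observer of the jar learns about the subscriber, with malformed values reported as None instead of crashing. The sample values are constructed in the shapes the post lists (the IP is from a documentation range); nothing here was captured from a live session.

```python
import base64
import binascii
import ipaddress
import re
from http.cookies import SimpleCookie

# Cookie names from the post; the first five are Base64-encoded, the last two are plain yes/no.
BASE64_COOKIES = ("MAC", "LASTIP", "GEOIDENTIFIER", "REGION", "COOKIEREVNUMBER")
PLAIN_COOKIES = ("typocorrect", "filterAdultContent")
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")

# Constructed values in the shapes the post lists; not from a real session.
SAMPLE = {
    "MAC": "00:13:11:00:00:00",
    "LASTIP": "198.51.100.23",
    "GEOIDENTIFIER": "RR_43_Central New York",
    "REGION": "Syracuse",
    "COOKIEREVNUMBER": "1.0.14",
    "typocorrect": "yes",
    "filterAdultContent": "no",
}


def build_cookie_header(values: dict) -> str:
    """Assemble a Cookie: header the way the service's responses would leave it in a browser."""
    parts = []
    for name, value in values.items():
        if name in BASE64_COOKIES:
            value = base64.b64encode(value.encode("ascii")).decode("ascii")
        parts.append(f"{name}={value}")
    return "; ".join(parts)


def decode_nxd_cookies(cookie_header: str) -> dict:
    """Decode the NXD cookies into readable values; anything that is not valid Base64
    (or not ASCII once decoded) comes back as None. Unrelated cookies are ignored."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    decoded = {}
    for name, morsel in jar.items():
        if name in BASE64_COOKIES:
            try:
                decoded[name] = base64.b64decode(morsel.value, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                decoded[name] = None
        elif name in PLAIN_COOKIES:
            decoded[name] = morsel.value
    return decoded


def profile_from_cookies(cookie_header: str) -> dict:
    """What someone holding the jar learns: modem MAC, last public address and location.
    The MAC and IP are sanity-checked so garbage cannot masquerade as data."""
    d = decode_nxd_cookies(cookie_header)
    mac = d.get("MAC")
    ip = d.get("LASTIP")
    try:
        ip = str(ipaddress.ip_address(ip)) if ip else None
    except ValueError:
        ip = None
    return {
        "modem_mac": mac if mac and MAC_RE.match(mac) else None,
        "last_ip": ip,
        "location": (d.get("GEOIDENTIFIER"), d.get("REGION")),
        "cookie_format": d.get("COOKIEREVNUMBER"),
        "typo_correction_on": d.get("typocorrect") == "yes",
        "safe_search_on": d.get("filterAdultContent") == "yes",
    }


if __name__ == "__main__":
    header = build_cookie_header(SAMPLE)
    print(header)
    for key, value in profile_from_cookies(header).items():
        print(f"{key:>20}: {value}")
```

The point of the profile step is the one made in the post: whoever can read or replay these cookies gets the modem’s hardware address, the subscriber’s last public IP and a city-level location, none of which the browser had any reason to carry around in the clear.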
So, if you’ve got some way of fiddling with the MAC address of your cable modem, you could alter the attack I described above to request the preferences page for every customer. Not only would you be able to tell if they had opted out of the redirect service, but you’d get their geographical location too. (Obviously, this is a bad idea, since you could potentially disrupt Road Runner’s ability to route packets, causing who knows what kind of hell.)
December 17th, 2007 at 10:55 am
Yikes! Scary stuff. Nice writeup.
December 29th, 2007 at 2:48 am
Good catch, as usual, Ryan.
I use OpenDNS religiously. The difference with them is, like you said, it’s entirely opt-in. Moreover, the ads are unobtrusive on the right-hand side. They don’t take up the whole screen, as in this case. You may be interested to know that “do no evil” Google is engaged in the very same practice as Road Runner in partnership with various PC makers like Dell and Gateway. Simply search for “google+afe” and read a plethora of material on the subject. Google doesn’t even have an opt-out process — unless you count a cumbersome uninstall process as one. So, at least Road Runner does have an opt-out. That’s some consolation.
Cheers, Doug
January 2nd, 2008 at 10:30 pm
I was going through some old bookmarks and a few of them went to ww23.rr.com. I figured if they were dead I’d get an error or perhaps a domain parking site. I spent 20 minutes online with RR’s online chat help. I asked point blank “is road runner dns redirecting?” the guy disappears for 2 minutes, says try it with http://www..com and it works…but DID NOT answer the direct question. I googled the issue and came here. I’ll opt myself out of this horrendous idea. I can’t believe they don’t want to make it easy to opt out!
February 3rd, 2008 at 1:21 pm
This just happened to me, too, out of nowhere. After several months of service with this not happening. Weird.
February 6th, 2008 at 10:15 am
I noticed this morning. Opted out. Fortunately googling “road runner site finder” brought me to your well written writeup.
TW/RR sent me a flyer a month ago about a privacy policy. I don’t believe it mentioned this. Evil.
February 6th, 2008 at 10:10 pm
So this is happening to me, there is an opt out but it does NOT work when being used through a non-Time Warner router. I spent 2 hours on the phone with support explaining it to every level of support. Eventually it was “escalated” because nobody really understood what is happening or how it’s possible.
What I found is the following, when I disconnect the router and run it straight to my PC then restart the TWC router it goes away immediately, with all the same info. As soon as I hooked up my router bam, it started happening again. I first think, is my router somehow infected with something? The answer is NO, after hooking up a different router I was able to achieve the SAME results.
After being told by TWC support what make and model router I had (couple levels up in their tech group) something hit me. TWC must be intentionally changing the routing on only routers that they don’t provide. There aren’t too many other possibilities in this situation.
February 8th, 2008 at 9:08 pm
Ryan- Very thorough analysis, man!
I Googled this issue and found your post then, posted my own annoyances on my blog.
It doesn’t surprise me to see that some folks at TWCTelecom Googled and visited my blog then, yours.
I wonder if anyone has figured out a way around this. How tough would it be to change the MAC address of the router to a range that is recognized?
Why is TWC even messing with this? MORE revenue? You gotta be kidding me!
February 15th, 2008 at 9:29 pm
Same issue just started for me. Found this via google. And I can confirm the opt out doesn’t work with a third party router. You have to plug directly into the modem. Stuff like this makes me so angry. I’m going to start my own Internet.
February 22nd, 2008 at 5:44 pm
Happened to Charlotte, NC today. I have noticed two other changes over the past few days as well…my download speeds (overall) have dropped drastically (and we have the premium service). Also, Bittorrent (legal torrents) used to average 250-400kB/s, now I get 100kB/s if lucky.
After 2 years of decent service and almost zero outages, we have had 3 outages over 2 hrs each (many more smaller ones) over the past 5 days. I don’t see where any of this would warrant so many outages all of the sudden, but, at $60/month for this new CRAP service, we won’t be with Time Warner much longer.
I am a network Analyst by trade, 14 years now, I will definitely be looking into this more to see just what all is in play.
(Yes, I found you when Googling these problems as everyone else did)
February 23rd, 2008 at 5:02 pm
Wow, this was very helpful, thanks. I had many DNS issues with this and did not notice the tiny link at the lower right of the page. This blog saved me
February 26th, 2008 at 4:10 pm
Perhaps it’s not based on the cable modem MAC address, but based on the MAC address of the device hooked to the cable modem.
February 27th, 2008 at 10:35 pm
I avoid this by running my own DNS named server on one of my Linux machines on my LAN — bypasses TWC’s servers completely and is a lot faster in name resolution.
Why rely on TWC at all?
Jeff G.
February 28th, 2008 at 11:41 am
Some country domain names are also redirected to 24.28.199.152 for no good reason when “non existent domain” is turned on. For example,
Non-authoritative answer:
Name: http://www.lanacion.com.ar.socal.rr.com
Address: 24.28.199.152
Ok, so they messed up some country domain names. However,
Non-authoritative answer:
Name: http://www.cnn.com.socal.rr.com
Address: 24.28.199.152
Other sites were also being redirected to 24.28.199.152 (mail.google.com was not). What is that all about? After turning bad domain redirection off,
Non-authoritative answer:
Name: http://www.cnn.com
Addresses: 64.236.91.21, 64.236.91.22, 64.236.91.23, 64.236.91.24, 64.236.16.20, 64.236.16.52, 64.236.24.12, 64.236.29.120
February 28th, 2008 at 9:30 pm
@Hmmm
Why are you nslookup-ing against a URL with the “http://” included? This is not how DNS works. Because you’re providing invalid hostnames, your DNS client is automatically appending the default domain in your network settings. Any nslookup against such a malformed query will trigger an NXDOMAIN response and thus trigger the software.
February 28th, 2008 at 10:49 pm
@Tony: that’s how those were formatted after I pasted in the test, the lookups were done by doing “nslookup http://www.cnn.com“, for example.
The above, of course, is meant to read www dot cnn dot com.
February 29th, 2008 at 4:51 pm
@Hmm
Your test is invalid then, try this:
nslookup http://www.cnn.com <- should resolve
then try
nslookup http://www.cnn.cmo <- normal DNS returns an NXDOMAIN (nonexistent domain), the TWC app will return either a CNAME or an A record with IP address of server that includes ads.
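Tony’s two-lookup test can be scripted so that it does not depend on guessing a typo that happens to be unregistered. The added example below (not part of the thread) resolves random names that cannot exist and reports whether the resolver answers NXDOMAIN, as it should, or hands back one landing address for all of them; it also runs the www.cnn.com / www.cnn.cmo comparison. The resolver is passed in as a function so the logic can be exercised offline against two fakes, one honest and one behaving like NXD; the landing address 24.28.199.152 and the cnn.com addresses are the ones quoted earlier in the thread.

```python
import secrets
import socket
from typing import Callable, Iterable, List, Optional, Set

# A resolver maps a name to its A records and raises socket.gaierror on NXDOMAIN.
Resolver = Callable[[str], List[str]]

LANDING = "24.28.199.152"  # landing address quoted in the comment above


def system_resolver(name: str) -> List[str]:
    """The stub resolver this machine is configured with (what the browser uses)."""
    return socket.gethostbyname_ex(name)[2]


def probe_names(count: int = 3, zone: str = "com") -> List[str]:
    """Names that do not exist: 16 random hex digits under a real TLD."""
    return [f"nxd-probe-{secrets.token_hex(8)}.{zone}" for _ in range(count)]


def wildcard_addresses(resolve: Resolver, probes: Iterable[str]) -> Optional[Set[str]]:
    """Return the address set that every non-existent probe resolved to, or None if the
    resolver returned NXDOMAIN for any of them (no blanket wildcard is in play)."""
    answers = []
    for name in probes:
        try:
            answers.append(set(resolve(name)))
        except socket.gaierror:
            return None
    if not answers:
        return None
    common = set.intersection(*answers)
    return common or None


def typo_redirect_target(resolve: Resolver, real: str, typo: str) -> Optional[str]:
    """Tony's test: the real name resolves to its own addresses and the typo should fail.
    If the typo resolves to an address the real name does not have, that is the landing
    server. Returns one such address, or None when the resolver behaves normally."""
    good = set(resolve(real))
    try:
        bad = set(resolve(typo))
    except socket.gaierror:
        return None
    extra = bad - good
    return sorted(extra)[0] if extra else None


# --- Offline stand-ins so the checks can be run without a network. ---

def fake_honest_resolver(name: str) -> List[str]:
    """An unmodified resolver: one known host (addresses from the thread), NXDOMAIN otherwise."""
    table = {"www.cnn.com": ["64.236.91.21", "64.236.91.22"]}
    if name in table:
        return table[name]
    raise socket.gaierror(-2, "Name or service not known")


def fake_wildcard_resolver(name: str) -> List[str]:
    """Behaves like the NXD service: known names are fine, everything else is the landing page."""
    try:
        return fake_honest_resolver(name)
    except socket.gaierror:
        return [LANDING]


if __name__ == "__main__":
    for label, resolver in (("honest fake", fake_honest_resolver),
                            ("wildcard fake", fake_wildcard_resolver),
                            ("this machine", system_resolver)):
        hit = wildcard_addresses(resolver, probe_names())
        target = typo_redirect_target(resolver, "www.cnn.com", "www.cnn.cmo")
        print(f"{label:>14}: wildcard={hit or 'none'}  typo redirect={target or 'none'}")
```

Against a clean resolver both checks report none; against a resolver doing what the thread describes, the random probes all land on the same address and the typo resolves to it as well.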
February 29th, 2008 at 6:54 pm
okay now I get it. Way to go auto-formatting.
March 10th, 2008 at 5:53 pm
TWC has finally resolved the issue with non-TWC routers.
They wouldn’t explain how, or what they did but you can now opt out on a computer running through a router and it will work. It only took them a month to resolve but it’s fixed.
Now I wonder if you can turn other peoples back on and off without having to be them still.
March 12th, 2008 at 9:02 am
[...] turns out my ISP, Road Runner, has started using a DNS wildcard, which Road Runner is variously calling their “web address error redirect service”, or [...]
March 12th, 2008 at 11:51 pm
The question I have, Does this mean that RR has made agreements with NSA to record and track our usage? this Invasion is outrageous! I also suspect this is done to slow down video streams, speeds, torrents. something that brighthouse/TWC has determined detrimental to their profit & sale plan.
What’s next? Do I have to get permission to access service I pay for? Brighthouse/TWC must want mega bucks for micro usage. Damn them!
March 13th, 2008 at 2:15 am
Good page, I found this through a google search. I went on vacation and when I came home, I pointed my browser to http://www.bmwmotorcycles.com and road runner redirected my page! I think I’m going to dump Road Runner!
April 23rd, 2008 at 4:42 am
Here’s more creepiness for you.
I was unable access GOOGLE just now - and the RR page came up! What’s that about? I saved a screen shot - let me know how to post it.
Just before that I was working on a SECURE site, clicked a link and got the RR page. A link, not a typed in address. I was freaked out so I logged out. Then I restarted by browser and tried Google. Do I need to get my tin hat out?
I just opted out of their ’service’ too, but will it work? If I was an advertiser I’d be furious. Thanks for this site!
May 1st, 2008 at 10:35 pm
I have started experiencing a lot of DNS errors with my Time-Warner cable modem lately. It happens whether or not I have my wireless router in the system. It happens on my desktop running XP, my notebook on Vista, and my kids’ iMac with Leopard. Doing an ipconfig /dnsflush seems to get things working, but only for a little while. I usually just get an “IE cannot display the webpage” or “The address is not valid” error. I don’t see the messages you have talked about (and I’m typing in the correct addresses, not incorrect ones). Hitting refresh sometimes works and sometimes doesn’t. I think that TWC has some big DNS problems.
May 5th, 2008 at 2:45 pm
I am seeing the same problems as MathP with Roadrunner. I have a desktop with XP and a laptop with Vista. It is driving me crazy. The difference is I do get the Roadrunner error page on occasion. It seems I am getting lots of “down time” with Roadrunner and every time I have a problem they can only offer to send a technician out. I thought it was a virus or malware and spent hours running scans, checking this and that. What a waste of time! They seem to be having a few problems.
May 11th, 2008 at 7:43 pm
I never noticed this before, but then some sites were working and others weren’t. Finally, I knew something was crazy when I got this “Sorry, we couldn’t find http://www.amazon.com” I took a screen shot and then searched and found this post. Thanks. I might as well route my dns through the chinese government’s dns (what is that address again) Well I guess not but at least they won’t try to control my purchasing habits. I am switching to openDNS for now though.