For the past several months Christian Kreibich and Nicholas Weaver over at the International Computer Science Institute in Berkeley, California, have been tracking a laundry list of ISPs to confirm what they thought to be true: that the ISPs are intercepting customers’ search queries and surreptitiously redirecting them to advertiser or affiliate links. What’s being alleged is that when the ISP customer types something into his or her own browser address bar, instead of making a DNS request or sending the traffic to the browser-configured search provider, the ISP decides which page the customer is taken to and just sends them there. Last week New Scientist magazine broke the story about the findings and caused a stir across the Internet, which has also prompted Congress to take a look, potentially calling some of these ISPs and bad actors in front of the new Congressional Subcommittee on Privacy, Technology and the Law.

Keyword redirection is something new we’ve not seen before, and it’s particularly pernicious, but the practice of ISPs somehow trying to shake more nickels out of their customers is certainly not new. It’s happened before here and here. There are some technical similarities to what we do and what these ISPs are doing, though our methods and motives could not be more different. One of the most important differences relates to choice — everyone chooses to use OpenDNS but most people, if they are lucky enough to have access to broadband at all, only have one choice of ISP.

Our goal at OpenDNS is to help protect people from exactly this kind of security and privacy violation, be it from a malicious hacker or even your ISP. In fact, one of the great ironies in this saga is that while we have never done the things the ISPs are being accused of, we did pioneer some of the techniques that ISPs are using to accomplish this redirection. That doesn’t make us very happy.

Everything we do at OpenDNS has been with our users’ best interests in mind. We’ve always operated an opt-in service with the sole aim of making you thrilled about using it. Using OpenDNS provides you a healthy level of insulation and privacy between you and your ISP. In the case of the newly-found keyword redirection, switching to OpenDNS empowers you to regain control over your address bar. With OpenDNS enabled, the ISP-controlled keyword redirection stops happening and your address bar searches go back to taking you where you want them to.

I fear the keyword redirection the ISPs are being accused of doing is only the beginning, as we’re seeing more and more evidence of ISPs doing things (that most would agree) they shouldn’t be doing. Even if you use OpenDNS and the ISP keyword redirection fails, it’s unclear whether ISPs are still able to sniff your traffic and create a profile about your Internet use – a blatant privacy offense. The idea of anyone, including your ISP, spying on your traffic raises serious security and privacy concerns. We fully intend to follow this closely and continue to help you do something about it.

You can be sure we will respond by delivering even stronger solutions that protect your security, privacy and ability to use the Internet unencumbered anywhere in the world, on any device, at any time.

  • Stewart T

    After all I’ve read about this in the last few days, I’m a bit worried about privacy when web surfing from home. This blog post does make me feel a little better. But I have a few questions about how this relates to OpenDNS services:

    Will the OpenDNS use of DNSSEC help to prevent ISPs from filtering and redirecting our searches?

    Can I set up DNSSEC from my Linux router? (I know it can be done, but can I secure DNS queries to OpenDNS?)

    And more importantly…

    I’m more concerned about general man-in-the-middle attacks on SSL encrypted traffic. Can OpenDNS help to prevent phony SSL trust? If so, would DNSSEC be the way to go?

    Hopefully this is the right place for my questions. If not I’ll post these to your forum or query the support team.

    Thx

  • David Ulevitch, Founder/CEO (http://www.opendns.com)

    Stewart —

    Great questions. We don’t yet support DNSSEC, but when we do, you won’t have to do anything on your end, it’ll just be enabled. Unfortunately, it may not help in the case that we’ve described above regarding what the ISPs are being accused of.

    As for HTTP man-in-the-middle attacks, I think you are right to be concerned, as are we. SSL helps but isn’t the complete solution. DNSSEC isn’t either.

    Only true end-to-end encryption for everything is the solution, which involves DNSSEC and SSL (or some kind of VPN). As a stopgap, having a safe on-ramp to the Internet would help fight some of these battles.

  • Rich (https://encrypted.google.com/)

    https://encrypted.google.com/

    Couldn’t the above be used to defeat this search tracking!?

  • Steve

    I read about the issue at EFF.com http://goo.gl/b6zSV and ran some testing they recommended.

    The EFF article also included a link to a Google forum at http://goo.gl/sthSP which suggested running an nslookup on Google.com and then doing a reverse whois lookup on the IP address. In my case, the nslookup gave 67.215.65.132 and the whois gave hit-nxdomain.opendns.com. The Google article said that it should resolve back to Google.com.

    Does this mean that searches through Google are being hijacked?

  • David Ulevitch, Founder/CEO (http://www.opendns.com)

    Rich — Absolutely. That’ll work for Google. But it doesn’t help against someone spying on other non-HTTPS traffic. It also doesn’t stop a rogue country, person or ISP from generating a fake SSL cert. Seem unlikely? Unfortunately it isn’t: http://thenextweb.com/microsoft/2011/03/23/9-fake-ssl-certificates-loose-in-the-wild-microsoft-claims/

    DANE + DNSSEC + SSL would help with the rogue SSL cert issue: http://tools.ietf.org/html/draft-ietf-dane-protocol-09

  • David Ulevitch, Founder/CEO (http://www.opendns.com)

    Steve — That should not be happening.

    nslookup is kind of a crummy tool. When you use it, make sure you check “google.com.” and not “google.com” — note the trailing dot on the domain.

    If that doesn’t work for you, feel free to contact our support and they’ll try to help you out.

  • Michael

    Wait until one day where ISPs could start blocking the DNS port at the ISP level like some do with SMTP and force you to use them for your DNS lookup. We’ll be in trouble then.

  • David Ulevitch, Founder/CEO (http://www.opendns.com)

    @Michael — ISPs have tried and failed to do this. Technology and lawyers tend to get in the way of this happening. And actions like what they are being accused of now will make any attempt to restrict choice in DNS even harder.

  • Steve

    @David Ulevitch; adding the ‘.’ at the end of google.com. cleared up the discrepancy in the nslookup. Thank you for the quick response and for providing this service.

  • PatentMike

    I don’t think this will last long. For commercial entities, this conduct seems to violate unfair competition and trademark laws. This is intentionally misleading consumers as to the source of goods and/or services.

    From the standpoint of laws and regulations, OpenDNS should be fine as long as Congress doesn’t try to create some “new” solution to what is actually an old problem.

    PatentMike
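
The nslookup exchange between Steve and David above, as an added example (not code from OpenDNS or the commenters): a name typed without a trailing dot can have a local search suffix appended first, and a resolver that answers nonexistent names with an address instead of NXDOMAIN then returns that address for the suffixed name. The search-first ordering, the `home.lan` suffix, the two stand-in resolvers and the 192.0.2.10 address are assumptions constructed for illustration.

```python
import socket
import uuid

REDIRECT_IP = "67.215.65.132"  # address Steve reported (hit-nxdomain.opendns.com)

def candidates(name, search):
    """Names tried, in order. Assumed model: suffixes first unless dot-terminated."""
    if name.endswith("."):
        return [name]  # absolute name: the search list is never applied
    return [f"{name}.{s.strip('.')}." for s in search] + [name + "."]

def first_answer(name, search, resolve):
    """(queried_name, ip) for the first candidate that gets any answer."""
    for query in candidates(name, search):
        ip = resolve(query)
        if ip is not None:
            return query, ip
    return None, None

def rewrites_nxdomain(resolve, probes=3):
    """True if random names under the reserved .invalid TLD still get an address."""
    return all(resolve(f"{uuid.uuid4().hex}.invalid.") is not None
               for _ in range(probes))

def system_resolve(fqdn):
    """Ask the configured resolver; None means no address was returned."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None

def rewriting_resolver(fqdn):
    """Constructed stand-in: unknown names get the redirect IP instead of NXDOMAIN."""
    known = {"google.com.": "192.0.2.10"}  # constructed; 192.0.2.0/24 is doc space
    return known.get(fqdn.lower(), REDIRECT_IP)

def honest_resolver(fqdn):
    """Constructed stand-in: unknown names get no answer (NXDOMAIN)."""
    return {"google.com.": "192.0.2.10"}.get(fqdn.lower())

if __name__ == "__main__":
    search = ["home.lan"]  # constructed search suffix
    for label, r in (("rewriting", rewriting_resolver), ("honest", honest_resolver)):
        print(label, "rewrites NXDOMAIN:", rewrites_nxdomain(r))
        print("  google.com  ->", first_answer("google.com", search, r))
        print("  google.com. ->", first_answer("google.com.", search, r))
    # Live check against your own resolver (needs network):
    # print(rewrites_nxdomain(system_resolve))
```

Passing `system_resolve` to `rewrites_nxdomain` runs the same probe against whatever resolver the machine is configured to use.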