Derek Arnold

Many ISPs are doing terrible things to skim more money off their subscribers.  NXDOMAIN hijacking is one of these things.  The latest one that I’ve encountered now isn’t something I’ve seen documented online, except in a forum post from a couple of days ago I stumbled upon.

Before I explain what the issue is, I need to give a small rundown in part of how web servers work.

When you go to a website, they return a status code for the page you tried to access.  This is a gross simplification, but a 200 means the page was found, and a 404 means it was not found.  In either case, the correct thing for your browser to do is to show you the page the server sent to you.  Seems simple enough, right?

Mediacom decided hijacking unregistered domains and breaking DNS wasn’t enough, so they are now doing packet inspection and injection.  Instead of simply passing along the traffic sent by servers, which is what a good ISP does, they are trapping for 404 status replies and instead sending you a page purporting to be from the server you contacted, which consists of this javascript:

<HTML><script>window.location='http://assist.mediacomcable.com/mediacomassist_pnf/dnsassist/main/?domain='+escape(window.location);</script><body>The Search Guide redirection service has been enabled to provide helpful searches from browser queries. You entered a non-existent url and your browser attempted to redirect you with Javascript. To enable this please update your browser preferences. <a href='http://search.mediacomcable.com/prefs.php'>To turn off this feature please click this here</a></body></HTML>

What this does is tell your browser to change the page to the search page Mediacom set up so they can make more money from advertising.  I don’t even know if this is legal.  It’s definitely ethically wrong.

If you’re wondering what the big deal is, think of it this way:  Your ISP has the ability (which it always had) to perform inspections of your internet traffic.  Now, instead of merely viewing it, they are blocking replies from legitimate servers and sending you their own page.  Who cares, right?

What if they decided to do the same for the address of an article on your favorite newspaper that happened to be critical of Mediacom?  Perhaps if an employee injected their own advertisements over legitimate advertisers paying your local newspaper to have their ads shown on their website, this might make you feel a little more uneasy.

You probably don’t have Mediacom as your ISP, but this sort of thing spreads like a venereal disease once other ISPs hear about it.  You can blast text into this form to let them know what kind of bastards they are.