Ars Technica recently wrote up an article ISPs hijacking DNS requests to watch web searches. A couple years ago, I discovered that any time that I punched in an invalid domain name, instead of telling me the domain name did not exist, I was redirected to a search page. The search page had an opt out feature, but it reset after a few hours. I wrote a script to automatically opt myself out every few hours, but it was ineffective. When I called CenturyLink (my ISP) about this problem, they first denied it. After arguing with the representative for a while, he eventually informed me that this was how the feature was supposed to work. I asked him how that could be useful if the opt out really wasn’t an opt out. He didn’t have an answer. Eventually I opted to use alternative DNS. However, one solution for those of us running DD-WRT on our routers is to add additional DNSMasq options. While OpenDNS does honor opt outs, I still add the IP addresses they use to my configuration.
Before adding anything, pinging an invalid domain shows:
ping garbage.invalidtld PING garbage.invalidtld (18.104.22.168) 56(84) bytes of data. 64 bytes from hit-nxdomain.opendns.com (22.214.171.124): icmp_req=1 ttl=56 time=54.4 ms
I went into the Services page of DD-WRT and added the following to the “Additional DNSMasq Options” section:
Now the same command returns the proper response:
ping garbage.invalidtld ping: unknown host garbage.invalidtld
I could have applied the same method to filter CenturyLink’s DNS responses, but I have been happier with OpenDNS and decided not to switch back.