Sprint redirecting NXDOMAIN to search-error.com?

[kevinkrueger]

I just noticed that Sprint is redirecting my browser to search-error.com for NXDOMAIN results (i.e. if I enter a domain that doesn't exist).

 

Is this new? I have a few concerns about this:

 

1. The search-error.com domain is suspicious looking. I generally associate hyphenated domain names with the less savory corners of the Internet.

2. There's no Sprint branding anywhere on the page. The colors don't even match Sprint's branding. The only clue that this might be related to Sprint is that the "Customer Care" link links to Sprint customer care. Edit: I guess there's a small Sprint.com copyright message on the bottom of the page as well.

3. It uses my metered data and exposes me to advertising I didn't ask for.

4. It violates Internet standards.

5. There's no apparent way to opt out

 

Given how fishy looking the page is, I'm not entirely convinced this is Sprint's doing. My Google searches for search-error.com only turned up one Tweet where someone was complaining to Sprint about this just a few days ago.

 

I just did a whois on this domain, and it was registered on August 6. It's not even registered in Sprint's name. It's a private "Domains by Proxy" registration.

[cletus]

Try setting your DNS to the Google DNS servers https://developers.google.com/speed/public-dns/

 

or to OpenDNS

 

http://wdgfstatus.com/opendns-win7/

 

Or do you mean your phone's browser?

[Ascertion]

Are you, by chance, using a proxy server?  Sometimes proxies will redirect web pages.

[kevinkrueger]

Try setting your DNS to the Google DNS servers https://developers.google.com/speed/public-dns/

 

or to OpenDNS

 

http://wdgfstatus.com/opendns-win7/

 

Or do you mean your phone's browser?

 

Yeah, this is with Chrome on Android. I don't believe I can change the DNS servers on it without root?

 

Also, when I connected to my home wifi with my phone, Chrome stopped redirecting NXDOMAINs.

 

The fact that search-error.com mentions and links to Sprint tells me that this is somehow related to Sprint, whether or not it's Sprint's doing.

[cletus]

Yeah, this is with Chrome on Android. I don't believe I can change the DNS servers on it without root?

 

Also, when I connected to my home wifi with my phone, Chrome stopped redirecting NXDOMAINs.

 

The fact that search-error.com mentions and links to Sprint tells me that this is somehow related to Sprint, whether or not it's Sprint's doing.

Really weird. Perhaps a tower your phone is connecting to has bad DNS settings? I'd give Sprint a call as I have never heard of this outside using AT&T/TWC/Comast's DNS settings and seeing a spammy page for search results when it can't connect to a website (which is why I use the Google DNS).

[kevinkrueger]

Really weird. Perhaps a tower your phone is connecting to has bad DNS settings? I'd give Sprint a call as I have never heard of this outside using AT&T/TWC/Comast's DNS settings and seeing a spammy page for search results when it can't connect to a website (which is why I use the Google DNS).

 

Yeah, it's definitely concerning. Could it be a hack of Sprint's infrastructure?

 

I'm very curious if anyone else can reproduce this. I just tried it on my wife's phone, and got redirected to search-error.com as well. So it's not just my phone, anyway.

[snowmobiler487]

Same thing just happened for me on my iphone. It happens when on cellular connection, not on my home wifi.

[cletus]

Yeah, it's definitely concerning. Could it be a hack of Sprint's infrastructure?

 

I'm very curious if anyone else can reproduce this. I just tried it on my wife's phone, and got redirected to search-error.com as well. So it's not just my phone, anyway.

Does it happen just where you are or is it in other areas around town? If it is just where you are I am 99% sure it is just something misconfigured on Sprint's end rather than something malicious.

[mrknowitall526]

I've seen that page too. For several months actually. We have a Mifi as our home internet (no cable or DSL here) and it's come up several times when I make a typo. On several computers. I thought that it had the Sprint logo on it though..m

[kevinkrueger]

I don't like it one bit. I've seen it on multiple towers. The first time I saw it, I thought for sure I had some malware on my phone. It's such a cheap and fishy looking web page. At a minimum, Sprint should make it clearer that this page is affiliated with them, document it on their website, and offer a way to opt out (as many other ISPs which do NXDOMAIN hijacking do).

 

As further evidence of how shady this site is, the "Make this My Homepage" link at the top of it is broken. It throws a javascript exception.

 

Oddly, the Sprint copyright message and link to Sprint customer care only appear on the desktop version of the site. These links aren't visible on the mobile version. So there's NO sprint branding that I can see when viewing the mobile version of the site.

 

After looking through the page source, I found the search-help.sprint.com also goes to the same site. It seems most likely to me that some firm offered Sprint some money to redirect NXDOMAINs to this site. But if Sprint won't own up to this, it's simply open to speculation, I guess. The fact that a sprint.com subdomain goes to this site tells me that Sprint has some involvement in this.

[swintec]

 tells me that Sprint has some involvement in this.

 

no doubt they do.  this is usually done by the ISP as another revenue stream.  Although, an opt-out is usually provided for the end user but i am not sure how this could be done on a cell device / connection.

[mozamcrew]

I really hate this behavior because it really assumes that the internet begins and ends with the web. What happens when an app or other program that isn't looking for a webpage sends out a DNS request and gets this Spammy site's IP instead of being told the requested domain doesn't exist.

[NateC]

Breaking NXDOMAIN is evil.  

 

I just verified the same behavior over here.  I use 'adb shell' to connect to my phone and try the following:

 

When on WiFi (correct behavior):

root@jewel:/ # nslookup klasjdfkljasdf.com                                     
Server:    192.168.0.1
Address 1: 192.168.0.1

nslookup: can't resolve 'klasjdfkljasdf.com': hostname nor servname provided, or not known 

After turning off WiFi, on Sprint 4G LTE (broken behavior):

root@jewel:/ # nslookup klasjdfkljasdf.com
Server:    68.28.68.132
Address 1: 68.28.68.132 ngns1a.chcgibr05.spcsdns.net

Name:      klasjdfkljasdf.com
Address 1: 2620:118:7008::1064
Address 2: 2620:118:7002::1064
Address 3: 198.105.254.64
Address 4: 198.105.244.64
 

And mozamcrew is right:  although tolerable for the web browser, it can easily break other applications.

[NateC]

Since I have root on my HTC EVO LTE, I worked around this problem with the following steps:

 

1. "adb shell" from my computer (requires android SDK installation and USB connection to PC)

2. mount -o remount,rw /

3. Edit /init.rc (I used vi)

4. Find the end of the "on init" section.  For me it was right after the "#htc sensorhub" lines.  Add the following lines to the end:

    # Hack to force use of google DNS to fix domain/NXDOMAIN hijacking by Sprint
    /system/bin/iptables -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 8.8.4.4:53
    /system/bin/iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 8.8.4.4:53

5. Save and remount / as read-only:  mount -o remount,ro /

[kevinkrueger]

Since I have root on my HTC EVO LTE, I worked around this problem with the following steps:

 

1. "adb shell" from my computer (requires android SDK installation and USB connection to PC)

2. mount -o remount,rw /

3. Edit /init.rc (I used vi)

4. Find the end of the "on init" section.  For me it was right after the "#htc sensorhub" lines.  Add the following lines to the end:

    # Hack to force use of google DNS to fix domain/NXDOMAIN hijacking by Sprint
    /system/bin/iptables -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 8.8.4.4:53
    /system/bin/iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 8.8.4.4:53

5. Save and remount / as read-only:  mount -o remount,ro /

 

Interesting. I had read somewhere else that Sprint redirects port 53 requests to their own DNS servers regardless of the destination IP address, but apparently that's not the case. This might motivate me to root my phone.

[NateC]

Interesting. I had read somewhere else that Sprint redirects port 53 requests to their own DNS servers regardless of the destination IP address, but apparently that's not the case. This might motivate me to root my phone.

 

Yeah, I'm not big on rooting phones to flash fancy ROMs or anything, since in my experience they tend to have unpredictable quality with respect to device drivers and stability.  But I do use rooted stock ROMs so I can have control over things like this.

 

And it does not appear that Sprint redirects port 53 requests in my area at least (Wisconsin).  I verified that bogus domain names still returned NXDOMAIN while on 4G LTE after applying my hack.

[EvanA]

Since I have root on my HTC EVO LTE, I worked around this problem with the following steps:

 

1. "adb shell" from my computer (requires android SDK installation and USB connection to PC)

2. mount -o remount,rw /

3. Edit /init.rc (I used vi)

4. Find the end of the "on init" section. For me it was right after the "#htc sensorhub" lines. Add the following lines to the end:

# Hack to force use of google DNS to fix domain/NXDOMAIN hijacking by Sprint    /system/bin/iptables -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 8.8.4.4:53    /system/bin/iptables -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 8.8.4.4:53

5. Save and remount / as read-only: mount -o remount,ro /

Yeah, I'm not big on rooting phones to flash fancy ROMs or anything, since in my experience they tend to have unpredictable quality with respect to device drivers and stability. But I do use rooted stock ROMs so I can have control over things like this.

 

And it does not appear that Sprint redirects port 53 requests in my area at least (Wisconsin). I verified that bogus domain names still returned NXDOMAIN while on 4G LTE after applying my hack.

The init files are not stored on disk as you see them in the file structure. In order to properly set the iptables rules you have to extract the boot image from its partition, unpack it, unpack the ramdisk, edit the init file, repack the boot image, and flash it. Alternatively, if you have init.d support you can make a script in /system/etc/init.d containing the iptables rules.

 

Regardless, it won't work. Sprint does redirect all DNS requests. If you try "nslookup sjifiejfbd.com 8.8.8.8" to force nslookup to use google dns, you still get the same IP as "nslookup sjifiejfbd.com" without forcing.

[NateC]

The init files are not stored on disk as you see them in the file structure. In order to properly set the iptables rules you have to extract the boot image from its partition, unpack it, unpack the ramdisk, edit the init file, repack the boot image, and flash it. Alternatively, if you have init.d support you can make a script in /system/etc/init.d containing the iptables rules.

 

Regardless, it won't work. Sprint does redirect all DNS requests. If you try "nslookup sjifiejfbd.com 8.8.8.8" to force nslookup to use google dns, you still get the same IP as "nslookup sjifiejfbd.com" without forcing.

 

You are correct on the first point, but incorrect on the second.  For the first point, I must have been sloppy and missed that, since I was sure I rebooted to test.  Thanks!

 

For the second point, as mentioned before, Sprint is definitely not redirecting DNS requests in my area.  See adb shell log below:

 

(this was while connected to Sprint 4G LTE with WiFi disabled;  using a different cell site than the previous test even)

root@jewel:/ # nslookup alksjdfklj.com
Server:    68.28.68.132
Address 1: 68.28.68.132 ngns1a.chcgibr05.spcsdns.net

Name:      alksjdfklj.com
Address 1: 2620:118:7008::1064
Address 2: 2620:118:7002::1064
Address 3: 198.105.244.64
Address 4: 198.105.254.64
root@jewel:/ # nslookup alksjdfklj.com 8.8.4.4                                 
Server:    8.8.4.4
Address 1: 8.8.4.4 google-public-dns-b.google.com

nslookup: can't resolve 'alksjdfklj.com': hostname nor servname provided, or not known
 

Maybe Sprint's DNS redirection behavior varies by region.

[EvanA]

You are correct on the first point, but incorrect on the second.  For the first point, I must have been sloppy and missed that, since I was sure I rebooted to test.  Thanks!

 

For the second point, as mentioned before, Sprint is definitely not redirecting DNS requests in my area.  See adb shell log below:

 

(this was while connected to Sprint 4G LTE with WiFi disabled;  using a different cell site than the previous test even)

root@jewel:/ # nslookup alksjdfklj.com
Server:    68.28.68.132
Address 1: 68.28.68.132 ngns1a.chcgibr05.spcsdns.net

Name:      alksjdfklj.com
Address 1: 2620:118:7008::1064
Address 2: 2620:118:7002::1064
Address 3: 198.105.244.64
Address 4: 198.105.254.64
root@jewel:/ # nslookup alksjdfklj.com 8.8.4.4                                 
Server:    8.8.4.4
Address 1: 8.8.4.4 google-public-dns-b.google.com

nslookup: can't resolve 'alksjdfklj.com': hostname nor servname provided, or not known
 

Maybe Sprint's DNS redirection behavior varies by region.

Mine is always redirected so it must.

[NateC]

Mine is always redirected so it must.

 

If that's the case for you, that's especially evil of Sprint.  The only ways I can think of to workaround that would be to use something like OpenDNS which serves on port 5353 in addition to 53.  Then you'd use a local caching nameserver on 127.0.0.1 or use a similar iptables rule to redirect outgoing port 53 traffic to OpenDNS on 5353.  It's a shame that DNS hijacking has become so common.

[EvanA]

If that's the case for you, that's especially evil of Sprint.  The only ways I can think of to workaround that would be to use something like OpenDNS which serves on port 5353 in addition to 53.  Then you'd use a local caching nameserver on 127.0.0.1 or use a similar iptables rule to redirect outgoing port 53 traffic to OpenDNS on 5353.  It's a shame that DNS hijacking has become so common.

OpenDNS does redirection for NXDOMAIN returns as well...

[David Mackler]

OpenDNS does redirection for NXDOMAIN returns as well...

They do by default, but RFC standard behavior can be restored with a check box. I have checked that box for my household.

[EvanA]

They do by default, but RFC standard behavior can be restored with a check box. I have checked that box for my household.

It's by IP though and mobile IP isn't static.

[David Mackler]

It's by IP though and mobile IP isn't static.

True enough, thanks for the reminder. I use OpenDNS for our home network, and that has a sticky "dynamic" IP. I have it set on the router so it covers all of our devices without needing to configure any of them.

[kevinkrueger]

For what it's worth, OpenDNS discontinued their NXDOMAIN hijacking:

 

http://www.opendns.com/no-more-ads/

 

http://blog.opendns.com/2014/05/29/no-more-ads/

 

Sprint should follow OpenDNS's lead and do the right thing.