Fri Mar 14 20:30:44 2008
More info on ISP DNS redirections

I've received a number of replies to my request for more specific 
information regarding Verizon and Time Warner (RoadRunner) DNS

Regarding Verizon (the forwarded message below best summarizes), it
appears that while Verizon has apparently removed the redirection
(to a Yahoo Search page) opt-out for their own routers supplied to
customers, it is still possible for users with enough understanding
of their systems to set their own recursive DNS server addresses.
So, for example, those persons running their own BIND, or using
services such as, reportedly can continue to do so
without interference at this time.  However, it appears that Verizon
has purposely "raised the bar" to make it less likely that ordinary
users will choose other than the Verizon-supplied Yahoo-diversion
DNS servers.

As for Time Warner/RoadRunner, I've received additional reports
indicating that diversion (via a wildcard record) is occurring in
other areas in addition to Southern California, but also that not
all areas in Southern California are so configured currently.
Indications so far are that the official RoadRunner opt-outs do work,
and it appears that, as in the Verizon case, there is nothing
currently stopping people from running their own BIND or directing
their client systems to other DNS services.

Frankly, I find default DNS diversion, even with opt-outs and
available workarounds, to be distasteful and annoying at best, and a
clear "camel's nose under the tent" in terms of potentially taking
advantage of subscribers, especially those who are unlikely to know
how to manipulate their own DNS settings.  These cases don't rise to
the obnoxiousness level of VeriSign's infamous "Site Finder"
service, but seem to be another step toward pushing the envelope ever
farther in the wrong direction.  If ISPs wish to provide such DNS
diversion services, they should be *opt-in* only.  But we all know
why they don't do that.

NNSquad Moderator

Re: [ NNSquad ]  DNS Interception by ISPs (was Verizon P2P discussion)
Fri, 14 Mar 2008 20:45:44 -0500
Feel free to repost or reuse this as you see fit.

I confirmed that the opt out feature was removed with Verizon tech  
support and residential sales on March 6th.  They were unable to tell  
me when the opt out feature was removed.  I know that it was not  
working after Thanksgiving of 2007.  Previously, FIOS users had to  
modify their (Verizon supplied) router configuration to use alternate  
DNS servers that did not have the redirection feature.  Now, it is not  
possible to do that because DHCP leases are short and are not  
renewable.  In short, FIOS users *will* be assigned IP addresses in  
different subnets when their lease expires and will not be able to  
access Verizon DNS servers in another subnet.  FIOS users are required  
to accept DHCP-assigned DNS servers on the router, all of which have  
the redirection feature.

Supporting article: 
  (The timing mentioned in the article matches my observations.)

Verizon appears to have removed the FIOS-specific opt-out instructions  
from their support site.  There are three other examples remaining:

Based on my discussion with residential sales, the behavior is the  
same for both DSL and FIOS customers.  The only above-board solution  
is to get a statically-assigned IP address which is only available as  
part of the business class service.  Based on pricing that I received  
from Business sales on March 6th or 7th, that costs approximately  
$94/mo in the DFW Texas area.  That is about twice the cost of residential  
FIOS service.  I did not ask for the price difference for DSL service.

The workaround is for FIOS/DSL customers to configure their own  
computer systems not to use their Verizon-supplied router as the local  
DNS server.  I have a local instance of bind running on my Macintosh.   
Verizon does not appear to interfere with recursive resolution.  My  
Windows laptop also uses the Mac as a resolver.  I have also tested  
using as a DNS resolver and that works fine.
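
A subscriber-side check for the diversion discussed in this thread, added here as an example and not part of either message: it asks a resolver for randomly generated names and reports whether each reply is a proper NXDOMAIN or a NOERROR answer carrying records, which is what a wildcard or rewriting resolver returns. The function names, the `com` suffix default and the assumption that the random probe names are unregistered belong to this example.

```python
import secrets
import socket
import struct

def build_query(name, txid):
    """Encode a recursive (RD=1) A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify(response, txid):
    """Classify a reply to a probe for a name that should not exist."""
    if len(response) < 12:
        return "other"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:   # wrong transaction or not a response
        return "other"
    rcode = flags & 0x000F
    if rcode == 3:                          # NXDOMAIN: resolver told the truth
        return "nxdomain"
    if rcode == 0 and ancount > 0:          # NOERROR with records: name was "found"
        return "diverted"
    return "other"                          # SERVFAIL, REFUSED, empty NOERROR...

def probe(resolver_ip, suffix="com", tries=3, timeout=3.0):
    """Send `tries` random-name probes to one resolver; return the verdicts."""
    verdicts = []
    for _ in range(tries):
        txid = secrets.randbits(16)
        # Assumption: a random 24-hex-digit label under `suffix` is unregistered.
        name = f"{secrets.token_hex(12)}.{suffix}"
        try:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.connect((resolver_ip, 53))
                s.send(build_query(name, txid))
                verdicts.append(classify(s.recv(512), txid))
        except OSError:                     # timeout or unreachable resolver
            verdicts.append("other")
    return verdicts

if __name__ == "__main__":
    import sys
    # Usage: python3 probe.py <resolver-ip>   (the resolver to test)
    print(probe(sys.argv[1]))
```

Running it once against the DHCP-assigned resolver and once against a locally run BIND instance lets the two sets of verdicts be compared.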


