Frontier Search Hijacking

This note describes how Frontier Communications hijacked Google search queries.

NOTE: As of ~May, 2011, Frontier has (as best I can tell) stopped all hijacking and proxying of Google search queries. Use this tool from Berkeley to audit your connection.

I noticed this behavior recently when visiting relatives in West Virginia. My Google searches for "amazon" (from the Safari search bar) were landing on Amazon's home page directly, NOT showing a Google search results page as I expected.

ISPs have redirected DNS queries for a while, but have mostly focused on typos and misspellings. I've never seen an example of an ISP actually hijacking a user's Google search, and inserting their own results, and that seems pretty egregious to me.

NOTE: I contacted Frontier Communications and I heard back immediately from Maggie Wilderotter, the CEO. She said that this had been done by one of their vendors, in violation of Frontier's business rules, and it's been shut down. In subsequent discussions with folks at Frontier, they seem to be still proxying Google queries (without hijacking) by directing to their own servers, but are re-evaluating this practice as well (as of April, 2011).


Google Search Hijacking

Frontier's IP provisioning (over DSL) offered two DNS servers: and

Both were returning results for that pointed to Frontier's servers, not Google. For example:

payne@house ~ $ dig  @
; <<>> DiG 9.7.1 <<>> @
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11830
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;                                    IN            A

;; ANSWER SECTION:
                        60            IN            A    

;; AUTHORITY SECTION:
                        65535            IN            NS             WSC2.JOMAX.NET.
                        65535            IN            NS             WSC1.JOMAX.NET.

;; Query time: 31 msec
;; WHEN: Wed Dec 29 22:47:54 2010
;; MSG SIZE  rcvd: 104

Note: I saw these results as well from queries outside Frontier's network. However, the hijacking has since been shut down (as of January 2). Frontier's servers now return correct results:

payne@house ~ $ dig  @

; <<>> DiG 9.7.1 <<>> @
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5013
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4

;                        IN      A

;; ANSWER SECTION:
         200744  IN      CNAME
       120     IN      A
       120     IN      A
... etc ...

So queries made to are directed instead to Frontier's server at (

This server seems to mostly pass through queries to Google, but a few are intercepted and redirected to another of Frontier's servers. For example, a search for "amazon" is hijacked and redirected:

payne@house ~ $ wget --header="Host:" ''
--2011-01-02 10:35:08--
Connecting to connected.
HTTP request sent, awaiting response... 302 Moved Temporarily

In turn, that query is redirected to Amazon's home page with Frontier's Amazon affiliate code inserted (frontiercomm-20):

HTTP request sent, awaiting response... 302 Document has moved
Location: [following]
--2011-01-02 10:36:30--
 ... etc...

The net result: a user Googling "amazon" would normally see a Google results page. Instead, Frontier subscribers (while this hijacking was in place) would get the Amazon home page, with Frontier's affiliate code inserted (presumably in an attempt to get commission payments from Amazon).

As of late April, 2011, Frontier is provisioning two DNS servers for West Virginia: (in Rochester, NY) and (in Dallas, PA). (Note: Frontier's "official" DNS servers are listed here).

All Frontier DNS servers appear to be pointing to Frontier's own servers, but Frontier asserts they are merely proxying, not hijacking.

How to Prevent

One easy way to avoid ISP hijacking is to use public DNS servers, such as Google's. For more information, see Google Public DNS.

You would usually configure these in your router, or on each individual computer.
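
To check a resolver for the behavior shown in the dig output above, compare its answer with the answer from a resolver you trust. The script below is an added example, not part of the original note: it parses two saved dig outputs and reports disjoint A records and name servers outside the expected zone. The query name search.example, the addresses and the function names are constructed for illustration; only the JOMAX.NET name-server names come from the page.

```python
import re

# Constructed dig outputs. The query name and addresses are placeholders
# (RFC 5737 ranges); only the JOMAX.NET name-server names come from the page.
ISP_DIG = """\
;; ANSWER SECTION:
search.example.        60      IN  A      192.0.2.10
;; AUTHORITY SECTION:
search.example.        65535   IN  NS     WSC2.JOMAX.NET.
search.example.        65535   IN  NS     WSC1.JOMAX.NET.
"""
REF_DIG = """\
;; ANSWER SECTION:
search.example.        200744  IN  CNAME  www.l.search.example.
www.l.search.example.  120     IN  A      198.51.100.5
www.l.search.example.  120     IN  A      198.51.100.6
;; AUTHORITY SECTION:
search.example.        86400   IN  NS     ns1.search.example.
"""

SECTION = re.compile(r"^;; (\w+) SECTION:")
RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME|NS)\s+(\S+)\s*$")

def parse_dig(text):
    """Return {section: [(name, ttl, rtype, rdata), ...]} from dig text output."""
    sections, current = {}, None
    for line in text.splitlines():
        if (h := SECTION.match(line)):
            current = sections.setdefault(h.group(1), [])
        elif current is not None and (m := RECORD.match(line)):
            name, ttl, rtype, rdata = m.groups()
            current.append((name.lower(), int(ttl), rtype, rdata.lower()))
    return sections

def a_records(parsed):
    return {rdata for _, _, rtype, rdata in parsed.get("ANSWER", []) if rtype == "A"}

def audit(suspect, reference, expected_ns_suffix):
    """Compare a suspect resolver's answer with a trusted resolver's answer."""
    s, r = parse_dig(suspect), parse_dig(reference)
    findings = []
    # Weak signal alone: CDNs legitimately give different resolvers different IPs.
    if a_records(s) and a_records(r) and a_records(s).isdisjoint(a_records(r)):
        findings.append("a-records-disjoint")
    # Strong signal: the zone is served by name servers unrelated to its owner.
    foreign = sorted(rdata for _, _, rtype, rdata in s.get("AUTHORITY", [])
                     if rtype == "NS" and not rdata.endswith(expected_ns_suffix))
    if foreign:
        findings.append("foreign-ns:" + ",".join(foreign))
    return findings
```

Treat a disjoint A-record set as a prompt to look closer, and a foreign name server in the authority section as the finding that matters.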