Frontier Search Hijacking

From Payne.org Wiki

This note describes how Frontier Communications hijacked Google search queries.

NOTE: As of ~May, 2011, Frontier has (as best I can tell) stopped all hijacking and proxying of Google search queries. Use this tool from Berkeley to audit your connection.

I noticed this behavior recently when visiting relatives in West Virginia. My Google searches for "amazon" (from the Safari search bar) were landing on Amazon's home page directly, NOT showing a Google search results page as I expected.

ISPs have redirected failing DNS lookups (typos and misspellings that would otherwise return NXDOMAIN) for a while. I've never seen an example of an ISP actually hijacking a user's Google search, and inserting their own results, and that seems pretty egregious to me.

NOTE: I contacted Frontier Communications and I heard back immediately from Maggie Wilderotter, the CEO. She said that this had been done by one of their vendors, in violation of Frontier's business rules, and it's been shut down. In subsequent discussions with folks at Frontier, they seem to be still proxying Google queries (without hijacking) by directing www.google.com to their own servers, but are re-evaluating this practice as well (as of April, 2011).


Related:

Google Search Hijacking

Frontier's IP provisioning (over DSL) offered two DNS servers: 66.133.129.180 and 151.203.0.84.

Both were returning results for www.google.com that pointed to Frontier's servers, not Google. For example:

payne@house ~ $ dig @66.133.129.180 www.google.com

; <<>> DiG 9.7.1 <<>> @66.133.129.180 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11830
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         60      IN      A       66.133.183.170

;; AUTHORITY SECTION:
www.google.com.         65535   IN      NS      WSC2.JOMAX.NET.
www.google.com.         65535   IN      NS      WSC1.JOMAX.NET.

;; Query time: 31 msec
;; SERVER: 66.133.129.180#53(66.133.129.180)
;; WHEN: Wed Dec 29 22:47:54 2010
;; MSG SIZE  rcvd: 104

Note: I saw these results as well from queries outside Frontier's network. However, the hijacking has since been shut down (as of January 2). Frontier's servers now return correct results:

payne@house ~ $ dig  @66.133.129.180 www.google.com

; <<>> DiG 9.7.1 <<>> @66.133.129.180 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5013
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         200744  IN      CNAME   www.l.google.com.
www.l.google.com.       120     IN      A       72.14.204.104
www.l.google.com.       120     IN      A       72.14.204.147
... etc ...

So queries made to www.google.com were directed instead to Frontier's server at 66.133.183.170 (ple-wv01.roch.ny.frontiernet.net). Two things in the first dig output give this away even without knowing Google's address space: the authority section names WSC1/WSC2.JOMAX.NET rather than Google's own nameservers, and the reverse lookup of the returned address lands in frontiernet.net.
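The same comparison can be scripted. The following is an added example, not code from this page or from Frontier: it sends a raw DNS query for www.google.com to a resolver, parses the reply, and reports the two indicators discussed above (an authority section outside google.com, and an answer set that shares no address with a trusted resolver). It speaks RFC 1035 wire format directly so it needs no third-party library. The resolver 66.133.129.180 is the one the page lists; 8.8.8.8 (Google Public DNS) is assumed as the trusted reference. The sample packet at the bottom is constructed here from the page's first dig output so the parser and the audit logic can be exercised offline.

```python
"""Audit a resolver's answer for www.google.com against a trusted resolver.

Added example for this page, not Payne.org's or Frontier's code. build_query,
parse_response and audit work offline; query() needs the network.
"""
import socket
import struct
import sys

# google.com is served by ns1..ns4.google.com; an authority section naming
# anything else for www.google.com is the page's first red flag.
GOOGLE_NS_SUFFIX = ".google.com."


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A/IN query (flags 0x0100 = RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def _read_name(data: bytes, off: int):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                          # compression pointer
            pointer = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                              # name ends after first pointer
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(data: bytes):
    """Return (answer-section A addresses, authority-section NS names, min A TTL)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                    # skip the question
        _, off = _read_name(data, off)
        off += 4
    addrs, ns_names, ttls = [], [], []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            _, off = _read_name(data, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if section == "answer" and rtype == 1:         # A record
                addrs.append(socket.inet_ntoa(data[off:off + 4]))
                ttls.append(ttl)
            elif section == "authority" and rtype == 2:    # NS; rdata may use pointers
                ns_names.append(_read_name(data, off)[0])
            off += rdlen
    return addrs, ns_names, (min(ttls) if ttls else None)


def audit(isp_answer, trusted_answer):
    """Findings for an ISP resolver's answer; an empty list means nothing suspicious.

    Both arguments are (addrs, ns_names, ttl) tuples as returned by parse_response.
    """
    isp_addrs, isp_ns, _ = isp_answer
    trusted_addrs, _, _ = trusted_answer
    findings = []
    bad_ns = [n for n in isp_ns if not n.lower().endswith(GOOGLE_NS_SUFFIX)]
    if bad_ns:
        findings.append("authority NS not under google.com: " + ", ".join(bad_ns))
    if isp_addrs and not set(isp_addrs) & set(trusted_addrs):
        # Weak signal by itself: Google hands out region-specific addresses, so
        # two honest resolvers can disagree. Confirm with a PTR lookup.
        findings.append("A records %s share nothing with trusted answer %s"
                        % (isp_addrs, trusted_addrs))
    return findings


def query(resolver_ip: str, name: str = "www.google.com", timeout: float = 3.0):
    """Send one query to resolver_ip:53 over UDP and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


# Constructed sample: the hijacked answer from the page's first dig run in wire
# format (A 66.133.183.170 TTL 60; NS WSC2/WSC1.JOMAX.NET). 104 bytes, like dig said.
SAMPLE_HIJACKED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 2, 0)
    + encode_name("www.google.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("66.133.183.170")
    + b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 65535, 16) + encode_name("WSC2.JOMAX.NET")
    + b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 65535, 16) + encode_name("WSC1.JOMAX.NET")
)

if __name__ == "__main__":
    isp = sys.argv[1] if len(sys.argv) > 1 else "66.133.129.180"   # Frontier resolver from the page
    for line in audit(query(isp), query("8.8.8.8")) or ["no hijack indicators"]:
        print(line)
```

Run it as `python3 dnsaudit.py <resolver-ip>`; with no argument it queries the Frontier resolver the page names. The NS check is the reliable one: Google's answers legitimately vary by region, so an address mismatch alone is only a prompt to look at the PTR record, as the page does with ple-wv01.roch.ny.frontiernet.net.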

This server seems to mostly pass through queries to Google, but a few are intercepted and redirected to another of Frontier's servers. For example, a search for "amazon" is hijacked and redirected:

payne@house ~ $ wget --header="Host: www.google.com" 'http://66.133.183.170/search?client=safari&ie=UTF-8&q=amazon'
--2011-01-02 10:35:08--  http://66.133.183.170/search?client=safari&ie=UTF-8&q=amazon
Connecting to 66.133.183.170:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://service1.searchguide.frontier.com/search?qkf=amazon&sid=001vB79EA5JmEEtSmS&rg=DOM2&ri=GT03&encu=U2FsdGVkX19XQ6tFCko0wcCBUjeT6S%2FURc%2B0rxZUXF5zHOCnemowRFCZczUon3NAM8v664%2BR4UY1%0AAQKUNVnyYOOwTC8ew4UtNj%2BJLrGm7wg%3D%0A

In turn, that query is redirected to Amazon's home page with Frontier's Amazon affiliate code inserted (frontiercomm-20):

HTTP request sent, awaiting response... 302 Document has moved
Location: http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2F&tag=frontiercomm-20&linkCode=ur2&camp=1789&creative=9325 [following]
--2011-01-02 10:36:30--  http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2F&tag=frontiercomm-20&linkCode=ur2&camp=1789&creative=9325
Resolving www.amazon.com... 72.21.194.1
 ... etc...

The net result: a user Googling "amazon" would normally see a Google results page. While this hijacking was in place, Frontier subscribers instead got the Amazon home page with Frontier's affiliate code inserted, presumably so that Frontier would collect commission payments from Amazon on the resulting purchases.
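The wget experiment above can be repeated so that each hop in the redirect chain is recorded and checked. This is an added example, not code from the page or from Frontier: it connects to a chosen address while sending the Host header for www.google.com (the equivalent of wget --header="Host: www.google.com" against 66.133.183.170), follows each 302 by hand, and flags the two signs of hijacking described above: a hop that leaves google.com, and a final URL carrying an Amazon affiliate tag. The address 66.133.183.170 is the page's; the User-Agent string is an arbitrary choice. The chain at the bottom is reconstructed from the page's wget transcript (the opaque encu= parameter omitted) so the checks can run offline.

```python
"""Trace what a server answering for www.google.com does with a search query.

Added example for this page, not Payne.org's or Frontier's code. fetch_hop and
follow_chain need the network; affiliate_tag and audit_chain work offline.
"""
import http.client
import sys
from urllib.parse import parse_qs, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def fetch_hop(url, connect_to=None, timeout=5.0):
    """One GET without following redirects. connect_to overrides the address
    dialled while the Host header still carries the URL's own hostname."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(connect_to or parts.hostname, parts.port or 80,
                                      timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("GET", path, headers={"Host": parts.netloc, "User-Agent": "search-audit/0.1"})
    resp = conn.getresponse()
    status, location = resp.status, resp.getheader("Location")
    conn.close()
    return status, location


def follow_chain(url, connect_to=None, max_hops=5):
    """Return every URL visited, starting with url; only the first hop is
    forced to connect_to, later hops go wherever the Location header says."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch_hop(chain[-1], connect_to if len(chain) == 1 else None)
        if status not in REDIRECTS or not location:
            break
        chain.append(location)
    return chain


def affiliate_tag(url):
    """Amazon Associates id from a URL's tag= parameter, or None."""
    return parse_qs(urlsplit(url).query).get("tag", [None])[0]


def audit_chain(chain):
    """Findings for a redirect chain that began as a Google search; empty is clean."""
    findings = []
    hosts = [urlsplit(u).hostname or "" for u in chain]
    offsite = [h for h in hosts[1:] if h != "google.com" and not h.endswith(".google.com")]
    if offsite:
        findings.append("search redirected off Google via " + " -> ".join(offsite))
    tag = affiliate_tag(chain[-1])
    if tag:
        findings.append("final URL carries affiliate tag " + tag)
    return findings


# Constructed from the page's wget transcript (encu= parameter omitted).
PAGE_CHAIN = [
    "http://www.google.com/search?client=safari&ie=UTF-8&q=amazon",
    "http://service1.searchguide.frontier.com/search?qkf=amazon&sid=001vB79EA5JmEEtSmS&rg=DOM2&ri=GT03",
    "http://www.amazon.com/gp/redirect.html?ie=UTF8&location=http%3A%2F%2Fwww.amazon.com%2F"
    "&tag=frontiercomm-20&linkCode=ur2&camp=1789&creative=9325",
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "66.133.183.170"   # the page's proxy address
    chain = follow_chain(PAGE_CHAIN[0], connect_to=target)
    for hop in chain:
        print(hop)
    for line in audit_chain(chain) or ["no hijack indicators"]:
        print(line)
```

Point it at whatever address your resolver returns for www.google.com; a server that merely proxies (as Frontier later claimed to do) yields a one-element chain and no findings, whereas the transcript above yields both findings and the tag frontiercomm-20.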

As of late April, 2011, Frontier is provisioning two DNS servers for West Virginia: 66.133.170.2 (in Rochester, NY) and 199.224.64.202 (in Dallas, PA). (Note: Frontier's "official" DNS servers are listed here).

All Frontier DNS servers appear to be pointing www.google.com to Frontier's own servers, but Frontier asserts they are merely proxying, not hijacking.

How to Prevent

One easy way to avoid ISP hijacking is to use public DNS servers, such as Google's. For more information, see Google Public DNS.

You would usually configure these in your router, or on each individual computer. This defeats what Frontier was doing, which depended on its own resolvers answering for www.google.com; it does not help against an ISP that intercepts port 53 or port 80 traffic in-path. After switching, repeat the dig query above against your new resolver and confirm that the answer no longer points into the ISP's address space.
