
First question here. I had a problem with my Internet provider's modem, model Sagemcom F@st 3890v3. The problem was that it pointed the device's DNS suffix to utopia.net.

Comcast had this problem (the utopia.net hijack), and now my Internet provider is having the same problem. The first time I called them they didn't want to change anything for me, so I needed to call several more times and escalate, and finally I got a new modem from them, but I filed a claim on the local Consumer Protection website anyway. There are a lot of people here having the same problem!

Long story short, the people at Consumer Protection don't have technicians who can confirm that having a DNS suffix that doesn't point to the provider's servers (pointing to a "strange" server instead) can do something bad to your Internet safety.

So I looked everywhere, read a lot of info, and I still can't understand what happens when your DNS suffix doesn't point to a trustworthy server. I tried to understand the concept of a DNS suffix, but I don't really get it... I know what DNS is, etc. I work in IT at a small company.

I would like someone to explain all this to me in depth.

Thanks in advance!

Dan Chelger


The DNS suffix is automatically appended to all domain names when making a DNS lookup. (That's why it is called a "suffix", and there's nothing more to it.) This parameter is announced via DHCP to all hosts on the network.

For example, if a company office has a server called "app.example.com", they can announce DNS suffix "example.com" via DHCP and the same server becomes accessible simply as "app". Whenever you visit http://app/ the OS will automatically try http://app.<DNS_suffix>/ instead, saving employees a bit of unnecessary typing.

(The same goes for home routers, which often have a DNS suffix like "lan" or "home" and use it to let you access your local computers and other devices by name.)

However, various operating systems do it somewhat differently:

  • You could argue that it only makes practical sense to append the DNS suffix to names which have no dot in them at all (e.g. app but not app.co.uk), and that's what Linux does.
  • And you could argue that it is technically correct to append the DNS suffix to any name that doesn't end with a dot, even if it has multiple dots internally, and that's what Windows does.

The Windows behavior, while technically correct (only names ending with a . are "absolute"), is what makes the DNS suffix hijacking a real problem – because nearly 100% of domain names in use by programs do not end with a ., and therefore will have the DNS suffix appended.

For example, when you visit http://google.com/ (as a Comcast user), the browser will try accessing the domain google.com.utopia.net. before the real google.com., and you can see that the former is at the mercy of whoever controls utopia.net.

u1686_grawity
  • Thanks! So, why when I checked which DNS my modem was using http://www.whatsmydnsserver.com/ or sites like that, the DNS was the one of my provider but not utopia.net? And by the way, can you recommend me some technical papers about this so I can send them to the Consumer Protection people? :) – Dan Chelger Sep 12 '19 at 05:51
  • Because the "DNS suffix" has absolutely nothing to do with the DNS servers you're using. It changes _what names_ the OS will try to resolve, not _where_ it'll send the queries. – u1686_grawity Sep 12 '19 at 06:04
  • Perfect! Is there any way I can test if my computer is sending that Suffix to the DNS servers when I try to access domains like google.com? – Dan Chelger Sep 12 '19 at 06:42
  • Yes, I'd say [Wireshark](https://www.wireshark.org) or some other packet capture tool will be easiest. Start a capture (you can enter a capture filter `port 53` before starting, or a display filter `dns` while the capture is already running), then do something like `ping google.com` or visit the site through a browser. – u1686_grawity Sep 12 '19 at 06:48
  • Wow! Installed and trying. I'll try to find a hijacked modem and do some testing with it. Really, thanks! – Dan Chelger Sep 12 '19 at 07:50
  • It doesn't necessarily have to be hijacked, most home routers already have some generic DNS suffix like .lan or .home preconfigured (but handled internally to the router so it's safe), and most allow changing it manually to any suffix you want. In fact it doesn't have to be a router – Windows lets you set the DNS suffix manually (for each interface it's next to where you configure the DNS servers). – u1686_grawity Sep 12 '19 at 08:30
  • To see the suffix that gets appended, use "nslookup" and enter the line "set debug=yes" before you perform a lookup. Now when you do a lookup you'll see DNS debug information which will show you the questions sent to the DNS server. – Tom Rutchik Oct 14 '22 at 20:41
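The following is an added worked example and is not code from the answer above or from any vendor. It models how a stub resolver turns the name a program asked for into the question names actually sent to the DNS server, under the two policies the answer describes (the Windows-style "suffix first for any name without a trailing dot" order as the answer states it, and a glibc-style `ndots` rule for Linux, which generalizes the answer's "only dotless names" description: names with at least `ndots` dots are tried as absolute first and only fall back to the suffixed form). It then checks a list of observed question names, the kind you would read off a Wireshark `dns` display filter or from `nslookup` with `set debug=yes`, for multi-label names that carry an appended suffix. The suffix `utopia.net`, the default `ndots=1`, and the sample query names are constructed for illustration.

```python
"""Model DNS-suffix appending and check observed queries for appended suffixes.

Added example; not part of the original answer. Names and suffix are constructed.
"""


def _fqdn(name: str) -> str:
    """Make a name absolute by ensuring exactly one trailing dot."""
    return name.rstrip(".") + "."


def candidate_names(name: str, suffix: str, policy: str, ndots: int = 1) -> list[str]:
    """Return the question names a resolver would send, in the order it tries them.

    policy == "windows": any name not ending in '.' gets the suffix appended and
        that form is tried before the bare name (the order the answer describes).
    policy == "linux": glibc-style search rule (assumption: default ndots=1).
        Names with fewer than `ndots` dots get the suffix first; names with at
        least `ndots` dots are tried absolute first, suffixed form as fallback.
    """
    if name.endswith("."):
        return [name]  # absolute name: the resolver never modifies it
    bare = _fqdn(name)
    if not suffix:
        return [bare]
    suffixed = _fqdn(f"{name}.{suffix}")
    if policy == "windows":
        return [suffixed, bare]
    if policy == "linux":
        if name.count(".") < ndots:
            return [suffixed, bare]
        return [bare, suffixed]
    raise ValueError(f"unknown policy {policy!r}")


def suffixed_queries(observed: list[str], suffix: str) -> list[tuple[str, str]]:
    """Flag observed question names that are a multi-label name plus the suffix.

    Returns (observed_name, original_name) pairs such as
    ("google.com.utopia.net.", "google.com"). Single-label names like
    "printer.utopia.net." are ignored: that is the legitimate use of a suffix.
    """
    tail = "." + _fqdn(suffix)
    hits = []
    for q in observed:
        q = _fqdn(q.lower())
        if q.endswith(tail):
            original = q[: -len(tail)]
            if "." in original:  # the part before the suffix already had a dot
                hits.append((q, original))
    return hits


if __name__ == "__main__":
    suffix = "utopia.net"  # constructed: the suffix from the question
    for policy in ("windows", "linux"):
        for name in ("app", "google.com", "google.com."):
            print(policy, name, "->", candidate_names(name, suffix, policy))

    # Constructed sample of question names as seen in a packet capture.
    seen = ["google.com.utopia.net", "printer.utopia.net", "google.com", "mail.example.org.utopia.net"]
    for observed, original in suffixed_queries(seen, suffix):
        print(f"suffix appended: {observed} (program asked for {original})")
```

Run it as-is to see the candidate order for each policy; to check a real capture, replace the `seen` list with the question names from the `dns` filter and pass the suffix your DHCP lease handed out (on Windows, the "Connection-specific DNS Suffix" line of `ipconfig`).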