While it may seem like all I write about these days is Rogers, it’s really the only thing I’ve been dealing with on the service provider front. All my other corporate relations have been going well: I pay people money and they provide a service without bothering me unduly. (I must congratulate the wireless business for their 6GB data plan extension and forthcoming reasonably priced data packages, although one could make the case that Telus and Bell really forced them into it.) This time, it’s about the Internet side of the equation.
Beginning July 18th, Rogers began implementing a provider-wide SiteFinder-style service, where users are redirected to a “search” page with sponsored results for mistyped and nonexistent domains. On a technical level, I fundamentally disagree with this change: it breaks the concept of NXDOMAIN (a useful “domain does not exist” response) and makes things much more difficult to troubleshoot with respect to network architecture. The only reason I haven’t bitched and whined about this much earlier is that I’ve been using OpenDNS for completely unrelated reasons. It was only when my roommate Alex complained about VPN connectivity that I actually looked into the issue.
It turns out that Rogers’ marketing effort completely bricks internal domain resolution for a lot of common VPN clients, including the default Windows XP offering. So if your company, like many others, has internal domains such as corpweb.example.com, Rogers’ search will open up with the terms “corpweb example” at the minimum. This practice has data exposure implications: not only does Rogers now know about an internal domain you’re trying to access, but a third party provider like Yahoo now knows.
If you were an employee of a competing search engine and trying to VPN from home, Yahoo would now know something about your internal network structure; this is bad news all around. Hitting a favourite or quick launch link to corpweb.example.com/livelink/llsapi.exe?doc=Network_Security_Breach_Sept0408.doc would reveal the choice of LiveLink as a corporate CMS, a dependence on Microsoft Word and a document detailing a potentially classified incident.
OpenDNS isn’t any better by default, either. They redirect search results and mistyped domains, and in the process intercept VPN traffic. To get around this, you have to create an account and blacklist corporate VPN connections from “helpful results” on a per-domain basis. The solution also involves downloading and maintaining a dynamic IP address update client, or setting a Tomato-enabled router to perform the same task.
What I’ve done for now is listened to the accurate advice on trevoro.ca and changed my primary Rogers DNS server to an unadvertised IP address: altdns.rnc.net.cable.rogers.com, or 126.96.36.199. This server seems reasonably quick for name resolution and returns proper responses when a domain is not found, allowing VPN software to resolve internal addresses.