Ben Hayward

ISP NXDomain hijacking

Last week I was working on some ElasticSearch changes for my local work stack, and a blunder on my part bricked my installation. No big deal, we’ve got an installation process to get things back up and running.

So I took the Docker containers down, wiped them, ran through our installation steps again, went to localhost, and got nothing. This was strange. I dug into my Docker logs and found a timeout error from the nginx container. In it I noticed:

upstream: "http://92.242.132.24:4200/favicon.ico"

Weird, I don’t recognise that IP…

whois 92.242.132.24: Barefruit

Who are Barefruit? A little detective work (aka looking at their website) revealed that they are a company that describes its product as “Generating highly targeted traffic by replacing DNS and HTTP errors with relevant advertising”.

Oh boy, that sounds fun. Looking deeper led me to a couple of blogs and an article [1][2] which explain how Virgin Media and other ISPs hijack NXDOMAIN responses to drive traffic to Barefruit: when you ask the ISP's resolver for a name that does not exist, instead of the NXDOMAIN error a correct resolver would return, it answers with the address of a Barefruit server, so your browser lands on an advertising page rather than an error.
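A quick way to test whether a resolver does this, as an added example that is not from the original post: ask it for a random label under the reserved .invalid TLD, which can never exist, and look at the reply's status. An honest resolver answers NXDOMAIN; a hijacking one answers NOERROR with A records for its ad server. The query helper assumes dig is installed and takes an optional server to query directly; the classifier works on dig's text output, and the sample outputs it is meant for are constructed here, not captured from any ISP.

```shell
#!/bin/sh
# Added example (not from the original post): detect NXDOMAIN hijacking by
# resolving a name that cannot exist and inspecting the reply.

# classify_dig_output: read `dig +noall +comments +answer` output on stdin and
# print "clean" (NXDOMAIN), "hijacked <addresses>" (NOERROR with A records) or
# "unknown" (anything else, e.g. SERVFAIL, NODATA or no reply at all).
classify_dig_output() {
  out=$(cat)
  case "$out" in
    *"status: NXDOMAIN"*) echo clean ;;
    *"status: NOERROR"*)
      # answer-section lines look like:  name.  ttl  IN  A  address
      addrs=$(printf '%s\n' "$out" | awk '$4 == "A" { print $5 }' | sort -u)
      if [ -n "$addrs" ]; then
        echo hijacked $addrs   # unquoted on purpose: joins addresses with spaces
      else
        echo unknown
      fi ;;
    *) echo unknown ;;
  esac
}

# check_resolver [SERVER]: query the system resolver, or SERVER if given, for a
# random label under the reserved .invalid TLD. Needs dig and network access.
check_resolver() {
  server=${1:+@$1}
  label=$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')
  dig $server +noall +comments +answer "${label}.invalid" A | classify_dig_output
}

# e.g.  check_resolver          -> uses the resolver from /etc/resolv.conf
#       check_resolver 9.9.9.9  -> compare against a resolver of your choosing
```

Running check_resolver with and without an explicit server is the useful comparison: if the default resolver says "hijacked 92.242.132.24" while a directly queried public resolver says "clean", the interference is in the path the ISP controls (its resolver, or a transparent DNS redirect at the router), not in the name itself.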

Naively, since moving to Virgin Media I'd never actually looked at the page Virgin were serving me on an invalid request. I checked it, and it's littered with targeted ads that I'd never bothered to read or think about; looking at the ads, I have most definitely sent data to Barefruit unknowingly. Hidden on the page is an option to turn off their NXDOMAIN hijack, which I promptly disabled, and I updated my iptables to blacklist their IP.

The question I'm left with is, why was nginx using this IP as the upstream? I dug down into our docker compose and found the bash function:

add_host_entry() {
  # gateway of the container's default route = the Docker bridge, i.e. the host
  local gw; gw=$(ip -4 route list match 0/0 | awk '$1 == "default" { print $3; exit }')
  [ -n "$gw" ] || return 1  # no default route yet: fail rather than leave the name to DNS
  printf '%s host.docker.internal\n' "$gw" >> /etc/hosts
}

Okay, so it pipes the output of ip -4 route list match 0/0 (the container's default route, which looks like "default via 172.17.0.1 dev eth0") through awk and appends the gateway address to the container's /etc/hosts, so that host.docker.internal resolves to the Docker bridge gateway, i.e. the host. Looking up the command in the man pages confirms it: "match 0/0" lists only the default route(s). The catch is what happens when that command prints nothing, for example because the container has no default route yet when the script runs: nothing is appended, host.docker.internal is absent from /etc/hosts, and nginx resolves the name through DNS instead. The name does not exist in public DNS, so a correct resolver says NXDOMAIN and nginx refuses to load the config with "host not found in upstream"; a resolver that hijacks NXDOMAIN hands back Barefruit's address instead, and nginx happily proxies to 92.242.132.24. Newer Docker releases can pin the name without the script at all: an extra_hosts entry of host.docker.internal:host-gateway in the compose service writes the equivalent /etc/hosts line at container start.
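A defensive counterpart for the container side, again an added example rather than the project's own code: before nginx starts, confirm that host.docker.internal is actually pinned in /etc/hosts and that it points at a private address such as the Docker bridge gateway, so a missing entry fails loudly instead of falling through to a resolver that may answer with a public ad server. The entrypoint line at the end is hypothetical, and the hosts-file contents the check is exercised against are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or its compose setup: refuse to
# start if host.docker.internal is missing from /etc/hosts or resolves outside
# the private ranges where a Docker bridge gateway can live.

# is_private_ipv4 ADDR -> exit 0 if ADDR is in an RFC 1918 range
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_host_entry NAME [HOSTS_FILE] -> prints the address NAME is pinned to in
# HOSTS_FILE (default /etc/hosts) if it is a private address; otherwise reports
# the problem on stderr and fails, so an entrypoint can stop before nginx runs.
check_host_entry() {
  name=$1; hosts=${2:-/etc/hosts}
  # first non-comment line whose hostname fields contain NAME; print its address
  addr=$(awk -v n="$name" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$hosts")
  if [ -z "$addr" ]; then
    echo "$name: no /etc/hosts entry, resolution would fall through to DNS" >&2
    return 1
  fi
  if ! is_private_ipv4 "$addr"; then
    echo "$name: $addr is not a private address; check your resolver" >&2
    return 1
  fi
  echo "$addr"
}

# Hypothetical entrypoint usage, placed after the hosts entry is written and
# before exec nginx:
#   check_host_entry host.docker.internal >/dev/null || exit 1
```

With this in place the failure the post describes becomes a one-line error at container start naming the public address, rather than an nginx upstream timeout that only makes sense once you have run whois on it.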

Cross-referencing default gateway and Barefruit, I found an old thread [3] that seems to indicate that my ISP is most definitely interfering with my DNS requests. Since I'm using Virgin Media's SuperHub 3, which no longer allows you to choose your own custom DNS server, I think I'll be going into modem mode and setting up my own Raspberry Pi router in the coming weeks.