[conspire] Another DNS trick: Making domains go away
Daniel Gimpelevich
daniel at gimpelevich.san-francisco.ca.us
Sat Jun 10 04:05:43 PDT 2006
There have apparently been three changes to the file since this posting:
//"googleadservices.com" are Internet advertisers (Google, Inc.).
// As with yimg.com (which see), techtarget.com is a mixed bag, of
// advertising and legitimate news. All of these are judgement calls, folks.
//
////"techtarget.com" are Internet advertisers (TechTarget, Inc.).
// The blackhoing of yimg.com is commented out (disabled) because it turns
// out that the site carries not only advertising but also still images
// from commercial movies. The point is worth noting: I've tried to
// blackhole only domains I believe to be utterly worthless (offering
// nothing but advertising), but there's alway the possibility that I'm
// misinformed.
//
// //yimg.com must die, too; same reasons as for Doubleclick (Yahoo, Inc.).
Not sure what "blackhoing" is...
On Wed, 14 Dec 2005 18:04:50 -0800, Rick Moen wrote:
> One of the invited talks at the 2005 LISA conference was "Internet
> Counter-Intelligence: Offense and Defense", by Lance Cottrell, head of
> Anonymizer, Inc. In part, he detailed what one might term just how low
> Internet-using companies tend to go, in their manipulation of their
> customers through technical means. Jim Dennis, who was attending with
> me, also found the talk very worthwhile and technically valuable, but
> mentioned as we left that his biggest reaction was one of irritation --
> not at Cottrell, but rather at Internet businesses.
>
> Cottrell went into a fair amount of detail about how a surprisingly high
> percentage of firms deploy user-tracking and IP-geolocation services to
> ensure their ability to set differential pricing. In part, that means
> offering lower prices in some places than others: He gave the example
> of a real-life purchase of some expensive computer gear that the same
> firm offered at _twice_ the price to people browsing from European IP
> addresses than to those coming from American IPs.
>
> Mostly, though, the firms work really hard to ensure that competitive,
> attractive pricing is offered _only_ to newer customers, and that they
> gradually (but invisibly) jack up greatly the prices offered to you
> once you're an established customer. He commented: Forget about
> rewarding customer loyalty. The opposite is the general rule.
>
> There's some danger that you, reading this, might think the syndrome
> occurs with companies some _other_ people deal with, in part because I
> can't remember many of the numerou everyday company names he cited: I
> remember that Amazon.com and Barnes & Noble were among them, and many
> others -- and we're not talking trivial price differences, either.
>
> To Cottrell's credit, he didn't present this talk primarily as a sale
> pitch for Anonymizer's proxying service, that among other things
> completely hides your network location. But because of his experience
> with that project, his analysis was fully credible.
>
>
> On the drive back from LISA, aspects of Cottrell's talk (of which there
> were others, such as IP-blocking and forging for political and business
> reasons, information leakage, and the uses of those data in competitive
> business intelligence efforts) kept colliding in my head with a
> longstanding project of mine:
>
> Many, many years ago, I started wanting for various reasons to want to
> make particular hostnames, domains, and IP addresses evaporate from my
> experience of the Internet. Among the first Internet entities to annoy
> me to that extent was Doubleclick.net (now owned by Microsoft
> Corporation). Around the 1980s, something they were doing annoyed me
> enough that they were the first crash-test dummy for my "make things go
> away" project. At first, this was in /etc/hosts and similar
> static-lookup files, which on account of some obvious drawbacks didn't
> work too well:
>
> 127.0.0.2 ad.doubleclick.net
> 127.0.0.3 missed-me.doubleclick.net
> 127.0.0.4 another-one.doubleclick.net
> 127.0.0.5 tom.doubleclick.net
> 127.0.0.6 dick.doubleclick.net
> 127.0.0.7 harry.doubleclick.net
>
> This sort of thing made a huge number of banner ads (etc.) go away, by
> mapping their hostnames to my loopback network interface, but the supply
> of new hostnames was endless, plus it helped only that one machine (that
> had the /etc/hosts file), plus it didn't catch traffic fetched by IP
> address.
>
> The more-comprehensive solution (including catching references by IP) was
> something elaborate like Junkbuster, but I wanted to see if there was an
> easy 95% solution.
>
>
> Pretty soon, I remembered: "Oh, wait! I run a DNS nameserver." Which
> provided an easy way to make all of *.doubleclick.net go bye-bye, in
> one easy step, inside /etc/bind/named.conf.local:
>
> //doubleclick.net must die. Internet advertisers (DoubleClick, Inc.).
> zone "doubleclick.net" {
> type master;
> allow-query { any; };
> file "/etc/bind/advertisers.zone";
> };
>
> Even if you never create /etc/bind/advertisers.zone at all, it still
> works because you've said "Pay no attention to any other nameserver's
> information about Doubleclick.net hostnames: I know all." But here's
> the advertisers.zone file I created, anyway:
>
> $TTL 86400
> ;Generic make-advertisers-go-away zonefile. Put YOUR IP address in the
> ;A line, and YOUR nameserver name in the NS line.
> @ IN SOA ns1.linuxmafia.COM. rick.deirdre.NET. (
> 2005112300 ; serial
> 7200 ; refresh 3 hours
> 3600 ; retry 1 hour
> 2419200 ; expire 1000 hours
> 86400 ; minimum 24 hours
> )
> ;
> IN NS ns1.linuxmafia.com.
> * IN A 198.144.195.186
>
> The wildcard "A" line resolves *.doubleclick.net to my hostname. You
> could of course map it to somewhere else creative, or whatever you wish.
> The point is, _no_ call to those hostnames to pick up a cookie, a banner
> ad, a "Web bug" (or "beacon") 1x1 pixel GIF, or anything else is going
> to get out to those bloodsuckers. Effectively, they get summarily and
> completely vanished.
>
>
> Over the years since the '80s, occasionally one of those firms would
> come to my attention with some "cute" variation on Doubleclick.net's
> advertising-blitz-and-spy-on-users business model, and get dropped into
> the same oubliette. "yimg.com" (Yahoo Images) was an early addition.
>
> You learn some of the euphemisms as you go along: Some of the firms
> sell "market intelligence", "research", "Web metrics", "dynamic personal
> messages", "measured response", "targeted promotions", and so on.
>
> Now, I certainly can't spend significant time on this stuff: I don't
> have that time to waste. However, I'm occasionally willing to devote a
> little on a high-bang-for-the-buck basis, especially if I can "bottle"
> what progress I've made, and offer it up to others. Thus this posting:
>
>
> As I've found domains used entirely or almost entirely for the more
> scummy sorts of Internet-spying and advertising activities, I've
> been declaring my nameserver "authoritative" for them in exactly the way
> shown above for doubleclick.net -- which means they get included in my
> prototype BIND9 example files, that I publish for the public's benefit.
>
> If you want to see the whole set, in a format that can be dropped
> effortlessly into BIND8/BIND9 nameserver configurations, download
> http://linuxmafia.com/pub/linux/network/bind9-examples-linuxmafia.tar.gz
>
> Following is the comments lines (only) from the "make domains go away"
> section of /etc/bind/named.conf.local :
>
>
>
> //Domains Killed Dirt Cheap:
> //(advertising and similar domains mapped via local DNS to nowhere at all)
>
> //"2o7.com" issues traffic-tracking cookies (run by Omniture, Inc.).
>
> //"360i.com" are Internet advertisers (360 Integrated, run by 360i LLC.).
>
> //"3dstats.com" are Web-bug advertisers (ImagineNET Company)
>
> //"ad-up.com" are Internet advertisers and sell e-mail address lists
> // (Ad-Up Corporation).
>
> //"adbot.com" were big Internet advertisers, but went broke and are now
> // probably harmless: Owned by Cameron Gregory, Web/Java developer.
>
> //"adjuggler.com" are Internet advertisers (Thruport Technologies, Inc.).
>
> //"adknowledge.com" are Web-bug advertisers (Adknowledge, Inc.).
>
> //"adlegend.com" are Web-bug advertisers (run by TruEffect, Inc.).
>
> //"adrevolver.com" are Web-bug advertisers (run by BlueLithium, Inc.).
>
> //"adriver.ru" are Internet advertisers
>
> //"adserver.com" are Internet advertisers (Fastclick, Inc.).
>
> //"adsmart.com" are Internet advertisers (run by Web holding company CMGI).
>
> //"adtech.de" are Internet advertisers (ADTECH AG).
>
> //"alexa.com" are Internet advertisers (Alexa Internet, Inc.)
>
> //"advertising.com" are Web-bug advertisers (Advertising.com, Inc.).
>
> //"apmebf.com" are Web-bug advertisers (part of ValueClick, Inc.).
>
> //"atdmt.com" issue traffic-tracking cookies (part of Atlas,
> // division of aQuantive, Inc.).
>
> //"atlas.cz" are Czech-language Internet advertisers (ATLAS.CZ, a.s.).
>
> //"atwola.com" are Web-bug advertisers (part of AOL, Inc.).
>
> //"belnk.com" are Internet advertisers (BehaviorLink, in Claria's Vista
> //division).
>
> //"bfast.com" are Internet advertisers (part of ValueClick, Inc.)
>
> //"bizrate.com" are Internet advertisers (Shopzilla, Inc.).
>
> //"blm.net" are Internet advertisers (BrowserMedia, LLC).
>
> //"bluelithium.com" are Internet advertisers (BlueLithium, Inc.).
>
> //"bluestreak.com" are Internet advertisers (Bluestreak, Inc.).
>
> //"bravenet.com" issue traffic-tracking cookies (Bravenet Web Services Inc.).
>
> //"burstnet.com" are Internet advertisers (Burst Media LLC).
>
> //"burstbeacon.com" are Internet advertisers (Burst Media LLC).
>
> //"casalemedia.com" are Internet advertisers (Casale Media, Inc.).
>
> //"centrport.net" are Internet advertisers (CentrPort, Inc.).
>
> //"checkm8.com" are Internet advertisers (Checkm8 Technologies, Inc.)
>
> //"clickability.com" are Internet advertisers (Clickability, Inc.)
>
> //"clicktracks.com" issue traffic-tracking cookies (ClickTracks Analytics Inc.)
>
> //"clickz.com" issue traffic-tracking cookies (Incisive Interactive Marketing,
> //LLC).
>
> //"cnnaudience.com" are Internet advertisers (Turner Broadcasting System, Inc.)
>
> //"contextweb.com" are Internet advertisers (ContextWeb, Inc.).
>
> //"coremetrics.com" are Internet advertisers (Coremetrics, Inc.).
>
> //"criticalmass.com" are Internet advertisers (Critical Mass, part of
> // Omnicom Group, Inc.).
>
> //"did-it.com" are Internet advertisers (Did-it.com, LLC).
>
> //"dogpile.com" are Internet advertisers run by infospace.com (InfoSpace, Inc.).
>
> //"domainsponsor.com" are Internet advertisers (Oversee.net)
>
> //doubleclick.net must die. Internet advertisers (DoubleClick, Inc.).
>
> //"esomniture.com" are Web-bug publishers (Omniture, Inc.).
>
> //"falkag.net" are Internet advertisers (Falk eSolutions AG).
>
> //"fastclick.com" are Internet advertisers (Fastclick, Inc.).
>
> //"fastclick.net" are Internet advertisers (Fastclick, Inc.).
>
> //"focalink.com" are Internet advertisers (Focalink Communications).
>
> //"gemius.pl" issue traffic-tracking cookies (Gemius S.A.)
>
> //"gureport.co.uk" issue traffic-tracking cookies (Guardian Newspapers, Ltd.)
>
> //"hitbox.com" are Web-bug publishers (WebSideStory, Inc.).
>
> //"hitslink.com" are Web-bug publishers (Net Applications, Inc.).
>
> //"hitsprocessor.com" are Web-bug publishers (Net Applications, Inc.).
>
> //"humanclick.com" are Internet advertisers (LivePerson, Inc.).
>
> //"imrworldwide.com" are Internet advertisers (NetRatings, Inc., in
> //collaboration with AC Nielsen and Nielsen Media Research).
>
> //"indextools.com" are Internet advertisers (IndexTools, Inc.)
>
> //"information.com" are Internet advertisers (Oversee.net)
>
> //"infospace.com" serve up ads from ads.infospace.com (InfoSpace, Inc.).
>
> //"insightexpressai.com" are Internet advertisers (InsightExpress, LLC).
>
> //"itadnetwork.co.uk" are Internet advertisers (Net Communities Limited)
>
> //"kanoodle.com" are Internet advertisers (Kanoodle.com, Inc.).
>
> //"linkexchange.com" come across as sleazemeisters. Advertisers dealing
> // in questionable page-rank deals (Microsoft Corporation).
>
> //"liveperson.com" are Internet advertisers (LivePerson. Inc.).
>
> //"liveperson.net" are Internet advertisers (LivePerson. Inc.).
>
> //"maxserving.com" are Internet advertisers (Ask Jeeves, Inc.).
>
> //"medialand.ru" are Internet advertisers (Medialand.Ru, Ltd.).
>
> //"mediaplex.com" are Internet advertisers (Mediaplex, Inc.).
>
> //"myaffiliateprogram.com" are Internet advertisers (KowaBunga Technologies,
> // part of Think Partnership Inc. / CGI Holding Corporation)
>
> //"nbcupromotes.com" are Internet advertisers (NBC/Universal Promotions).
>
> //"netservice.de" are German-language Internet advertisers.
>
> //"nozonedata.com" are Internet advertisers (NoZone, Inc.).
>
> //"nytdigital.com" are Internet advertisers (The New York Times Company)
>
> //"omniture.com" are Web-bug advertisers (Omniture, Inc., the people
> // who run 2o7.com).
>
> //"onestat.com" are a Dutch traffic-tracking company.
>
> //"optimost.com" are Internet advertisers (Optimost LLC)
>
> //"poindextersystems.com" are Internet advertisers (Poindexter Systems, Inc.)
>
> //"pointroll.com" are Web-bug advertisers (run by Gannett Company, Inc.).
>
> //"preferences.com" appear to serve up ads from ads.preferences.com
> // (RHCDirect LLC).
>
> //"questionmarket.com" issue traffic-tracking cookies (Dynamic Logic).
>
> //"realmedia.com" are Internet advertisers (24/7 Real Media, Inc.)
>
> //"remoteapproach.com" collect spy-on-users data from Acrobat 7.x
> // and later for the benefit of Adobe Systems, Inc.
>
> //"revenue.net" are Internet advertisers (Oversee.net)
>
> //"revsci.net" are Internet advertisers (Revenue Science, Inc.)
>
> //"riddler.com" advertise from various subdomains (Riddler LLC).
>
> //"rightmedia.com" are Web-bug advertisers (the people who run yieldmanager.com,
> // Right Media, LLC).
>
> //"ru4.com" are Web-bug advertisers (Pointdexter Systems).
>
> //"sageanalyst.net" are Internet advertisers (sbasoft, Inc./SageMetrics Corp.).
>
> //"seeq.com" are Internet advertisers (BrowserMedia, LLC).
>
> //"serving-sys.com" are Internet advertisers (Ilissos).
>
> //"sitestat.com" issues traffic-tracking cookies (Nedstat BV)
>
> //"smartadserver.com" are Internet advertisers (auFeminin.com SA).
>
> //"specificclick.com" are Web-bug advertisers (SpecificCLICK).
>
> //"specificclick.net" are Web-bug advertisers (SpecificCLICK).
>
> //"spylog.com" issue traffic-tracking cookies (OOO Spylog)
>
> //"statcounter.com" issues traffic-tracking cookies (Aodhan Cullen of Dublin).
>
> //"tacoda.com" are Internet advertisers (TACODA Systems, Inc.).
>
> //"techbuyer.com" are Web-bug advertisers (YesDirect, Inc.)
>
> //"techtarget.com" are Internet advertisers (TechTarget, Inc.).
>
> //"trafficmp.com" are Internet advertisers (Vendare Group, Inc.)
>
> //"tribalfusion.com" are Internet advertisers (Tribal Fusion, Inc.)
>
> //"trueffect.com" are Web-bug advertisers (TruEffect, Inc. the people
> // who run adlegend.com).
>
> //"ultramercial.com" are Internet advertisers (Ultramercial, LLC).
>
> //"valueclick.com" serve up ads from oz.valueclick.com (ValueClick, Inc.).
>
> //"valueclick.net" are Internet advertisers (ValueClick, Inc.).
>
> //"webads.nl" are Internet advertisers (Webads Europe)
>
> //"webstats4u.com" are Web-bug publishers (Web Measurement Servicews B.V.).
>
> //"webtrendslive.com" are Web-bug advertisers (WebTrends, Inc.).
>
> //"wiredminds.com" are Internet advertisers (WiredMinds, Inc.).
>
> //"wiredminds.de" are Internet advertisers (WiredMinds AG).
>
> //"yadro.ru" are Internet advertisers
>
> //"yieldmanager.com" are Web-bug advertisers (run by RightMedia, Inc).
>
> //yimg.com must die, too; same reasons as for Doubleclick (Yahoo, Inc.).
>
> //"zedo.com" are Internet advertisers (ZEDO, Inc.).
>
>
> (Those characterisations aren't very exact, so don't take them as
> gospel. I looked at each domain's known activity just long enough to
> class them as "Should be made to go away", and wrote a quick guess at
> what each one seemed to be mostly about.)
>
> One neat thing is: _Any_ DNS-client machine that uses your nameserver
> will be under your umbrella. Their processes, like yours, will have
> those same bloodsucker domains globally mapped to oblivion.
>
>
> This can be a two-edged sword, given contrary-minded local users: My
> mother-in-law Cheryl, who lives with us and initially had her
> workstations set up to use my nameserver, kept coming to me and
> complaining that she was being blocked from reaching desirable content
> by my proxy.
>
> I explained I had no proxy. She continued to complain, and was certain
> it was my fault.
>
> It occurred to me that I had mapped *.doubleclick.net hostnames to
> nowhere -- but I stressed that there was _nothing_ but undesirable
> crudware ever retrieved from those URLs, and she really shouldn't want
> to have that rubbish back.
>
> She continued to complain: My nameserver was generating "broken links",
> so obviously I must be depriving her of stuff she wants. She knew that
> those those links weren't broken anywhere except from home, so obviously
> I was impairing her Internet experience.
>
> I looked: Indeed, there were 404s being generated (because of the
> particular variety of oblivion I was then mapping the domain to). Every
> one of those 404s was objectively undesirable junk.
>
> She complained. I stressed that I wasn't filtering her Internet traffic,
> just resolving certain domains locally. If she didn't like my
> nameserver policy, she was welcome to use any of millions of others, or
> run her own.
>
> She complained. I reiterated that her shortage of banner ads, Web bugs,
> and spy cookies wasn't my problem.
>
> She complained. I sat down at her machine and repointed them to Raw
> Bandwidth's nameservers.
>
> Moral: No good deed goes unpunished.
>
>
>
> It would be nice if Deirdre had the house Apple Airport base station
> referencing my nameserver IP (only) for the DNS IP that it passes to
> DHCP clients. However, I'm betting it doesn't. Crying shame, that.
>
>
>
> http://linuxmafia.com/pub/linux/network/bind9-examples-linuxmafia.tar.gz
> has one other special feature: a file called "maps-lawsuits".
>
> Many years ago, I managed to make the day of Paul Vixie, DNS expert and
> founder of the anti-spam MAPS Project, Inc., at the end of one of his
> lectures at BayLISA: I told him that, the day Yesmail, Inc. got a
> temporary restraining order against MAPS for announcing an intention to
> put Yesmail's IPs in its DNS blocklist (alleging tortious interference
> in Yesmail's business affairs), I sent an e-mail to several high
> executives at Yesmail and its entire sales department: Paul Vixie and
> MAPSs, I said, would eventually get around to forgiving them for their
> actions. By contrast, I pointed out, they'd just managed to piss off
> just about every sysadmin in the world, and the oceans would dry up, the
> sun would burn out, and the universe would suffer heat death before
> _they_ would either forgive or forget.
>
> Therefore, I said, I predicted a long eternity of their IP addresses
> gracing a large number of sysadmins' null-route lists, and hoped they
> considered the sacrifice worthwhile.
>
> The "maps-lawsuits" file details each of the five firms that sued MAPS
> on what in my view were specious and disreputable grounds -- including,
> in some cases, who owns those firms now. I hope to add specific IP
> address lists, soon.
>
> Being mindful of the restraint-of-trade statutes, I certainly won't tell
> anyone _else_ to null-route those firms' IP addresses. You could, for
> example, send them Christmas cards. Let your conscience be your guide.
More information about the conspire
mailing list