Phorm and Cookies

James Firth ukcrypto at chiark.greenend.org.uk
Thu, 3 Apr 2008 10:01:00 +0100


On 02 April 2008 21:32, Ian Batten wrote:
> On 21 Mar 2008, at 11:24, Dave Howe wrote:
> > Ian Batten wrote:
> >> On 21 Mar 08, at 1050, Dave Howe wrote:
> >>> Charles Lindsey wrote:
> >>>> Moreover, I have even seen it suggested that BT may be fiddling
> >>>> with the DNS so as to thwart those who try to block their
> >>>> machines from speaking to webwise (BT customers might be well
> >>>> advised to buy their DNS service from someone other than BT).
> >>>
> >>> .. assuming BT doesn't simply redirect packets to competing DNS
> >>> providers to their own as well...
> >>>
> >> Which would surely be Computer Misuse Act stuff?
> >
> > IIRC, they already do this for packets on port 25. 53 is "just
> > another number" :)
> 
> 
> Actually, they don't appear to.  I happened to want to test a new
> mailserver at work, and I telnet'd to port 25 on it from home quite
> happily.    I've just checked the DNS by doing `dig
> @offsite.batten.eu.org ns .' from my home machine, while running
> tcpdump on a batten.eu.org machine located elsewhere, and
> 
> 21:28:53.040400 host86-146-XXXX.range86-146.btcentralplus.com.58641 > XXXX.batten.eu.org.domain:  50146+ NS? . (17)
> 21:28:53.182720 XXXX.batten.eu.org.domain > host86-146-XXXX.range86-146.btcentralplus.com.58641:  50146- 13/0/14 NS M.ROOT-SERVERS.NET., (500) (DF)
> 
> So I don't believe my BT residential broadband connection is hijacking
> either port 25 or port 53.
> 

If ISPs do block ports, it is usually only inbound traffic, i.e. servers you
run from home.  It has been rumoured that outbound traffic has been
intercepted for certain port numbers at the height of worm attacks such as
Doom and Netsky.

As far as I can tell, blocking traffic (i.e. refusing to pass messages)
based on IP port numbers is completely legal.  The ISP is choosing only to
implement certain services, distinguishable by traffic information in the IP
header.

HOWEVER I sincerely hope that there are no ISPs who are surreptitiously
redirecting outgoing DNS requests intended for third-party name servers and
handling them internally.  I know this is analogous to HTTP caching, but
caching is defined in the HTTP protocol and not in DNS.

Anyone with any firm evidence of this would be welcome to pass it to me or
the list.  I would be outraged.
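Added example, not part of the thread above and not anyone's posted code: a self-contained version of the check Ian Batten describes, sending `NS .` to a name server you control and then looking at what actually comes back. It hand-builds the same 17-byte query that tcpdump shows for his dig (12-byte header, 1-byte root name, type, class), parses the reply including compression pointers, and reports anything that does not look like an honest answer from the address you sent to. The server address 192.0.2.1, the transaction id 0x1234 and the sample reply are placeholders constructed for the example. One caveat the code itself spells out: an interceptor that NATs the reply will make it appear to come from the server you addressed, so the local source-address check only catches crude redirection, and the conclusive test remains tcpdump on the far end, as in the quoted message.

```python
"""Self-check for transparent interception of outbound DNS (port 53).

Added example, not from the original ukcrypto thread.  Builds an `NS .`
query like `dig @server ns .`, and checks a reply for: wrong source
address, wrong transaction id, not a response, error rcode, or NS
targets outside root-servers.net.  Caveat: an interceptor that NATs the
reply passes the source-address check; tcpdump on the server you own
(the test in the thread) is the conclusive one.  192.0.2.1 and the
transaction id 0x1234 are placeholders.
"""
import socket
import struct
from typing import Dict, List, Tuple

NS_TYPE = 2                      # RR type NS
ROOT_NS_SUFFIX = b"root-servers.net"


def build_query(txid: int, rd: bool = True) -> bytes:
    """`NS .` query: 12-byte header + root name (1 byte) + type + class = 17 bytes,
    the size tcpdump reports for the dig query quoted in the thread."""
    flags = 0x0100 if rd else 0x0000          # RD bit, as dig sets by default
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x00" + struct.pack(">HH", NS_TYPE, 1)   # name ".", class IN
    return header + question


def _read_name(data: bytes, offset: int) -> Tuple[bytes, int]:
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels: List[bytes] = []
    end = offset
    jumped = False
    hops = 0
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            jumped = True
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length])
        offset += length
    return (b".".join(labels).lower() or b"."), end


def parse_response(data: bytes) -> Dict:
    """Parse header, skip the question, collect NS targets from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4                              # qtype + qclass
    targets: List[bytes] = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == NS_TYPE:
            target, _ = _read_name(data, off)   # rdata may point back into the packet
            targets.append(target)
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "ancount": an, "ns_targets": targets}


def check_reply(sent_txid: int, server_ip: str, reply_from: str, reply: bytes) -> List[str]:
    """Return findings about a reply; an empty list means nothing looked redirected."""
    findings = []
    if reply_from != server_ip:
        findings.append(f"reply came from {reply_from}, not {server_ip}")
    r = parse_response(reply)
    if r["id"] != sent_txid:
        findings.append("transaction id mismatch")
    if not r["qr"]:
        findings.append("not a response")
    if r["rcode"] != 0:
        findings.append(f"rcode {r['rcode']}")
    if r["ancount"] == 0:
        findings.append("empty answer section")
    bad = [t for t in r["ns_targets"] if not t.endswith(ROOT_NS_SUFFIX)]
    if bad:
        findings.append("unexpected NS targets: " + ", ".join(b.decode() for b in bad))
    return findings


def probe(server_ip: str, txid: int = 0x1234, timeout: float = 3.0) -> List[str]:
    """Live check: send the query over UDP/53 and examine whatever answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid), (server_ip, 53))
        data, (src, _port) = s.recvfrom(4096)
    return check_reply(txid, server_ip, src, data)


def build_sample_reply(txid: int) -> bytes:
    """Constructed reply to `NS .` with two root-server records; the second
    uses a compression pointer to offset 30 ("root-servers.net" in the first)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 2, 0, 0)   # QR, RD, RA
    question = b"\x00" + struct.pack(">HH", NS_TYPE, 1)
    a_root = b"\x01a\x0croot-servers\x03net\x00"
    rr1 = b"\x00" + struct.pack(">HHIH", NS_TYPE, 1, 3600000, len(a_root)) + a_root
    m_root = b"\x01m\xc0\x1e"
    rr2 = b"\x00" + struct.pack(">HHIH", NS_TYPE, 1, 3600000, len(m_root)) + m_root
    return header + question + rr1 + rr2


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; use probe("192.0.2.1") live.
    print(check_reply(0x1234, "192.0.2.1", "192.0.2.1", build_sample_reply(0x1234)))
```

Run `probe()` against a server you control while capturing on that server, as in the quoted test: if the local checks pass but the capture shows no query arriving, the reply was manufactured somewhere in between.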