
Backups.backupdb, Little Snitch and obnoxious ISP help

So, Little Snitch, which you need to buy, understand, and use, picked up a late-night habit of reporting attempts to connect to Backups.backupdb.  It bothered me. I did some digging. I was late to the party because my ISP had made a change I hadn’t noticed.

Apparently, for reasons unknown (to me anyway), Time Machine goes looking for a thing called ‘Backups.backupdb’ via SunRPC and will seek it as if it were a host in the mythical top-level domain .backupdb, even when Time Machine is turned off.

The reason Little Snitch reports an attempt to connect to an actual host is that some weasel at my ISP decided that hijacking my typos of domain names in browsers etc. was a revenue opportunity. To them, my typo was a great excuse to run a search and show me the results on a page full of ads instead of just returning NXDOMAIN and letting my browser say “I can’t find the host you typed, you fumblefingered fathead” like it should.

Because they want to show me ads, any domain, even a non-existent one, ‘resolves’, and a web server spams me with the aforementioned ‘help’: search results for what they think I meant to type, alongside a bunch of ads to cover the cost of being so nice to me. SunRPC, having been told that yes, somebody is out there listening, presumably proceeds to try to shovel my files off to it for safekeeping. Little Snitch asks me and I say “Deny”. Noticed something here? Little Snitch’s job is to tell you when anything initiates a connection you didn’t explicitly ask for, and to get your permission first. Think software might be phoning home? Little Snitch will catch it. Think you have a trojan? Little Snitch will catch it.

How did I end up with this non-standard (sub-standard) DNS? I didn’t choose to use OpenDNS, because I don’t need yet another intermediary in my life and I don’t need content filtering. My ISP decided to make DNS a revenue opportunity. The fix, such as it is, seems to be working: I now use the IPs of the real name servers at my ISP and not the ones run by these ‘monetizers’.

So, conclusions:

  1. Get Little Snitch.
  2. Check to see if your ISP is ‘helping you out’ by returning search results when you typo a domain: not a file location but the domain name (the part between the http:// and the next /).
  3. Complain to them about the ‘help’.
  4. Find out how to access their real domain name servers and not the ones they are using to show you ads.
  5. Poke at Apple to make Time Machine be actually off when you turn it off.
  6. Poke at Apple and try and get an answer for why, on or off, users don’t have a readily available control to say “don’t go to the network”.
  7. Read these links and learn more about this.
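
As an added example (not part of the original post), a small Python script that performs the check in item 2 against whatever resolver the system is currently using: it looks up random names that cannot exist and reports any that come back with an address. The PROBE_DOMAINS set and the function names are my own choices.

```python
import random
import socket
import string

# Constructed probe set: a random label under a real domain should not exist,
# and ".invalid" is a reserved TLD that can never resolve (RFC 2606).
PROBE_DOMAINS = ("example.com", "invalid")

def random_label(length=16):
    """A throwaway hostname label that nobody has registered."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))

def system_resolve(name):
    """Resolve via the OS stub resolver. Returns a sorted list of addresses,
    or None when the lookup fails (NXDOMAIN, or a resolver that is down)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return None

def detect_nxdomain_rewrite(resolve=system_resolve, domains=PROBE_DOMAINS, attempts=2):
    """Query random nonexistent names and report any that 'resolve'.

    A clean resolver answers None for every probe. If probes get answers, the
    ISP is rewriting NXDOMAIN; the same address coming back for names under
    unrelated domains is the signature of a single search/ad web server."""
    details = {}
    for domain in domains:
        for _ in range(attempts):
            name = f"{random_label()}.{domain}"
            details[name] = resolve(name)
    answered = {n: a for n, a in details.items() if a}
    shared = set.intersection(*(set(a) for a in answered.values())) if answered else set()
    return {
        "hijacked": bool(answered),
        "answered": answered,
        "shared_addresses": sorted(shared),
        "details": details,
    }

if __name__ == "__main__":
    result = detect_nxdomain_rewrite()
    if result["hijacked"]:
        print("NXDOMAIN rewriting detected; bogus answers:")
        for name, addrs in result["answered"].items():
            print(f"  {name} -> {', '.join(addrs)}")
        if result["shared_addresses"]:
            print("Same address for unrelated domains:", ", ".join(result["shared_addresses"]))
    else:
        print("No answer for any probe; the resolver is returning NXDOMAIN as it should.")
```

Run it once with the ISP's advertised resolver and once after switching to the real name servers; the "shared_addresses" line is the one that identifies the ad server.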

Wired story about what Dan Kaminsky found by way of a security hole you could drive a bus through with this sort of ‘helpful service’.
An Advisory from the ICANN Security and Stability Advisory Committee (SSAC) July 2004
An Advisory from the ICANN Security and Stability Advisory Committee (SSAC) June 2008
This Blog Post from Mac Lab

This thread on Macintouch
Schneier on Security – Hacking ISP Error Pages

Finally, tell me if you learn more about this issue, I and others would like to know.

Oh, and Apple? More granular control of Time Machine, even if buried under an ‘Advanced Options’ button or something would be very nice. K’ Thanks Bye!


  1. sherm
    September 18th, 2010 at 10:24 | #1

    Mac OS X is UNIX – run your own name server! :-)

    Start a root shell with “sudo bash”. Then, as root:

    rndc-confgen > /etc/rndc.conf
    head -n 6 /etc/rndc.conf > /etc/rndc.key

    Add a “forwarders” section to the “options” section of /etc/named.conf, so it looks like this:

    options {
        directory "/var/named";
        forwarders {
            128.8.10.90;
        };
    };

    128.8.10.90 is one of the 13 root servers. I use it because it’s physically close, at the U of Maryland. Named will only hit the root server if it has no local record, or if its local record is stale.

    The named launch daemon is disabled by default, so edit /System/Library/LaunchDaemons/org.isc.named.plist and change the value for the “Disabled” key to False.

    Finally, in the Network pane of System Preferences, set your DNS Server to 127.0.0.1. You can also point other machines on your LAN to your new local DNS server.

    Not only does this prevent DNS requests from being “hijacked,” it makes a noticeable difference in speed, especially if your ISP’s DNS servers perform badly.

  2. sherm
    September 18th, 2010 at 10:29 | #2

    especially if your ISP’s DNS servers perform badly.

    Incidentally, you’ll be surprised at how often that turns out to be the case. Quite often, an ISP’s “outage” is nothing more than their DNS servers going AWOL, or slow performance the result of them being overloaded.

  3. September 18th, 2010 at 11:11 | #3

    You have very strong Kung Fu Sherm!

    And, yeah, actually I think they started using that ‘service’ after a stretch of DNS outages.

    I wonder if this might be useful even on an ‘as needed’ basis like if one is using uncertain networks. Run your own DNS, use SSL/SSH for everything and reduce risk of being man-in-the-middled?

    Of course, everyone hitting the root servers kinda undermines the whole point of distributed name service so, all other things being equal, I think I’d encourage people to pester their ISPs to provide unpolluted DNS and keep a stash of IPs for other trusted servers on file.

  4. sherm
    September 18th, 2010 at 11:33 | #4

    @Jon Alper
    You don’t have to use the root servers – you could use the real name servers from your ISP if you’d prefer. You’ll get the performance benefit either way.
