DNS redirection (or DNS hijacking, depending on who you ask) is now officially "Comcastic!" after the cable company yesterday began a nationwide deployment of its "Domain Helper" service. The new product, which has been tested in trial markets since July 9, redirects nonexistent domain names like www.clinteckergoatbonedbyhisnewbicycle.com to a search page slathered in advertising instead of letting the resolver return the proper DNS error (NXDOMAIN) to the browser. Readers began reporting the change to us yesterday.

Comcast says that the new service is "here to help you," but critics have made their own feelings clear—"this is a piece of CRAP," wrote one. While purists object to Comcast messing with "proper" DNS behaviors, others don't appreciate what feels like nothing more than an attempt to make money off users misspelling domains.

Domain Helper currently kicks in only when the name ends in a properly spelled top-level domain (such as ".com") and the name in front of it is not registered. When activated, Domain Helper redirects users to a comcast.com page that is powered by Yahoo Bing search. The layout of the results, however, suggests that the goals are less about helping you find your intended destination and more about presenting you with ads.

To begin, the redirect page displays "sponsored results" (ads) above its suggestions for your intended destination. To the right, Comcast invites users to "Get More Out of Your Subscription" and to "Upgrade Your Services." To the left, you get "narrow your search" options which favor advertising categories. To its credit, Comcast includes an opt-out, but it's not particularly friendly.

Comcast's opt-out page requires subscribers to enter both an e-mail address and the MAC address from their cable modem. Providing a MAC address to opt out is not only cumbersome, but to many Joe Sixpack users it's arcane, and probably not worth the effort. It's less of an opt-out and more of a hassle-out, if you catch our drift.

Comcast does offer a page of explanation, noting that the MAC number is printed on the modem and may begin with any of the following: CABLE, CABLE RF MAC, CM, CM MAC, CMAC, HFC MAC, RF, or RF MAC—which is not at all confusing. The example graphic provided shows a label with two lengthy numbers on it, one beginning with "RF MAC" and the other with "RG MAC." The numbers differ by a single character, but enter the wrong one and you're out of luck, even though both are "MAC" numbers.

Here's how one Comcast user described the opt-out process in a comment made on Comcast Voice, the Official Comcast Blog:

While I realize customers can opt-out of this program, the opt-out procedures are less than simple. To recap my opt-out process, I had to: (a) click a link in an email, (b) enter my Comcast email address, (c) go down into the back part of my basement, (d) take my cable modem off the wall, (e) jot down the MAC addresses on the back of the modem, (f) come back to my computer and view a help screen on Comcast's site to try to identify the appropriate MAC address, (g) enter the MAC address, (h) submit the form, (i) wait for a confirmation email from Comcast, and (j) follow a link in the email to confirm my opt-out. In reality, I'm still stuck at h, as I have not yet received my confirmation email. Thank you, thank you, Comcast, for making it so simple for me to opt-out of a service I never opted-in for in the first place.

Instead of opting out, customers can also use another DNS provider, though anyone confused by trying to input a modem MAC number is unlikely to find configuring their router's DNS much easier.

When Comcast publicized the service during testing back in July, its announcement attracted 114 unremittingly negative comments. One of the feistier ones asked, "Has the entire staff over there been possessed by demons? ... I am aghast, I can't tell you the last time I witnessed such unmitigated arrogance on the part of a corporate entity. Are you friggin serious? You all have utterly taken leave of your senses."

Making DNS hijacking an IETF standard

That's not the way Comcast sees it, of course. The company has submitted a document describing DNS redirection to the Internet Engineering Task Force, hoping to establish a set of best practices for such services. The engineers who wrote it clearly don't want to degrade the customer experience: they propose that redirects not override or block user DNS settings, that they not slow down DNS queries, that they not rewrite valid DNS responses (only NXDOMAIN answers), and that the opt-out be effective (i.e., not rely on cookies or IP addresses to identify opted-out machines). But "best practices for opt-out DNS redirection" is a bit like "best practices for jabbing yourself in the ribs with a sharp stick."

Technically savvy users don't want the service, which replaces the normal NXDOMAIN (non-existent domain) response from DNS servers with a synthesized answer pointing at Comcast's search page. Changing the expected behavior of DNS creates problems for every client that isn't a Web browser, as the Comcast engineers themselves acknowledge.

"It is important to note that this technology can directly impact non-Web clients such as instant messaging, VPNs, FTP, email filters, [and] related DNS queries. Thus, special exclusions may need to be made in order to prevent unintentional side effects," they note.
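One way to see the NXDOMAIN override for yourself, rather than take the redirect page's word for it, is to query a resolver for a random label that cannot possibly be registered and inspect the raw reply: an honest resolver returns rcode 3 (NXDOMAIN), while a redirecting one returns NOERROR with an A record for the search page. The script below is an added example, not Comcast's code and not anything from the IETF document; the resolver address (RESOLVER, defaulting to 127.0.0.1) and the constructed replies built by _fake_response() are assumptions used so the classifier can be exercised offline.

```python
"""Detect NXDOMAIN rewriting (Domain Helper-style redirection) in raw DNS replies.

Added example, not Comcast's code and not from the IETF draft. When run live it
assumes a plain UDP resolver at RESOLVER (default 127.0.0.1, an assumption); the
constructed replies from _fake_response() let the classifier run offline.
"""
import os
import secrets
import socket
import struct

RESOLVER = os.environ.get("RESOLVER", "127.0.0.1")  # assumption: UDP/53 resolver to test


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Wire-format DNS A query (RD=1, class IN) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(buf: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def classify_response(query: bytes, response: bytes) -> dict:
    """Decide whether the reply for a name that cannot exist is honest or rewritten."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        _, off = _read_name(response, off)
        off += 4                               # QTYPE + QCLASS
    addrs = []
    for _ in range(an):                        # collect A records from the answer section
        _, off = _read_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    if rcode == 3:
        verdict = "clean"          # proper NXDOMAIN
    elif rcode == 0 and addrs:
        verdict = "redirected"     # a name that does not exist "resolved" anyway
    else:
        verdict = "unexpected"     # SERVFAIL, REFUSED, empty NOERROR, ...
    return {"rcode": rcode, "addresses": addrs, "verdict": verdict}


def probe(resolver: str = RESOLVER, timeout: float = 3.0) -> dict:
    """Ask the resolver for a random label under .com and classify its reply."""
    name = f"nx-{secrets.token_hex(8)}.com"    # random label: cannot be a registered name
    q = build_query(name, qid=secrets.randbelow(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    result = classify_response(q, data)
    result["name"] = name
    return result


def _fake_response(query: bytes, rcode: int, answers=()) -> bytes:
    """Constructed reply for offline testing: echo the question, set rcode, add A RRs."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in answers)
    return header + query[12:] + rrs


if __name__ == "__main__":
    print(probe())
```

Point RESOLVER at whatever address your modem hands out via DHCP and run it; a "redirected" verdict with the same address every time is the Domain Helper at work. Because the check uses a fresh random label per run, it also sidesteps any cache the resolver might keep, and a "clean" verdict is exactly the NXDOMAIN that non-Web clients (mail filters, VPNs, instant messaging) depend on.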

Despite the negative response that the issue always draws from the techheads, DNS redirection is like an addiction that the industry can't shake. Because it's a source of "free revenue" and doesn't draw nearly the same sorts of privacy complaints as do URL-sniffers like NebuAd and Phorm, Internet companies continue to try redirection.

Verisign, which operates the .com and .net registries, tried a similar service called SiteFinder back in 2003, but DNS overseer ICANN shut down the experiment within weeks. In 2006, ISP Earthlink announced a redirect service of its own. In 2007, Verizon thought about getting into the game with "Advanced Web Search" (which also broke applications that relied on NXDOMAIN messages).

This year, Bell Canada has also rolled out a DNS redirection service to Canadians—who also get the same service from Rogers Cable.

None of these services has been opt-in.

As mentioned above, Comcast's implementation currently kicks in only when the top-level domain is valid, but the company says that a future update will also do redirects when the top-level domain is misspelled or missing.