nanog mailing list archives
Re: Hey, SiteFinder is back, again...
From: David Conrad <drc () virtualized org>
Date: Mon, 5 Nov 2007 12:50:30 -0800
On Nov 5, 2007, at 11:54 AM, Steven M. Bellovin wrote:
>> On Nov 5, 2007, at 8:23 AM, David Lesher wrote:
>>> What affect will Allegedly Secure DNS have on such provider hijackings, both of DNS and crammed-in content?
>> If what Verizon is doing is rewriting NXDOMAIN at their caching servers, DNSSEC will _not_ help. Caching servers do the validation and the insertion of the search engine IP addresses in the response would occur after the validation.
> Depends on whether or not the endpoints delegate DNSSEC validation to Verizon. They don't have to.
Right. People can run their own caching servers and can set up those servers to do DNSSEC validation after setting up (and maintaining) trust anchors for any DNSSEC signed zone they might want to validate. Of course, if they do this, the NXDOMAIN redirection won't be an issue since the customer will be bypassing the caching server that is doing the redirection...
As an aside, I note that Verizon is squatting on address space allocated to APNIC. From the self-help web page offered to opt out of this "service" (specific to the particular hardware customers might be using, e.g., http://netservices.verizon.net/portal/link/help/item?case=c32535), they state:
"5. Change the last octet of the Primary & Secondary DNS Server addresses to 14.
Example: You look up the DNS information and the server numbers are:
123.123.123.12 Primary DNS
123.123.123.12 Secondary DNS
You would change the addresses to the following when statically assigning them to the computer or modem/router.
123.123.123.14 Primary DNS
123.123.123.14 Secondary DNS
Note that the .14 is the special set of servers that will opt you out of the DSN Assistance program."
123.0.0.0/8 is delegated to APNIC who have allocated it to CNC Group in China:
% whois -h whois.apnic.net 123.123.123.0
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 123.112.0.0 - 123.127.255.255
netname: CNCGROUP-BJ
descr: CNCGROUP Beijing province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
...

Regards,
-drc
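Added example, not part of the original message: because the rewriting discussed above happens at the caching server, a client can check for it by asking that resolver for a name that cannot exist and looking at whether the reply is NXDOMAIN or a synthesized A record. The function names, the probe name under the reserved .example TLD, and the sample replies (built inline, not captured traffic) are assumptions made for this sketch.

```python
import socket
import struct

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name: str, qid: int) -> bytes:
    """Recursive A/IN query (RD=1) for name."""
    return struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!2H", 1, 1)

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:                    # root label ends the name
            return off

def classify(query: bytes, resp: bytes):
    """Return (verdict, [A addresses]) for a probe of a name known not to exist."""
    if len(resp) < 12:
        return "malformed", []
    rid, flags, qd, an, _, _ = struct.unpack("!6H", resp[:12])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "mismatch", []         # wrong transaction ID or not a response
    if flags & 0xF == 3:
        return "nxdomain", []         # honest negative answer
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4            # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ("rewritten" if addrs else "other"), addrs

# Constructed sample data: one probe and two possible replies to it.
PROBE = build_query("nxprobe-7f3a9c.example", 0x1234)
HONEST = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0) + PROBE[12:]
REWRITTEN = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + PROBE[12:]
             + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
             + socket.inet_aton("192.0.2.80"))    # documentation address
```

Against a live resolver, PROBE would be sent over UDP port 53 and the reply passed to classify(); a "rewritten" verdict also returns the address the redirection points at.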