nanog mailing list archives
Re: DNS and nxdomain hijacking
From: Mark Andrews <marka () isc org>
Date: Wed, 06 Nov 2013 15:01:00 +1100
In message <20131106033003.GB6728 () dyn com>, Andrew Sullivan writes:
> On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
> > I think every major residential ISP in the US has been doing this for 5+ years now.
>
> Comcast doesn't, because it breaks DNSSEC.

Only if you are validating. BIND supports DNSSEC aware NXDOMAIN redirection. If the NXDOMAIN response is verifiable and you set DO=1 on the query the redirection will not occur. Similar logic is implemented in DNS64 support.

> A
>
> --
> Andrew Sullivan
> Dyn, Inc.
> asullivan () dyn com
> v: +1 603 663 0448

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka () isc org
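
An added example, not part of the original message and not BIND code: a Python check that compares a resolver's answers for the same nonexistent name asked with DO=0 and with DO=1, the distinction the reply above describes. The query name, the header-only sample responses and the verdict strings are constructed for illustration; the name is assumed to lie in a signed zone, so that its NXDOMAIN is verifiable.

```python
import struct

DO_BIT = 0x8000  # DNSSEC OK flag inside the EDNS0 OPT TTL field (RFC 3225)
NOERROR, NXDOMAIN = 0, 3

def build_query(name, do=False, qid=0x1234):
    """Build an A/IN query; with do=True, append an EDNS0 OPT record with DO=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if do else 0)  # RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b""
    if do:
        # Root owner name, TYPE=OPT(41), CLASS=UDP payload size 4096,
        # TTL=ext-rcode/version/flags with DO set, RDLENGTH=0.
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)
    return header + question + opt

def parse_header(msg):
    """Return the RCODE and answer count from a DNS message header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"rcode": flags & 0x000F, "ancount": ancount}

def classify(resp_do0, resp_do1):
    """Compare the two responses received for a name known not to exist."""
    plain, dnssec = parse_header(resp_do0), parse_header(resp_do1)

    def rewritten(h):
        # A redirecting resolver answers NOERROR with synthesized records.
        return h["rcode"] == NOERROR and h["ancount"] > 0

    if rewritten(plain) and rewritten(dnssec):
        return "redirects even with DO=1"
    if rewritten(plain) and dnssec["rcode"] == NXDOMAIN:
        return "redirects only when DO=0"
    if plain["rcode"] == NXDOMAIN and dnssec["rcode"] == NXDOMAIN:
        return "no redirection"
    return "inconclusive"

def sample_response(rcode, ancount):
    """Constructed header-only response (QR=1, RD=1, RA=1) for the demo."""
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 0, ancount, 0, 0)

if __name__ == "__main__":
    print(build_query("nx.example", do=True).hex())
    print(classify(sample_response(NOERROR, 1), sample_response(NXDOMAIN, 0)))
```

To use it against a real resolver, send the two `build_query` outputs over UDP port 53 and pass the raw replies to `classify`.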