nanog mailing list archives

Re: DNS and nxdomain hijacking


From: Mark Andrews <marka () isc org>
Date: Wed, 06 Nov 2013 15:01:00 +1100


In message <20131106033003.GB6728 () dyn com>, Andrew Sullivan writes:
> On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
> 
> > I think every major residential ISP in the US has been doing this for 5+
> > years now.
> 
> Comcast doesn't, because it breaks DNSSEC.

Only if you are validating.

BIND supports DNSSEC aware NXDOMAIN redirection.  If the NXDOMAIN
response is verifiable and you set DO=1 on the query the redirection
will not occur.

Similar logic is implemented in DNS64 support.

> A
> 
> -- 
> Andrew Sullivan
> Dyn, Inc.
> asullivan () dyn com
> v: +1 603 663 0448

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
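The check a resolver operator or a curious client would run to see which of the two behaviours above they are getting, as an added example that is not part of the thread and is not BIND code: it builds an A query for a probe name with the EDNS0 DO bit set, parses the wire-format reply, and classifies it as a signed NXDOMAIN, an unsigned NXDOMAIN, or a synthesised positive answer. The probe name, the transaction id, the `probe()` helper and the three sample replies are constructed here so the script runs offline; only the stdlib is used.

```python
"""Client-side probe for NXDOMAIN rewriting (added example, not from the thread or BIND)."""
import socket
import struct

TYPE_A, TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 1, 6, 41, 46
RCODE_NXDOMAIN = 3
PROBE_NAME = "nxdomain-probe.example."   # constructed: a name that must not exist


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid=0x1234, do_bit=True):
    """Standard query (RD=1) for an A record with an EDNS0 OPT record.
    The DO flag is the high bit of the OPT record's TTL field (RFC 3225)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if do_bit else 0, 0)
    return header + question + opt


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1


def parse_response(buf):
    """Parse header, skip the question, and collect (type, rdata) per section."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", buf, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(buf, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            off += 10
            sections[section].append((rtype, buf[off:off + rdlen]))
            off += rdlen
    return {"txid": txid, "rcode": flags & 0x0F, "ad": bool(flags & 0x0020), **sections}


def classify(buf):
    """Classify a reply to a probe for a name known not to exist."""
    r = parse_response(buf)
    if r["rcode"] == RCODE_NXDOMAIN:
        signed = any(t == TYPE_RRSIG for t, _ in r["authority"])
        return "signed-nxdomain" if signed else "unsigned-nxdomain"
    if r["rcode"] == 0 and any(t == TYPE_A for t, _ in r["answer"]):
        return "positive-answer"       # the resolver synthesised an answer for a missing name
    return "other"


def verdict(reply_do1, reply_do0):
    """Compare replies to DO=1 and DO=0 probes of the same resolver."""
    if classify(reply_do1) == "positive-answer":
        return "rewrites NXDOMAIN even for DO=1 queries (breaks validating clients)"
    if classify(reply_do0) == "positive-answer":
        return "rewrites NXDOMAIN only for DO=0 queries (DNSSEC-aware redirection)"
    return "no NXDOMAIN rewriting observed"


def probe(resolver_ip, do_bit, timeout=2.0):
    """Send the probe over UDP to a resolver and return the raw reply (network; not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(PROBE_NAME, do_bit=do_bit), (resolver_ip, 53))
        return s.recv(4096)


# Constructed sample replies (owner names are compression pointers to the question at offset 12).
def _rr(rtype, rdata, ttl=60):
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def _reply(rcode, answer=(), authority=(), ad=False):
    flags = 0x8180 | (0x0020 if ad else 0) | rcode     # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    question = encode_name(PROBE_NAME) + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(answer) + b"".join(authority)


SIGNED_NXDOMAIN = _reply(RCODE_NXDOMAIN, authority=(_rr(TYPE_SOA, b"\x00" * 22), _rr(TYPE_RRSIG, b"\x00" * 40)), ad=True)
UNSIGNED_NXDOMAIN = _reply(RCODE_NXDOMAIN, authority=(_rr(TYPE_SOA, b"\x00" * 22),))
REDIRECTED = _reply(0, answer=(_rr(TYPE_A, bytes([192, 0, 2, 1])),))

if __name__ == "__main__":
    print(verdict(SIGNED_NXDOMAIN, REDIRECTED))
```

Against a live resolver the call is `verdict(probe(ip, True), probe(ip, False))`; the middle verdict is the BIND behaviour Mark describes (a verifiable NXDOMAIN returned untouched to a DO=1 query, a synthesised answer to a DO=0 one), and the first verdict is the case that breaks validating stubs.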

