nanog mailing list archives
Re: Level(3) DNS Spoofing All Domains
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 20 Nov 2019 00:23:28 +0800
On Wed, Nov 20, 2019 at 12:07 AM Mel Beckman <mel () beckman org> wrote:

> Frontier and Verizon have been doing it for years. They have simply thumbed their noses at NXDOMAIN. All in the name of capturing data and eyeballs By Any Means Necessary.

Verizon USED to do this on the former UUnet customer cache resolvers (notably: 198.6.1.1 and its ilk) ... but:

$ dig @198.6.1.1 dad.ads123j.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2315
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dad.ads123j.com. IN A

;; AUTHORITY SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1574180221 1800 900 604800 86400

my understanding was that this was discontinued eventually when the 'product':
  1) made no appreciable money for the cost of operation
  2) paxfire died in a fire
  3) the ProjectManager responsible inside VZB got canned...

I didn't think they brought this back to life... I hope they did not :(

Maybe you meant the VZ dsl/fios customer cache devices were/are doing this? oh :(

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43555
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dad.ads123j.com. IN A

;; ANSWER SECTION:
dad.ads123j.com. 0 IN A 92.242.140.21

;; Query time: 22 msec
;; SERVER: 71.250.0.12#53(71.250.0.12)

that's unfortunate for all of VZ's landline/dsl/fios folks :( bummer.

> -mel
>
> On Nov 19, 2019, at 8:00 AM, Matthew Pounsett <matt () conundrum com> wrote:
>
>> On Tue, 19 Nov 2019 at 10:57, Patrick Schultz <lists-nanog () schultz top> wrote:
>>
>>> Just to weigh in: Here in Germany, the largest internet provider (Deutsche Telekom) did the same thing. It's basically just a "search guide", it redirects you to a search page and assumes you just had a typo in the URL. Telekom stopped doing that in April, after a user reported them to the district attorney for supposed data manipulation, a misdemeanor.
>>
>> If your entire Internet is just the web then it's perhaps not a big deal. But there are a lot of protocols that depend on proper functioning of NXDOMAIN. If you recall, Verisign got in a bunch of trouble for doing that back in the day at the authoritative level.
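
The two dig captures in the message above can be told apart mechanically. The following is an added example, not part of the original post: it parses dig output for a probe name the tester knows does not exist and reports whether the resolver preserved or rewrote NXDOMAIN. The function names and verdict strings are assumptions of this example; the captures are copied from the message with the OPT pseudosection lines trimmed.

```python
import re

# The two dig responses quoted in the message above (OPT lines trimmed),
# for the same nonexistent name, from two different resolvers.
HONEST = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2315
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;dad.ads123j.com. IN A
;; AUTHORITY SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1574180221 1800 900 604800 86400
"""
REWRITTEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43555
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;dad.ads123j.com. IN A
;; ANSWER SECTION:
dad.ads123j.com. 0 IN A 92.242.140.21
;; Query time: 22 msec
;; SERVER: 71.250.0.12#53(71.250.0.12)
"""

def parse_dig(text):
    """Extract rcode, resolver and A-record answers from dig output."""
    status = re.search(r"status: (\w+)", text)
    server = re.search(r"^;; SERVER: ([0-9a-fA-F.:]+)#", text, re.M)
    section, answers = None, []
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
        elif section == "ANSWER" and line and not line.startswith(";"):
            f = line.split()  # name, ttl, class, type, rdata
            if len(f) >= 5 and f[3] == "A":
                answers.append((f[0], int(f[1]), f[4]))
    return {"status": status.group(1) if status else None,
            "server": server.group(1) if server else None,
            "answers": answers}

def classify(text):
    """Verdict for a probe of a name the tester knows does not exist."""
    r = parse_dig(text)
    if r["status"] == "NXDOMAIN" and not r["answers"]:
        return "nxdomain-preserved"
    if r["status"] == "NOERROR" and r["answers"]:
        return "nxdomain-rewritten"
    return "inconclusive"  # SERVFAIL, NODATA, or a truncated capture
```

Running the same check over several freshly generated random labels and comparing the returned addresses makes the verdict more robust than a single probe.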