On Sat, Aug 06, 2011 at 01:25:18PM -0500, Jimmy Hess wrote:
On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-post@rsuc.gweep.net>wrote:
On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:
Correct, I don't believe that any of the providers noted are actually [snip]
Disappointing that nanog readers can't read http://www.paxfire.com/faqs.php and get a clue, instead all the mouth-flapping about MITM and https. While
Maybe instead of jumping to the conclusion that NANOG readers should "get a clue", you should actually do a little more research than reading a glossyware/vacant FAQ that doesn't actually explain everything Paxfire is reported to do, how it works, and what the criticism is?
I'm not jumping to conclusions, merely speaking to evidence. My personal experience involves leaving a job at a network that insisted on implementing some of this dreck. There is a well-known, long-standing "monetization" by breaking NXDOMAIN. DSLreports and plenty of other end-user fora have been full of information regarding this since Earthlink started doing it in ... 2006?
Changing NXDOMAIN queries to an ISP's _own_ recursive servers is old hat, and not the issue.
That sentence makes no sense. Hijacking NXDOMAIN doesn't have anything to do with pointing to a recursive resolver, but with returning a partner/affiliate web site, search "helper" site or proxy instead of the NXDOMAIN.
What the FAQ doesn't tell you is that the Paxfire appliances can tamper with DNS traffic received from authoritative DNS servers not operated by the ISP. A Paxfire box can alter NXDOMAIN queries, and queries that respond with known search engines' IPs, to send your HTTP traffic to their HTTP proxies instead.
This is finally something new, and I retract my assertion that the New Scientist got it wrong. Drilling through to actual evidence and details, rather than descriptions which match previous behavior, we have both http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf (a little indirect with 'example.com', etc.) and http://www.payne.org/index.php/Frontier_Search_Hijacking (with actual domains) providing detail on the matter.

Cheers!

Joe

-- 
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
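The thread above describes two Paxfire behaviors: rewriting NXDOMAIN answers into A records for a partner site, and rewriting answers for known search-engine names. The first is easy to check from any host: resolve a random name that cannot exist and see whether RCODE 3 (NXDOMAIN) comes back or an A record does. The following is an added example, not code from the NANOG thread, Paxfire, or any of the linked papers. It builds and parses DNS wire format with the standard library only; the probe name, the 203.0.113.10 address and both sample responses are constructed so the script runs offline. `probe_resolver()` is the only function that touches the network and is not called at import.

```python
"""Detect NXDOMAIN rewriting by a recursive resolver (added example, stdlib only)."""
import random
import socket
import string
import struct

RCODE_NXDOMAIN = 3


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Standard A query for qname with the RD bit set, uncompressed QNAME."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("B", len(lab)) + lab.encode("ascii")
        for lab in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Read a (possibly compressed) name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return the ID, RCODE and the A-record IPs found in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x000F, "answers": ips}


def classify(resp: dict) -> str:
    """Classify a response to a query for a name that should not exist."""
    if resp["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"          # honest answer
    if resp["rcode"] == 0 and resp["answers"]:
        return "rewritten"         # A record for a nonexistent name: someone is rewriting
    return "inconclusive"          # SERVFAIL, empty NOERROR, etc.


def random_probe_name(zone: str = "com") -> str:
    """A 16-letter random label under zone; collisions with real names are negligible."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
    return f"{label}.{zone}"


def probe_resolver(resolver_ip: str, qname: str, timeout: float = 3.0) -> dict:
    """Live check (network required): send the query over UDP/53 and parse the reply."""
    query = build_query(qname, qid=random.randrange(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def build_response(query: bytes, rcode: int, ips=()) -> bytes:
    """Constructed resolver response: echo the question, set rcode, append A records."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(ips), 0, 0)  # QR, RD, RA
    answers = b""
    for ip in ips:
        answers += struct.pack("!H", 0xC00C)  # name = pointer to the question name
        answers += struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:] + answers


# Constructed sample data: one honest NXDOMAIN, one rewritten to a TEST-NET-3 address.
PROBE = "qzkxrmwpvtghbncd.example"
QUERY = build_query(PROBE)
HONEST = build_response(QUERY, RCODE_NXDOMAIN)
REWRITTEN = build_response(QUERY, 0, ["203.0.113.10"])

if __name__ == "__main__":
    for label, raw in (("honest", HONEST), ("rewritten", REWRITTEN)):
        parsed = parse_response(raw)
        print(label, parsed, "->", classify(parsed))
```

To test a live resolver, call `classify(probe_resolver("192.0.2.53", random_probe_name()))` with your ISP's resolver address (the address here is a placeholder). Checking the second behavior, rewritten answers for real search-engine names, cannot be done this way: it requires comparing the resolver's answer against the authoritative servers for that zone, which this example leaves out.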