All, I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo, etc.) networks lately. How is this being done?? Is it a magic box or some kind of subscription service? Are any of you doing it? //warren
On Tue, Nov 5, 2013 at 2:38 PM, Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
> I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo,

I believe these ISPs have been servicing a mucked up recursive DNS like this for quite a while. Yes, this traffic hijacking and modification of DNS server replies is very uncool for users. Yes, they do it anyways, on their own recursive DNS servers; which they can do of course, on their own DNS servers.

> etc.) networks lately. How is this being done?? Is it a magic box or some kind of subscription service?

Both. There are multiple providers specializing in ISP DNS traffic monetization, that are well-known, with multiple articles about them; you redirect DNS traffic, or insert a sniffer box between recursive DNS servers and users, the hijacking provider monetizes the NXDOMAIN traffic, the ISP gets a small share. I won't be surprised if they have 50 salesmen monitoring this list, trampling each other to be the first to respond to your 'solicitation' now <G>

> Are any of you doing it?

I only know of very large residential providers doing it. This is believed to not be something Enterprise IT or business clients will tolerate, of their ISP. For one thing, NXDOMAIN response tampering breaks DNS-based spam filtering / hostname verification features.

> //warren

--
-JH
On 11/5/13, 7:25 PM, "Jimmy Hess" <mysidia@gmail.com> wrote:
> On Tue, Nov 5, 2013 at 2:38 PM, Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
>> I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo,
> I believe these ISPs have been servicing a mucked up recursive DNS like this for quite a while.

I think every major residential ISP in the US has been doing this for 5+ years now. I worked at one provider who made a pretty decent chunk of change off the monthly ad revenue and that was 6 years ago. People typo a lot of URLs.

Charter (my current ISP) does let you disable it via the web.

Phil
Just as a side note, I don't think MS supports NXDOMAIN redirections yet, which is rather surprising. Given I highly doubt anyone is using this external resolvers, which redirection is usually for.

Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222

On Nov 5, 2013, at 7:57 PM, Phil Bedard <bedard.phil@gmail.com> wrote:
> On 11/5/13, 7:25 PM, "Jimmy Hess" <mysidia@gmail.com> wrote:
>> On Tue, Nov 5, 2013 at 2:38 PM, Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:
>>> I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo,
>> I believe these ISPs have been servicing a mucked up recursive DNS like this for quite a while.
> I think every major residential ISP in the US has been doing this for 5+ years now. I worked at one provider who made a pretty decent chunk of change off the monthly ad revenue and that was 6 years ago. People typo a lot of URLs.
>
> Charter (my current ISP) does let you disable it via the web.
>
> Phil
http://en.wikipedia.org/wiki/Response_policy_zone

RPZ functionality has been widely adopted in the past few years. Also known as "DNS Firewall".

On Tue, Nov 5, 2013 at 10:30 PM, Andrew Sullivan <asullivan@dyn.com> wrote:
> On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
>> I think every major residential ISP in the US has been doing this for 5+ years now.
> Comcast doesn't, because it breaks DNSSEC.
>
> A
>
> -- Andrew Sullivan Dyn, Inc. asullivan@dyn.com v: +1 603 663 0448

-- Ray Patrick Soucy Network Engineer University of Maine System T: 207-561-3526 F: 207-561-3531 MaineREN, Maine's Research and Education Network www.maineren.net
In message <20131106033003.GB6728@dyn.com>, Andrew Sullivan writes:
> On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
>> I think every major residential ISP in the US has been doing this for 5+ years now.
> Comcast doesn't, because it breaks DNSSEC.

Only if you are validating. BIND supports DNSSEC aware NXDOMAIN redirection. If the NXDOMAIN response is verifiable and you set DO=1 on the query the redirection will not occur. Similar logic is implemented in DNS64 support.

> A
>
> -- Andrew Sullivan Dyn, Inc. asullivan@dyn.com v: +1 603 663 0448

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
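
Added example, not part of any message in this thread: a Python check a client can run to see whether its resolver rewrites NXDOMAIN, and whether setting DO=1 on the query changes that, as described in the message above. The function names, the constructed reply headers and the random label under `.invalid` (reserved by RFC 6761) are assumptions of this example.

```python
import os
import socket
import struct

def build_query(name, do_bit=True, txid=None):
    """Encode an A query with an EDNS0 OPT record; DO is flag 0x8000 in its TTL field."""
    txid = struct.unpack("!H", os.urandom(2))[0] if txid is None else txid
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!2H", 1, 1)            # QTYPE=A, QCLASS=IN
    # OPT RR: root owner, TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if do_bit else 0, 0)
    return header + question + opt

def classify(response):
    """Classify the reply to a query for a name that is known not to exist."""
    if len(response) < 12:
        return "malformed"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    rcode = flags & 0x000F
    if rcode == 3 and ancount == 0:
        return "nxdomain"    # honest negative answer
    if rcode == 0 and ancount > 0:
        return "redirected"  # a nonexistent name came back with answer records
    return "other"           # SERVFAIL, empty NOERROR, and so on

def probe(resolver_ip, do_bit, parent="invalid", timeout=3.0):
    """Ask resolver_ip for a random, nonexistent label under `parent`."""
    name = os.urandom(8).hex() + "." + parent
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, do_bit), (resolver_ip, 53))
        return classify(s.recvfrom(4096)[0])

def check_resolver(resolver_ip):
    """Compare the resolver's behaviour with DO=0 and DO=1."""
    return {do_bit: probe(resolver_ip, do_bit) for do_bit in (False, True)}

# Constructed reply headers (not captured traffic), enough for classify():
HONEST_REPLY = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 1, 1)     # RCODE=3, no answers
REWRITTEN_REPLY = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)  # RCODE=0, one answer
```

A `check_resolver` result of `redirected` for DO=0 and `nxdomain` for DO=1 matches the DNSSEC-aware redirection behaviour described above.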
On 11/5/13, 11:01 PM, "Mark Andrews" <marka@isc.org> wrote:
> In message <20131106033003.GB6728@dyn.com>, Andrew Sullivan writes:
>> On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
>>> I think every major residential ISP in the US has been doing this for 5+ years now.
>> Comcast doesn't, because it breaks DNSSEC.
> Only if you are validating.

Exactly. And this was one of the central arguments that helped defeat the DNS redirection portions of SOPA/PIPA/ProtectIP/COICA.

Jason
On 11/5/13, 7:57 PM, "Phil Bedard" <bedard.phil@gmail.com> wrote:
> I think every major residential ISP in the US has been doing this for 5+ years now. I worked at one provider who made a pretty decent chunk of change off the monthly ad revenue and that was 6 years ago. People typo a lot of URLs.

There's less money in it than you'd think and the monetization rates are declining.

Jason
You can find a fairly good overview at http://tools.ietf.org/html/draft-livingood-dns-redirect-03

Comcast does not do this, see http://corporate.comcast.com/comcast-voices/comcast-domain-helper-shuts-down

Jason Livingood (Comcast)

On 11/5/13, 3:38 PM, "Warren Bailey" <wbailey@satelliteintelligencegroup.com> wrote:
> All, I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo, etc.) networks lately. How is this being done?? Is it a magic box or some kind of subscription service? Are any of you doing it? //warren
participants (9)
- Andrew Sullivan
- Eric Tykwinski
- Jimmy Hess
- Livingood, Jason
- Mark Andrews
- Phil Bedard
- Ray Soucy
- Sam Hayes Merritt, III
- Warren Bailey