US internet providers hijacking users' search queries

Joe Provo nanog-post at
Sun Aug 7 11:10:30 CDT 2011

On Sat, Aug 06, 2011 at 01:25:18PM -0500, Jimmy Hess wrote:
> On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-post at> wrote:
> > On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:
> > > Correct, I don't believe that any of the providers noted are actually
> > [snip]
> >   Disappointing that nanog readers can't read
> > and get a clue, instead all the mouth-flapping about MItM and https. While
> Maybe instead of jumping to the conclusion NANOG readers should "get a
> clue", you should actually do a little more research than reading a
> glossyware/vacant FAQ that doesn't actually explain everything Paxfire is
> reported to do, how it works, and what the criticism is?

I'm not jumping to conclusions, merely speaking to evidence. My 
personal experience involves leaving a job at a network that 
insisted on implementing some of this dreck. There is a well-known, 
long-standing "monetization" by breaking NXDOMAIN. DSLreports 
and plenty of other end-user fora have been full of information 
regarding this since Earthlink started doing it in ... 2006?

> Changing NXDOMAIN queries to an ISP's _own_ recursive servers is old hat,
> and not the issue.

That sentence makes no sense. Hijacking NXDOMAIN doesn't have anything
to do with pointing to a recursive resolver, but returning a partner/
affiliate web site, search "helper" site or proxy instead of the 

> What the FAQ doesn't tell you is that the Paxfire appliances can tamper
> with DNS traffic received from authoritative DNS servers not operated by
> the ISP. A paxfire box can alter NXDOMAIN queries, and queries that
> respond with known search engines' IPs, to send your HTTP traffic to
> their HTTP proxies instead.
> Ty,

This is finally something new, and I retract my assertion that the New
Scientist got it wrong. Drilling through to actual evidence and details,
rather than descriptions which match previous behavior, we have both (a little
indirect with '', etc) and (with actual
domains) provide detail on the matter.



         RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
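The NXDOMAIN "monetization" discussed in this thread (an honest resolver answers a query for a non-existent name with RCODE 3 and no answers; a rewriting resolver answers with RCODE 0 and an A record for a search-helper or proxy site) can be checked for with a small probe. The following script is an added example, not part of the original post or of any vendor's software: it builds a raw DNS query for a random label under a zone assumed to have no wildcard record (`example.com` is used as that assumption), parses the raw response, and classifies it. The sample packets at the bottom are constructed in-code so the parser and classifier can be exercised offline; `probe_resolver` sends a live query only when you call it.

```python
"""Detect NXDOMAIN rewriting by a recursive resolver (added example).

Honest resolver:    RCODE 3 (NXDOMAIN), ANCOUNT 0
Rewriting resolver: RCODE 0 (NOERROR), ANCOUNT >= 1 with an A record
                    pointing at a "search helper" / proxy host
"""
import random
import socket
import string
import struct

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid):
    """Standard recursive query: header (RD=1, QDCOUNT=1) + one A/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(name, qid, rcode, a_records=()):
    """Construct a minimal response; used here only to fabricate sample packets."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, RCODE=rcode
    header = struct.pack("!HHHHHH", qid, flags, 1, len(a_records), 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = b""
    for ip in a_records:
        # 0xC00C = compression pointer to the question name at offset 12
        answers += (b"\xc0\x0c"
                    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
                    + socket.inet_aton(ip))
    return header + question + answers


def skip_name(data, offset):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:               # two-byte compression pointer
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Return the transaction id, RCODE and any A records in the answer section."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4    # skip QTYPE + QCLASS
    a_records = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlen == 4:
            a_records.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"id": qid, "rcode": rcode, "a_records": a_records}


def classify(parsed):
    """Label a response to a query for a name that must not exist."""
    if parsed["rcode"] == RCODE_NXDOMAIN and not parsed["a_records"]:
        return "honest-nxdomain"
    if parsed["rcode"] == RCODE_NOERROR and parsed["a_records"]:
        return "nxdomain-rewritten"
    return "inconclusive"


def random_probe_name(zone="example.com"):
    """A random 16-letter label under a zone assumed to carry no wildcard."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(16))
    return "%s.%s" % (label, zone)


def probe_resolver(resolver_ip, zone="example.com", timeout=3.0):
    """Live check (network access required): query resolver_ip for a random name."""
    name = random_probe_name(zone)
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver_ip, 53))
        data, _ = s.recvfrom(512)
    parsed = parse_response(data)
    if parsed["id"] != qid:                     # mismatched id: do not trust it
        return "inconclusive"
    return classify(parsed)


# Constructed sample packets (not captured traffic); 203.0.113.10 is a
# documentation-range address standing in for a search-helper host.
SAMPLE_NAME = "qzvrkwplmxateuhs.example.com"
HONEST = build_response(SAMPLE_NAME, 0x1234, RCODE_NXDOMAIN)
REWRITTEN = build_response(SAMPLE_NAME, 0x1234, RCODE_NOERROR, ["203.0.113.10"])

if __name__ == "__main__":
    print("honest sample:   ", classify(parse_response(HONEST)))
    print("rewritten sample:", classify(parse_response(REWRITTEN)))
```

Run it against a resolver with `probe_resolver("<resolver ip>")`; a result of `nxdomain-rewritten` for a random label means the resolver is substituting an A record where NXDOMAIN belongs. A zone that legitimately publishes a wildcard would also answer with an A record, which is why the probe zone must be one known not to have one.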
