DNSSEC and ISPs faking DNS responses

Alarig Le Lay alarig at swordarmor.fr
Fri Nov 13 10:21:27 UTC 2015


On Fri Nov 13 04:27:36 2015, Jean-Francois Mezei wrote:
> I'll have to research how other countries tried to implement similar
> schemes (I believe the UK has with some of the popular torrent sites.
> 
> I know the Australian attempt to filter porn failed miserably.

We also have some torrent sites blocked in France, for exemple:
alarig at HP-Z210:~$ dig +noall +comments +answer t411.me @193.252.19.3
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38309
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1460
;; ANSWER SECTION:
t411.me.		16418	IN	A	127.0.0.1

alarig at HP-Z210:~$ dig +noall +comments +answer t411.me 
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41652
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; ANSWER SECTION:
t411.me.		70	IN	A	104.18.37.180
t411.me.		70	IN	A	104.18.36.180

But, if you look at the flags, there’s no ad, so no DNSSEC (my resolver
has DNSSEC enabled)

-- 
alarig
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: Digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20151113/f5c2c110/attachment.sig>


More information about the NANOG mailing list