US internet providers hijacking users' search queries

Jimmy Hess mysidia at
Sat Aug 6 13:25:18 CDT 2011

On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-post at> wrote:

> On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:
> > Correct, I don't believe that any of the providers noted are actually
> [snip]
>   Disappointing that nanog readers can't read
> and get a clue, instead all the mouth-flapping about MItM and https. While

Maybe instead of jumping to the conclusion NANOG readers should "get a
clue", you should actually do a little more research than reading a glossyware/
vacant FAQ that doesn't actually explain everything Paxfire is reported to
do, how it works, and what the criticism is?
I mean... don't you see a problem relying on _their own publication_ to
say what they are doing, when they might like to keep their methods quiet
to avoid negative attention?

Changing NXDOMAIN queries to an ISP's _own_ recursive servers is old hat,
and not the issue.

What the FAQ doesn't tell you is that the Paxfire appliances can tamper
with DNS traffic received from authoritative DNS servers not operated by
the ISP. A Paxfire box can alter NXDOMAIN queries, and queries that respond
with known search engines' IPs, to send your HTTP traffic to their HTTP
proxies instead.

In addition, some ISPs employ an optional, unadvertised Paxfire feature that
redirects the entire stream of affected customers' web search requests to
Bing, Google, and Yahoo via HTTP proxies operated by Paxfire. These proxies
seemingly relay most searches and their corresponding results passively, in
a process that remains invisible to the user. Certain keyword searches,
however, trigger active interference by the HTTP proxies.
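The two behaviours the post describes (NXDOMAIN answers rewritten into A records, and answers for search-engine hostnames replaced with the address of an HTTP proxy) can both be checked for from the client side by comparing what the ISP resolver returns against what the operator has verified out of band. The following detector is an added example written for this archive page; it is not code from the thread, from Paxfire, or from the research the post quotes. It works on already-parsed responses expressed as plain dicts so it runs offline; the hostnames, prefixes and addresses are constructed placeholders (RFC 5737 documentation ranges), not real search-engine addresses.

```python
"""Offline audit for two resolver-tampering patterns discussed on the list:

  1. NXDOMAIN rewriting: a name that cannot exist (a random canary label)
     comes back NOERROR with A records instead of NXDOMAIN.
  2. Search-answer substitution: a search-engine hostname resolves to an
     address outside the ranges the operator verified out of band, which
     is what redirection through a third-party HTTP proxy looks like.

Responses are dicts of the form
  {"name": str, "rcode": "NXDOMAIN" | "NOERROR", "answers": [ip, ...], "canary": bool}
Feeding real data in (e.g. from an ISP resolver vs. an independent one) is
left to the caller; everything below is constructed sample data.
"""

import ipaddress
import secrets

# CONSTRUCTED allow-list: hostnames and prefixes are placeholders (RFC 5737
# documentation ranges), standing in for ranges verified via an independent
# resolver or the engine's published address data.
KNOWN_GOOD = {
    "www.example-search.test": ["192.0.2.0/24", "198.51.100.0/24"],
}


def canary_name(zone="nxdomain-canary.test"):
    """Random label under a zone you control; it must never resolve, so any
    NOERROR answer with records is evidence of NXDOMAIN rewriting."""
    return f"{secrets.token_hex(8)}.{zone}"


def check_nxdomain_rewrite(response):
    """Flag a canary query that was answered with A records instead of NXDOMAIN."""
    if response.get("canary") and response["rcode"] == "NOERROR" and response["answers"]:
        return {
            "finding": "nxdomain_rewrite",
            "name": response["name"],
            "injected": list(response["answers"]),
        }
    return None


def check_search_redirect(response, known_good=KNOWN_GOOD):
    """Flag answers for an allow-listed hostname that fall outside its verified prefixes."""
    nets = [ipaddress.ip_network(p) for p in known_good.get(response["name"], [])]
    if not nets or response["rcode"] != "NOERROR":
        return None
    unexpected = [
        ip for ip in response["answers"]
        if not any(ipaddress.ip_address(ip) in net for net in nets)
    ]
    if unexpected:
        return {
            "finding": "search_answer_substituted",
            "name": response["name"],
            "unexpected": unexpected,
        }
    return None


def audit(responses, known_good=KNOWN_GOOD):
    """Run both checks over a batch of responses and return the findings."""
    findings = []
    for r in responses:
        for check in (check_nxdomain_rewrite, lambda x: check_search_redirect(x, known_good)):
            f = check(r)
            if f:
                findings.append(f)
    return findings


# CONSTRUCTED sample: one rewritten canary, one substituted search answer,
# one clean search answer. 203.0.113.9 plays the role of a proxy address.
SAMPLE_RESPONSES = [
    {"name": "a1b2c3d4e5f60718.nxdomain-canary.test", "canary": True,
     "rcode": "NOERROR", "answers": ["203.0.113.9"]},
    {"name": "www.example-search.test", "canary": False,
     "rcode": "NOERROR", "answers": ["203.0.113.9"]},
    {"name": "www.example-search.test", "canary": False,
     "rcode": "NOERROR", "answers": ["192.0.2.10"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
```

The canary check only proves rewriting for the resolver you queried; to distinguish an ISP-side rewrite from tampering in the path, compare the same query against a resolver reached over an authenticated transport and treat divergence, not any single answer, as the signal.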
