Earthlink Contact - DNS cache poisoning

Christopher Morrow morrowc.lists at
Sun Sep 25 01:07:16 UTC 2011

On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess <mysidia at> wrote:
> On Sat, Sep 24, 2011 at 7:43 PM, Will Dean <will at> wrote:
> The "JOMAX.NET" response is indicative that there's a Paxfire box
> in the mix, intercepting the DNS query (probably installed by the ISP).

I think actually.. Earthlink uses Barefruit? (or they did when ...
Kaminsky was off doing his destruction of the DNS liars gangs...)
Maybe the same backend is used though for the advertiser side?
(Barefruit provides the appliance, some third-party is the
advertiser/website-host... same for Paxfire?)

>> Anyone out there in Earthlink land? I am seeing what looks to be a cache poisoning attack on
>>         65535   IN      NS      WSC2.JOMAX.NET.
>>         65535   IN      NS      WSC1.JOMAX.NET.
> --
> -JH
