DNS and nxdomain hijacking

Jimmy Hess mysidia at gmail.com
Wed Nov 6 00:25:37 UTC 2013

On Tue, Nov 5, 2013 at 2:38 PM, Warren Bailey <
wbailey at satelliteintelligencegroup.com> wrote:

> I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo,

I believe these ISPs have been servicing a mucked up recursive DNS like
this for quite a while.

Yes, this traffic hijacking and modification of DNS server replies is very
uncool for users.    Yes, they do it anyways, on their own recursive DNS
servers; which they can do of course, on their own DNS servers.

> etc.) networks lately. How is this being done?? Is it a magic box or some
> kind of subscription service?

Both.   There are multiple providers specializing in ISP DNS traffic
monetization, that are well-known, with multiple articles about them;  you
redirect DNS traffic, or  insert a sniffer box between recursive DNS
servers and users,   the hijacking provider monetizes the NXDOMAIN traffic,
  the ISP gets a small share.

I  won't be surprised if they have  50 salesmen  monitoring this list,
 trampling each other to be the first to respond to your 'solicitation' now

Are any of you doing it?

I only know of very large residential providers doing it.

This is believed to not be something Enterprise IT  or business clients
 will tolerate, of their ISP.

For one thing,  NXDOMAIN response tampering breaks  DNS-based  spam
filtering / hostname verification features.

> //warren

More information about the NANOG mailing list