DNS and nxdomain hijacking
Jimmy Hess
mysidia at gmail.com
Wed Nov 6 00:25:37 UTC 2013
On Tue, Nov 5, 2013 at 2:38 PM, Warren Bailey <
wbailey at satelliteintelligencegroup.com> wrote:
> I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo,
I believe these ISPs have been servicing a mucked up recursive DNS like
this for quite a while.
Yes, this traffic hijacking and modification of DNS server replies is very
uncool for users. Yes, they do it anyways, on their own recursive DNS
servers; which they can do of course, on their own DNS servers.
> etc.) networks lately. How is this being done?? Is it a magic box or some
> kind of subscription service?
>
Both. There are multiple providers specializing in ISP DNS traffic
monetization, that are well-known, with multiple articles about them; you
redirect DNS traffic, or insert a sniffer box between recursive DNS
servers and users, the hijacking provider monetizes the NXDOMAIN traffic,
the ISP gets a small share.
I won't be surprised if they have 50 salesmen monitoring this list,
trampling each other to be the first to respond to your 'solicitation' now
<G>
> Are any of you doing it?
>
I only know of very large residential providers doing it.
This is believed to not be something Enterprise IT or business clients
will tolerate, of their ISP.
For one thing, NXDOMAIN response tampering breaks DNS-based spam
filtering / hostname verification features.
> //warren
>
--
-JH
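
Added example, not part of the original message: one way to check whether a recursive resolver modifies NXDOMAIN replies is to ask it for a random name under .invalid (reserved by RFC 6761) and read the reply header. The function names, the probe label and the constructed sample replies are assumptions of this sketch.

```python
import secrets
import socket
import struct

def build_probe(txid, label=None):
    """A-record query for a random label under .invalid (reserved by RFC 6761, never resolves)."""
    label = label or secrets.token_hex(8)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in (label, "invalid")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN

def classify(response, txid):
    """Classify a resolver's reply to the probe from its 12-byte DNS header."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:       # wrong transaction or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 3 and ancount == 0:
        return "nxdomain"                       # name error passed through untouched
    if rcode == 0 and ancount > 0:
        return "rewritten"                      # NOERROR plus answers for a name that cannot exist
    return "other"                              # SERVFAIL, REFUSED, empty NOERROR, ...

def probe(resolver_ip, timeout=3.0):
    """Send one probe over UDP to resolver_ip and classify the reply (needs network access)."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(txid), (resolver_ip, 53))
        return classify(s.recv(512), txid)

def sample_reply(query, rcode, answers=()):
    """Constructed reply for offline use: echo the question, set QR/RD/RA and the given RCODE."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in answers)           # name pointer to offset 12, type A, TTL 60
    return header + query[12:] + rrs

if __name__ == "__main__":
    q = build_probe(0x1234)
    print(classify(sample_reply(q, 3), 0x1234))                  # reply from an untouched resolver
    print(classify(sample_reply(q, 0, ["192.0.2.10"]), 0x1234))  # 192.0.2.10 is a documentation address
```

The result describes only the one name that was queried; it says nothing about how the resolver treats other names.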