DNS and nxdomain hijacking

• Previous message (by thread): DNS and nxdomain hijacking
• Next message (by thread): DNS and nxdomain hijacking
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <20131106033003.GB6728 at dyn.com>, Andrew Sullivan writes:
> On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
> > 
> > I think every major residential ISP in the US has been doing this for 5+
> > years now.
> 
> Comcast doesn't, because it breaks DNSSEC.

Only if you are validating.

BIND suppports DNSSEC aware NXDOMAIN redirection.  If the NXDOMAIN
response is verifiable and you set DO=1 on the query the redirection
will not occur.

Similar logic is implemented in DNS64 support.

> A
> 
> -- 
> Andrew Sullivan
> Dyn, Inc.
> asullivan at dyn.com
> v: +1 603 663 0448
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

• Previous message (by thread): DNS and nxdomain hijacking
• Next message (by thread): DNS and nxdomain hijacking
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]