Level(3) DNS Spoofing All Domains

Christopher Morrow morrowc.lists at gmail.com
Tue Nov 19 16:23:28 UTC 2019


On Wed, Nov 20, 2019 at 12:07 AM Mel Beckman <mel at beckman.org> wrote:
>
> Frontier and Verizon have been doing it for years. They have simply thumbed their noses at NXDOMAIN. All in the name of capturing data and eyeballs By Any Means Necessary.
>

Verizon USED to do this on the former UUnet customer cache resolvers
(notably: 198.6.1.1 and its ilk) ... but:

$ dig @198.6.1.1 dad.ads123j.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2315
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dad.ads123j.com. IN A

;; AUTHORITY SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1574180221 1800 900 604800 86400


My understanding was that this was discontinued eventually when the 'product':
  1) made no appreciable money for the cost of operation
  2) Paxfire died in a fire
  3) the project manager responsible inside VZB got canned...

I didn't think they brought this back to life... I hope they did not :(
Maybe you meant the VZ dsl/fios customer cache devices were/are doing this?
oh :(

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43555
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dad.ads123j.com. IN A

;; ANSWER SECTION:
dad.ads123j.com. 0 IN A 92.242.140.21

;; Query time: 22 msec
;; SERVER: 71.250.0.12#53(71.250.0.12)

that's unfortunate for all of VZ's landline/dsl/fios folks :( bummer.

>  -mel
>
> On Nov 19, 2019, at 8:00 AM, Matthew Pounsett <matt at conundrum.com> wrote:
>
> On Tue, 19 Nov 2019 at 10:57, Patrick Schultz <lists-nanog at schultz.top> wrote:
>>
>> Just to weigh in: Here in Germany, the largest internet provider (Deutsche Telekom) did the same thing.
>> It's basically just a "search guide", it redirects you to a search page and assumes you just had a typo in the URL.
>>
>> Telekom stopped doing that in April, after a user reported them to the district attorney for supposed data manipulation, a misdemeanor.
>
>
> If your entire Internet is just the web then it's perhaps not a big deal.  But there are a lot of protocols that depend on proper functioning of NXDOMAIN.  If you recall, Verisign got in a bunch of trouble for doing that back in the day at the authoritative level.
>>
>>


