Level(3) DNS Spoofing All Domains
Christopher Morrow
morrowc.lists at gmail.com
Tue Nov 19 16:23:28 UTC 2019
On Wed, Nov 20, 2019 at 12:07 AM Mel Beckman <mel at beckman.org> wrote:
>
> Frontier and Verizon have been doing it for years. They have simply thumbed their noses at NXDOMAIN. All in the name of capturing data and eyeballs By Any Means Necessary.
>
Verizon USED to do this on the former UUnet customer cache resolvers
(notably: 198.6.1.1 and its ilk) ... but:
$ dig @198.6.1.1 dad.ads123j.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2315
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dad.ads123j.com. IN A
;; AUTHORITY SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1574180221 1800 900 604800 86400
my understanding was that this was discontinued eventually when the 'product':
1) made no appreciable money for the cost of operation
2) paxfire died in a fire
3) the project manager responsible inside VZB got canned...
I didn't think they brought this back to life... I hope they did not :(
Maybe you meant the VZ dsl/fios customer cache devices were/are doing this?
oh :(
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43555
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dad.ads123j.com. IN A
;; ANSWER SECTION:
dad.ads123j.com. 0 IN A 92.242.140.21
;; Query time: 22 msec
;; SERVER: 71.250.0.12#53(71.250.0.12)
that's unfortunate for all of VZ's landline/dsl/fios folks :( bummer.
> -mel
>
> On Nov 19, 2019, at 8:00 AM, Matthew Pounsett <matt at conundrum.com> wrote:
>
> On Tue, 19 Nov 2019 at 10:57, Patrick Schultz <lists-nanog at schultz.top> wrote:
>>
>> Just to weigh in: Here in Germany, the largest internet provider (Deutsche Telekom) did the same thing.
>> It's basically just a "search guide", it redirects you to a search page and assumes you just had a typo in the URL.
>>
>> Telekom stopped doing that in April, after a user reported them to the district attorney for supposed data manipulation, a misdemeanor.
>
>
> If your entire Internet is just the web then it's perhaps not a big deal. But there are a lot of protocols that depend on proper functioning of NXDOMAIN. If you recall, Verisign got in a bunch of trouble for doing that back in the day at the authoritative level.
>>
>>
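The two dig outputs above show the whole test: a query for a name that cannot exist should come back NXDOMAIN, and a resolver that instead returns NOERROR with a throwaway A record (TTL 0) is rewriting. The following script is an added example and is not part of the thread or of any of the posters' tooling; it uses only the Python standard library to build a query, parse the reply, and label the result. The two embedded wire images are constructed to mirror the thread's honest (id 2315) and rewritten (id 43555, A 92.242.140.21) responses, minus the SOA and OPT records, so the parser can be exercised offline; probe_resolver() sends a real query to whatever resolver address you pass it, using a random label so a cached answer cannot mask the behaviour.

```python
"""Check a recursive resolver for NXDOMAIN rewriting ("search guide" pages).

Added example, not code from the NANOG thread. Standard library only.
"""
import os
import socket
import struct
import sys

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name into DNS wire format (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid, qtype=1):
    """Build a standard recursive query: RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(qid, rcode, name, a_records=(), ttl=0):
    """Build a minimal response (QR, RD, RA set) used only for offline tests."""
    flags = 0x8180 | rcode
    header = struct.pack("!HHHHHH", qid, flags, 1, len(a_records), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in a_records:
        # 0xC00C is a compression pointer back to the question name.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        answers += socket.inet_aton(ip)
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += n + 1


def parse_response(msg):
    """Return (id, rcode, [(ip, ttl), ...]) for A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    return qid, rcode, answers


def classify(rcode, answers):
    """Label the reply to a query for a name that should not exist."""
    if rcode == RCODE_NXDOMAIN and not answers:
        return "honest"
    if rcode == RCODE_NOERROR and answers:
        return "rewritten"
    return "inconclusive"


def probe_resolver(resolver, tld="com", timeout=3.0):
    """Live check: ask `resolver` for a random label under `tld` and classify."""
    name = "nx-%s.%s" % (os.urandom(6).hex(), tld)  # random, so no cache hit
    qid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (resolver, 53))
        msg, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    rid, rcode, answers = parse_response(msg)
    if rid != qid:
        return name, "inconclusive", []
    return name, classify(rcode, answers), answers


# Constructed wire images modelled on the thread's two dig outputs.
HONEST = build_response(2315, RCODE_NXDOMAIN, "dad.ads123j.com")
REWRITTEN = build_response(43555, RCODE_NOERROR, "dad.ads123j.com",
                           ["92.242.140.21"], ttl=0)

if __name__ == "__main__":
    # Usage: python nxcheck.py <resolver-ip> [tld]
    resolver = sys.argv[1] if len(sys.argv) > 1 else "198.6.1.1"
    print(probe_resolver(resolver, *(sys.argv[2:3])))
```

A resolver that returns "rewritten" against a random label under a real TLD is substituting its own answer for the registry's NXDOMAIN; run the same probe against a second, independent resolver before drawing conclusions, since a typo in the TLD or a truncated reply will show up as "inconclusive" rather than proof either way.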