Re: DNS and nxdomain hijacking

2013-11-08 Thread Sam Hayes Merritt, III



Are any of you doing it?


At one time we did.

The money just wasn't worth the hassle.  I kept a close eye on our reports 
and the dollar amounts just kept falling. And IIRC, Google would not team 
with you to do it, you had to redirect to Yahoo or Bing.



sam



Re: DNS and nxdomain hijacking

2013-11-06 Thread Livingood, Jason
You can find a fairly good overview at 
http://tools.ietf.org/html/draft-livingood-dns-redirect-03

Comcast does not do this, see 
http://corporate.comcast.com/comcast-voices/comcast-domain-helper-shuts-down

Jason Livingood (Comcast)


On 11/5/13, 3:38 PM, Warren Bailey 
wbai...@satelliteintelligencegroup.com
 wrote:

All,

I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo, 
etc.) networks lately. How is this being done?? Is it a magic box or some kind 
of subscription service?

Are any of you doing it?

//warren



Re: DNS and nxdomain hijacking

2013-11-06 Thread Livingood, Jason
On 11/5/13, 7:57 PM, Phil Bedard bedard.p...@gmail.com wrote:

I think every major residential ISP in the US has been doing this for 5+
years now.  I worked at one provider who made a pretty decent chunk of
change off the monthly ad revenue and that was 6 years ago.  People typo a
lot of URLs.  

There's less money in it than you'd think and the monetization rates are
declining.

Jason




Re: DNS and nxdomain hijacking

2013-11-06 Thread Livingood, Jason
On 11/5/13, 11:01 PM, Mark Andrews ma...@isc.org wrote:

In message 20131106033003.gb6...@dyn.com, Andrew Sullivan writes:
 On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
  
  I think every major residential ISP in the US has been doing this for 5+
  years now.
 
 Comcast doesn't, because it breaks DNSSEC.

Only if you are validating.

Exactly. And this was one of the central arguments that helped defeat the
DNS redirection portions of SOPA/PIPA/ProtectIP/COICA.

Jason




Re: DNS and nxdomain hijacking

2013-11-05 Thread Jimmy Hess
On Tue, Nov 5, 2013 at 2:38 PM, Warren Bailey 
wbai...@satelliteintelligencegroup.com wrote:


 I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo,


I believe these ISPs have been servicing a mucked up recursive DNS like
this for quite a while.

Yes, this traffic hijacking and modification of DNS server replies is very
uncool for users. Yes, they do it anyways, on their own recursive DNS
servers; which they can do of course, on their own DNS servers.



 etc.) networks lately. How is this being done?? Is it a magic box or some
 kind of subscription service?


Both. There are multiple providers specializing in ISP DNS traffic
monetization, that are well-known, with multiple articles about them; you
redirect DNS traffic, or insert a sniffer box between recursive DNS
servers and users, the hijacking provider monetizes the NXDOMAIN traffic,
the ISP gets a small share.



I  won't be surprised if they have  50 salesmen  monitoring this list,
 trampling each other to be the first to respond to your 'solicitation' now
 G

Are any of you doing it?


I only know of very large residential providers doing it.

This is believed to not be something Enterprise IT  or business clients
 will tolerate, of their ISP.

For one thing,  NXDOMAIN response tampering breaks  DNS-based  spam
filtering / hostname verification features.



 //warren

--
-JH


Re: DNS and nxdomain hijacking

2013-11-05 Thread Phil Bedard


On 11/5/13, 7:25 PM, Jimmy Hess mysi...@gmail.com wrote:

On Tue, Nov 5, 2013 at 2:38 PM, Warren Bailey 
wbai...@satelliteintelligencegroup.com wrote:


 I've noticed a lot more nxdomain redirects on providers (cox, uverse,
tmo,


I believe these ISPs have been servicing a mucked up recursive DNS like
this for quite a while.

I think every major residential ISP in the US has been doing this for 5+
years now.  I worked at one provider who made a pretty decent chunk of
change off the monthly ad revenue and that was 6 years ago.  People typo a
lot of URLs.  

Charter (my current ISP) does let you disable it via the web.

Phil 





Re: DNS and nxdomain hijacking

2013-11-05 Thread Eric Tykwinski
Just as a side note, I don't think MS supports NXDOMAIN redirections yet, which 
is rather surprising.
Given I highly doubt anyone is using this external resolvers, which redirection 
is usually for.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222

On Nov 5, 2013, at 7:57 PM, Phil Bedard bedard.p...@gmail.com wrote:

 
 
 On 11/5/13, 7:25 PM, Jimmy Hess mysi...@gmail.com wrote:
 
 On Tue, Nov 5, 2013 at 2:38 PM, Warren Bailey 
 wbai...@satelliteintelligencegroup.com wrote:
 
 
 I've noticed a lot more nxdomain redirects on providers (cox, uverse,
 tmo,
 
 
 I believe these ISPs have been servicing a mucked up recursive DNS like
 this for quite a while.
 
 I think every major residential ISP in the US has been doing this for 5+
 years now.  I worked at one provider who made a pretty decent chunk of
 change off the monthly ad revenue and that was 6 years ago.  People typo a
 lot of URLs.  
 
 Charter (my current ISP) does let you disable it via the web.
 
 Phil 
 
 
 





Re: DNS and nxdomain hijacking

2013-11-05 Thread Andrew Sullivan
On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
 
 I think every major residential ISP in the US has been doing this for 5+
 years now.

Comcast doesn't, because it breaks DNSSEC.

A

-- 
Andrew Sullivan
Dyn, Inc.
asulli...@dyn.com
v: +1 603 663 0448



Re: DNS and nxdomain hijacking

2013-11-05 Thread Ray Soucy
http://en.wikipedia.org/wiki/Response_policy_zone

RPZ functionality has been widely adopted in the past few years.  Also
known as DNS Firewall.


On Tue, Nov 5, 2013 at 10:30 PM, Andrew Sullivan asulli...@dyn.com wrote:

 On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
 
  I think every major residential ISP in the US has been doing this for 5+
  years now.

 Comcast doesn't, because it breaks DNSSEC.

 A

 --
 Andrew Sullivan
 Dyn, Inc.
 asulli...@dyn.com
 v: +1 603 663 0448




-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net


Re: DNS and nxdomain hijacking

2013-11-05 Thread Mark Andrews

In message 20131106033003.gb6...@dyn.com, Andrew Sullivan writes:
 On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
  
  I think every major residential ISP in the US has been doing this for 5+
  years now.
 
 Comcast doesn't, because it breaks DNSSEC.

Only if you are validating.

BIND supports DNSSEC aware NXDOMAIN redirection.  If the NXDOMAIN
response is verifiable and you set DO=1 on the query the redirection
will not occur.

Similar logic is implemented in DNS64 support.

 A
 
 -- 
 Andrew Sullivan
 Dyn, Inc.
 asulli...@dyn.com
 v: +1 603 663 0448
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
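
Added example (not part of the original thread, and not BIND code): a client-side check for the behaviour discussed above. It builds an A query carrying the EDNS0 DO=1 flag Mark Andrews mentions and classifies the reply to a name that should not exist as an honest NXDOMAIN or a rewritten answer. The probe name, transaction ID, function names and the two sample replies (using the documentation address 192.0.2.10) are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a hostname as DNS wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def build_probe(name, txid, do_bit=True):
    """A query with an EDNS0 OPT record; DO=1 asks for DNSSEC records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    opt_ttl = 0x00008000 if do_bit else 0                      # DO flag lives in the OPT TTL field
    return header + question + b"\x00" + struct.pack("!HHIH", 41, 1232, opt_ttl, 0)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += n + 1

def classify(msg, txid):
    """Classify a reply to a probe for a name known not to exist."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or not a response
        return ("invalid", [])
    off, addrs, rcode = 12, [], flags & 0xF
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # A record
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    if rcode == 3:
        return ("nxdomain", addrs)          # honest negative answer
    return ("rewritten" if rcode == 0 and addrs else "other", addrs)

def sample_response(name, txid, rcode, addr=None):
    """Constructed resolver reply (not captured traffic) for offline use."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if addr else 0, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if addr:  # answer name is a pointer back to the question at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, addr.split(".")))
    return msg
```

Running the probe once with do_bit=True and once with do_bit=False against the same resolver shows whether it suppresses redirection for DNSSEC-aware clients, as described for BIND above.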