Re: Hulu thinks all my IP addresses are "business class", how to reach them?

2019-11-19 Thread Valdis Klētnieks
On Tue, 19 Nov 2019 13:39:56 -0500, Tom Beecher said:

> They are essentially equating 'business' with 'VPN provider'.

Not at all surprised.

Many moons ago, I had a Tor *relay* running on one machine in my home network,
and Hulu decided that my connections from a *different* home machine were
"VPN".  Now, if I were running a Tor *exit* node, I'd be totally OK with them
rejecting my non-Tor connections because they were NATed to the same outside IP
address - but Hulu should never have seen any packets from the relay and if I
*was* using a VPN I'd have a *different* IP address.

Near as I could determine, they were screen scraping the list of Tor relays
and conflating them with exit nodes. Never did figure out if it was stupidity
or malice driving that.




Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Billy Crook
On Tue, Nov 19, 2019 at 11:47 AM Mike Bolitho  wrote:

> This was my thought as well. People always get up in arms about how
> it's "Public DNS!" but it's really not. It's just well known and used
> because it's easy to remember.
>

I ask the users of 4.2.2.x where it is stated by the owners of 4.2.2.x that
the public may use it, and what expectations they state the public should
have of its availability, integrity, and security.

Not having a contract with Level3, I would assume no such expectations, and
discourage anyone from using 4.2.2.x, even L3 customers unless they were
specifically given it to use by L3.

The other 'public DNS providers' outwardly encourage their use by the
public.  4.2.2.x does not.


Twitter Peering Contact

2019-11-19 Thread Louis D
Hello Nanog,

   Does anyone here know a contact for Twitter's peering group that is not
from Peeringdb? I have been having issues the last several days first not
receiving any routes and now the session failing. This is over the NYIIX
peering if that helps at all. Any information is appreciated.

Thank you,
Louis D


Re: AT&T released DANOS code to Linux Foundation

2019-11-19 Thread Tim Jackson
Just curious what ASICs/platforms/NICs are supported? I didn't see any
information about anything on the wiki.

--
Tim

On Tue, Nov 19, 2019, 7:31 PM Robert Bays  wrote:

> For the open source version we replaced our proprietary routing protocol
> stack with FRR.
>
> Since the AT&T acquisition we have also added support for a few merchant
> silicon platforms in a hybrid software/hardware forwarding plane.  ONIE
> images are available from the same link.
>
> Cheers,
> Robert.
>
>
> On Nov 18, 2019, at 2:24 PM, Jared Geiger  wrote:
>
> DANOS is using FRR in the opensource version at least.
>
> On Mon, Nov 18, 2019 at 1:15 PM Mike Hammett  wrote:
>
>> Chances are, if there was a decision to be made, UBNT made the wrong
>> choice.
>>
>> That said, I've heard a lot of good about ZebOS.  *shrugs*
>>
>>
>>
>> -
>> Mike Hammett
>> Intelligent Computing Solutions
>> Midwest Internet Exchange
>> The Brothers WISP
>>
>> --
>> *From: *"Rubens Kuhl" 
>> *To: *"Nanog" 
>> *Sent: *Monday, November 18, 2019 3:10:39 PM
>> *Subject: *Re: AT&T released DANOS code to Linux Foundation
>>
>>
>>
>> On Mon, Nov 18, 2019 at 5:55 PM Brielle  wrote:
>>
>>> On 11/18/2019 1:31 PM, Jared Geiger wrote:
>>> > This past Friday, the code for DANOS was released as open source to
>>> the
>>> > Linux Foundation and published at https://github.com/danos
>>>
>>> This is pretty awesome news.
>>>
>>>  From what I'm reading, it looks like the commercial support options
>>> will be able to use ZebOS as the routing engine instead of quagga?
>>> EdgeOS has been using it for a while, and was a huge step up in terms of
>>> stability and functionality.
>>>
>>>
>> Curiously, at the same time EdgeOS replaced Quagga with ZebOS I started
>> reading more complaints and more people dropping UBNT altogether in the L3
>> world.
>> So I wonder if it was a good decision or not...
>>
>>
>> Rubens
>>
>>
>>
>


Re: AT&T released DANOS code to Linux Foundation

2019-11-19 Thread Robert Bays
For the open source version we replaced our proprietary routing protocol stack 
with FRR.  

Since the AT&T acquisition we have also added support for a few merchant 
silicon platforms in a hybrid software/hardware forwarding plane.  ONIE images 
are available from the same link.

Cheers,
Robert.


> On Nov 18, 2019, at 2:24 PM, Jared Geiger  wrote:
> 
> DANOS is using FRR in the opensource version at least.
> 
> On Mon, Nov 18, 2019 at 1:15 PM Mike Hammett wrote:
> Chances are, if there was a decision to be made, UBNT made the wrong choice.
> 
> That said, I've heard a lot of good about ZebOS.  *shrugs*
> 
> 
> 
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
>
> From: "Rubens Kuhl" <rube...@gmail.com>
> To: "Nanog" <nanog@nanog.org>
> Sent: Monday, November 18, 2019 3:10:39 PM
> Subject: Re: AT&T released DANOS code to Linux Foundation
> 
> 
> 
> On Mon, Nov 18, 2019 at 5:55 PM Brielle wrote:
> On 11/18/2019 1:31 PM, Jared Geiger wrote:
> > This past Friday, the code for DANOS was released as open source to the 
> > Linux Foundation and published at https://github.com/danos 
> > 
> 
> This is pretty awesome news.
> 
>  From what I'm reading, it looks like the commercial support options 
> will be able to use ZebOS as the routing engine instead of quagga? 
> EdgeOS has been using it for a while, and was a huge step up in terms of 
> stability and functionality.
> 
> 
> Curiously, at the same time EdgeOS replaced Quagga with ZebOS I started 
> reading more complaints and more people dropping UBNT altogether in the L3 
> world. 
> So I wonder if it was a good decision or not... 
> 
> 
> Rubens
>  
> 



Re: 99% of HK internet traffic goes thru uni being fought over?

2019-11-19 Thread Rod Beck
Dude, frankly Zero Hedge is a joke. Facts and respect are as foreign to them as 
to a certain American President.


From: NANOG  on behalf of b...@theworld.com 

Sent: Tuesday, November 19, 2019 10:43 PM
To: nanog@nanog.org 
Subject: 99% of HK internet traffic goes thru uni being fought over?


Is this plausible?

  
https://www.zerohedge.com/geopolitical/heres-real-reason-why-hong-kong-authorities-are-desperate-regain-control-university

or

  http://tinyurl.com/slwchx8

--
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Iran cuts 95% of Internet traffic

2019-11-19 Thread Eric Kuhnke
The vast majority of Iranian ISPs' international transit connectivity is
through AS12880 DCI , which is a government run telecom authority. Google
"AS12880 DCI Iran" for more info. DCI is also responsible for layer 2
transport and DWDM services for smaller downstream ISPs, on other
international terrestrial fiber links, which are opaque to us NANOG list
people from the perspective of global v4/v6 routing table/prefix
announcement analysis.

On Mon, Nov 18, 2019 at 7:10 AM Sean Donelan  wrote:

>
> It's very practical for a country to cut 95%+ of its Internet connectivity.
> It's not a complete cut-off, there is some limited connectivity. But for
> most ordinary individuals, their communication channels are cut-off.
>
> https://twitter.com/netblocks/status/1196366347938271232
>


Re: 99% of HK internet traffic goes thru uni being fought over?

2019-11-19 Thread John Sage

On 11/19/19 1:43 PM, b...@theworld.com wrote:


Is this plausible?

   
https://www.zerohedge.com/geopolitical/heres-real-reason-why-hong-kong-authorities-are-desperate-regain-control-university

or

   http://tinyurl.com/slwchx8



uh...

Zerohedge has been (at worst) a Russian asset for a good five-eight years.

At best, a Russian dupe.

Not credible in the least.

Don't @ me -- if you don't keep up with the orientation and credibility 
of disinformation shill web sites like Zerohedge that's on you, not me.



- John
--



Re: 99% of HK internet traffic goes thru uni being fought over?

2019-11-19 Thread Martijn Schmidt via NANOG
HKIX is definitely the incumbent IXP in that region, but I'd reckon that most 
high volume interconnection will take place in facilities like Mega-iAdvantage 
or Equinix HK1 via PNI.

Plus there are several alternative IXPs in Hong Kong that also handle 
undisclosed amounts of traffic.

From: NANOG  on behalf of b...@theworld.com 

Sent: 19 November 2019 22:43:34
To: nanog@nanog.org 
Subject: 99% of HK internet traffic goes thru uni being fought over?


Is this plausible?

  
https://www.zerohedge.com/geopolitical/heres-real-reason-why-hong-kong-authorities-are-desperate-regain-control-university

or

  http://tinyurl.com/slwchx8

--
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


99% of HK internet traffic goes thru uni being fought over?

2019-11-19 Thread bzs


Is this plausible?

  
https://www.zerohedge.com/geopolitical/heres-real-reason-why-hong-kong-authorities-are-desperate-regain-control-university

or

  http://tinyurl.com/slwchx8

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


RE: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Marshall, Quincy
On Tuesday, November 19, 2019 1:35 PM, Mike Bolitho  
said…
“How many of (my) clients have mistyped something and sent their data, 
unknowingly, to a 3rd party host? (Whose fault would that be?)

Yours? They paid you to set up their network properly and you set it up to 
resolve to Level 3. So if they "unknowingly sent their data" to a third party 
then it would be your fault.”

If I was retained by my clients to set up, design, configure, and/or maintain 
our clients’ networks, I would completely agree with you.
(FWIW, my internal network would not connect to these hosts even if one of my 
users fat-fingered the URL.)

However, I’m referring to a completely autonomous 3rd party network (Say they 
type .omb.gov) Can I be expected to anticipate their 
user’s/APP DEV’s typos?

Lawrence Q. Marshall


Re: Hulu thinks all my IP addresses are "business class", how to reach them?

2019-11-19 Thread Tom Beecher
They are essentially equating 'business' with 'VPN provider'.

On Tue, Nov 19, 2019 at 1:25 PM Matt Hoppes <
mattli...@rivervalleyinternet.net> wrote:

> Why are "businesses" not allowed to watch HULU?
>
> On 11/19/19 1:17 PM, Doug McIntyre wrote:
> > On Mon, Nov 18, 2019 at 10:55:01AM -0600, Blake Hudson wrote:
> >> Doug, out of curiosity, what does Hulu do once they have classified your
> >> IP ranges as "business class"? Charge customers a different rate? Offer
> >> different content? Refuse service?
> >
> > They won't let any of my customers connect, blocking them with a
> > specific error number to reference by their support. When they do, Hulu
> > is either telling them that they are using a VPN (when we don't offer
> > any services like that), and then to whitelist them, they have to have
> > a "residential" IP address and not the "business" IP address we are
> > giving them, and won't go any further. Or they just say they can't
> > connect from the "business" IP addresses.
> >
> > If I knew why they considered my IP addresses "business" IP addresses,
> > I could possibly change something? But this seems to be an arbitrary
> > decision they changed about a week and a half ago for all my netblocks.
> >
> >
>


Re: Hulu thinks all my IP addresses are "business class", how to reach them?

2019-11-19 Thread Blake Hudson

Doug McIntyre wrote on 11/19/2019 12:17 PM:

On Mon, Nov 18, 2019 at 10:55:01AM -0600, Blake Hudson wrote:

Doug, out of curiosity, what does Hulu do once they have classified your
IP ranges as "business class"? Charge customers a different rate? Offer
different content? Refuse service?

They won't let any of my customers connect, blocking them with a
specific error number to reference by their support. When they do, Hulu
is either telling them that they are using a VPN (when we don't offer
any services like that), and then to whitelist them, they have to have
a "residential" IP address and not the "business" IP address we are
giving them, and won't go any further. Or they just say they can't
connect from the "business" IP addresses.

If I knew why they considered my IP addresses "business" IP addresses,
I could possibly change something? But this seems to be an arbitrary
decision they changed about a week and a half ago for all my netblocks.




Thanks Doug. I'm interested in following your thread because we have 
some IP ranges we intentionally wanted to be classified as static or 
non-residential by other entities so that our customers on these ranges 
could operate their own email servers. This was done through a 
combination of reverse DNS including the word "static" (or similar) and 
the SpamHaus PBL listings (or similar). At the same time, we would not 
want Hulu to stop providing services to these customers due to this 
classification. Ultimately, I guess it's up to Hulu who they want to 
serve as a customer of theirs, but as a network operator providing 
access to the internet (including access to services like Hulu) I'm 
sure we would be negatively impacted by such a decision on the part of 
Hulu causing it to devalue the utility of our services.


Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Mike Bolitho
>
> How many of (my) clients have mistyped something and sent their data,
> unknowingly, to a 3rd party host? (Whose fault would that be?)


Yours? They paid you to set up their network properly and you set it up to
resolve to Level 3. So if they "unknowingly sent their data" to a third
party then it would be your fault.

- Mike Bolitho











On Tue, Nov 19, 2019 at 11:18 AM Marshall, Quincy 
wrote:

> *On *Tuesday, November 19, 2019 12:49 PM, Mike Bolitho <
> mikeboli...@gmail.com> said…
>
> “This was my thought as well. People always get up in arms about how
> it's "Public DNS!" but it's really not. It's just well known and used
> because it's easy to remember”
>
>
> I am not against their “securing” their hosts. It costs them money to
> provide the service. I disagree with what they did - Disable the service or
> only allow local or on-net resolution. How many of (my) clients have
> mistyped something and sent their data, unknowingly, to a 3rd party
> host? (Whose fault would that be?)
>
>
>
> That said I AM a L(3) customer. These IPs were provided when the circuit
> was provisioned for NS resolution. Admittedly, they have indicated, this
> morning, that we are using the “wrong” Anycast NS and provided a different
> set; which functioned the same as  the “Public” ones.
>
> *Lawrence Q. Marshall*
>
>
>
>


Re: Hulu thinks all my IP addresses are "business class", how to reach them?

2019-11-19 Thread Mike Hammett
Hulu is the worst-run streaming service, mostly because they don't cooperate 
with ISPs in the least. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Doug McIntyre"  
To: nanog@nanog.org 
Sent: Monday, November 18, 2019 10:41:06 AM 
Subject: Hulu thinks all my IP addresses are "business class", how to reach 
them? 

I've been offering residential and business ISP services for a long time. 

Hulu recently blocked my customers from accessing their service, because my 
ARIN IP address blocks are "business class" instead of residential. 

I've tried to find a contact for them as I am not a customer, the 
supportrequ...@hulu.com address mentioned in NANOG previously is just 
an autoresponder that says open a ticket online (once you are logged into your 
account). 

Does anybody have a contact for them that I can discuss what they are 
looking at to determine if my IP addresses are "residential" 
vs. "business" class? 

Thanks. 





Re: Hulu thinks all my IP addresses are "business class", how to reach them?

2019-11-19 Thread Matt Hoppes

Why are "businesses" not allowed to watch HULU?

On 11/19/19 1:17 PM, Doug McIntyre wrote:

On Mon, Nov 18, 2019 at 10:55:01AM -0600, Blake Hudson wrote:

Doug, out of curiosity, what does Hulu do once they have classified your
IP ranges as "business class"? Charge customers a different rate? Offer
different content? Refuse service?


They won't let any of my customers connect, blocking them with a
specific error number to reference by their support. When they do, Hulu
is either telling them that they are using a VPN (when we don't offer
any services like that), and then to whitelist them, they have to have
a "residential" IP address and not the "business" IP address we are
giving them, and won't go any further. Or they just say they can't
connect from the "business" IP addresses.

If I knew why they considered my IP addresses "business" IP addresses,
I could possibly change something? But this seems to be an arbitrary
decision they changed about a week and a half ago for all my netblocks.




RE: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Marshall, Quincy
On Tuesday, November 19, 2019 12:49 PM, Mike Bolitho  
said…
“This was my thought as well. People always get up in arms about how it's 
"Public DNS!" but it's really not. It's just well known and used because it's 
easy to remember”

I am not against their “securing” their hosts. It costs them money to provide 
the service. I disagree with what they did - Disable the service or only allow 
local or on-net resolution. How many of (my) clients have mistyped something 
and sent their data, unknowingly, to a 3rd party host? (Whose fault would that 
be?)

That said I AM a L(3) customer. These IPs were provided when the circuit was 
provisioned for NS resolution. Admittedly, they have indicated, this morning, 
that we are using the “wrong” Anycast NS and provided a different set; which 
functioned the same as  the “Public” ones.
Lawrence Q. Marshall


Re: Hulu thinks all my IP addresses are "business class", how to reach them?

2019-11-19 Thread Doug McIntyre
On Mon, Nov 18, 2019 at 10:55:01AM -0600, Blake Hudson wrote:
> Doug, out of curiosity, what does Hulu do once they have classified your 
> IP ranges as "business class"? Charge customers a different rate? Offer 
> different content? Refuse service?

They won't let any of my customers connect, blocking them with a
specific error number to reference by their support. When they do, Hulu
is either telling them that they are using a VPN (when we don't offer
any services like that), and then to whitelist them, they have to have
a "residential" IP address and not the "business" IP address we are
giving them, and won't go any further. Or they just say they can't
connect from the "business" IP addresses. 

If I knew why they considered my IP addresses "business" IP addresses,
I could possibly change something? But this seems to be an arbitrary
decision they changed about a week and a half ago for all my netblocks.




Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Mike Bolitho
This was my thought as well. People always get up in arms about how it's
"Public DNS!" but it's really not. It's just well known and used because
it's easy to remember.

- Mike Bolitho


On Tue, Nov 19, 2019 at 9:28 AM Ryan, Spencer 
wrote:

> Are you a CL/L3 customer? Those resolvers have only ever been for
> “customers” even though they would resolve for anyone. They started
> injecting NXDOMAIN redirects a while ago for non-customers.
>
>
>
>
>
> *From:* NANOG  *On Behalf Of *Marshall, Quincy
> *Sent:* Monday, November 18, 2019 12:45 PM
> *Subject:* Level(3) DNS Spoofing All Domains
>
>
>
>
> This is mostly informational and may have already hit this group. My
> google-foo failed me if so.
>
>
>
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are
> spoofing all domains. If the hostname begins with a “w” and does not exist
> in the authoritative zone these hosts will return two Akamai hosts.
>
>
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
>
> 23.202.231.167
>
> 23.217.138.108
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
>
> 23.202.231.167
>
> 23.217.138.108
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
>
> 23.202.231.167
>
> 23.217.138.108
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
>
> 23.202.231.167
>
> 23.217.138.108
>
>
>
> My apologies if this is old news.
>
>
>
> *Lawrence Q. Marshall*
>
>
>
>
>


AT&T Security Contact

2019-11-19 Thread Robert Webb
Apologies for the off topic email but I am trying to get in touch with
someone at AT&T Security who has a clue.

Received three text messages on my Verizon Wireless phone from my wife's
number which were from AT&T with links to someone's tech visit ticket which
gave me access to their services and tech appointment.

Thanks..


Dell OS10 switches

2019-11-19 Thread Dmitry Sherman
Hello,
Any recommendations about Dell S4200 switches with their OS10 Cisco-like OS?
Pricing is very attractive. They claim to support 1.5M BGP routes.
Does anyone have any experience with Dell’s switches?
Can I rely on them in production network?

Thanks

Best regards,
Dmitry Sherman





Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread brent timothy saner
On 11/18/19 12:45, Marshall, Quincy wrote:
> This is mostly informational and may have already hit this group. My
> google-foo failed me if so.
> 
>  
> 
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are
> spoofing all domains. If the hostname begins with a “w” and does not
> exist in the authoritative zone these hosts will return two Akamai hosts.
> 
>  
> 
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
> 
> 23.202.231.167
> 
> 23.217.138.108
> 
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
> 
> 23.202.231.167
> 
> 23.217.138.108
> 
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
> 
> 23.202.231.167
> 
> 23.217.138.108
> 
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
> 
> 23.202.231.167
> 
> 23.217.138.108
> 
>  
> 
> My apologies if this is old news.
> 
>  
> 
> *Lawrence Q. Marshall*
> 

Yep, old news. :) It's their "SearchGuide(TM)" nonsense.

You can opt out, but as of about 1.5? months ago it's almost impossible
to because the applet was serving a 500, and now it just refuses to work
*despite* serving a 200. And it's flaky as all else - when the applet
goes down, the resolvers take the ...aherm, "liberty" of automatically
enabling SearchGuide during the outage.

You can either attempt it via going to e.g.:
  http://searchguide.level3.com/search/?q=foo
and clicking the "Settings" link in the upper right. If you get "There
was a problem retrieving your settings from the server. Please try your
request again later.", then congrats! You won the prize of not being
able to change the redirect.

Alternatively, you can TRY running something like this:
https://pastebin.com/zktqqCxU but AGAIN, it depends on that endpoint
actually being *accessible*.

Which it increasingly is not.

I've moved on from level3 for resolvers; their reliability's been
declining but this nonsense just tanked them for me.
Lately I've been using Verisign's resolvers (64.6.64.6 and 64.6.65.6)
for upstream on my cachers, and I've been pretty pleased with it. They
seem to express a focus on privacy, which is nice, but most importantly-
records seem to get through unmolested, NXDOMAINs and all. Just as it
should be. ;)





Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Cary Wiedemann
Wow, news to me, and it's worse than you thought.  They're spoofing
responses for ALL non-existent domains, not just those starting with a "w":

langsam:~# whois unregistereddomaintest.com | head -1
No match for "UNREGISTEREDDOMAINTEST.COM".

langsam:~# dig +short a unregistereddomaintest.com @4.2.2.2
23.202.231.167
23.217.138.108

langsam:~# dig +short a unregistereddomaintest.mil @4.2.2.2
23.202.231.167
23.217.138.108

I can't get an NXDOMAIN result from 4.2.2.2 at all.

Good to know.  Time to reconfigure 10,000 firewalls.

Thank you Lawrence.

- Cary Wiedemann

On Tue, Nov 19, 2019 at 10:35 AM Marshall, Quincy 
wrote:

> This is mostly informational and may have already hit this group. My
> google-foo failed me if so.
>
>
>
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are
> spoofing all domains. If the hostname begins with a “w” and does not exist
> in the authoritative zone these hosts will return two Akamai hosts.
>
>
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
>
> 23.202.231.167
>
> 23.217.138.108
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
>
> 23.202.231.167
>
> 23.217.138.108
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
>
> 23.202.231.167
>
> 23.217.138.108
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
>
> 23.202.231.167
>
> 23.217.138.108
>
>
>
> My apologies if this is old news.
>
>
>
> *Lawrence Q. Marshall*
>
>
>
>
>


RE: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Ryan, Spencer
Are you a CL/L3 customer? Those resolvers have only ever been for “customers” 
even though they would resolve for anyone. They started injecting NXDOMAIN 
redirects a while ago for non-customers.


From: NANOG  On Behalf Of Marshall, Quincy
Sent: Monday, November 18, 2019 12:45 PM
Subject: Level(3) DNS Spoofing All Domains

This is mostly informational and may have already hit this group. My google-foo 
failed me if so.

I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are 
spoofing all domains. If the hostname begins with a “w” and does not exist in 
the authoritative zone these hosts will return two Akamai hosts.

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108

My apologies if this is old news.

Lawrence Q. Marshall






Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Christopher Morrow
On Wed, Nov 20, 2019 at 12:07 AM Mel Beckman  wrote:
>
> Frontier and Verizon have been doing it for years. They have simply thumbed 
> their noses at NXDOMAIN. All in the name of capturing data and eyeballs By 
> Any Means Necessary.
>

Verizon USED to do this on the former UUnet customer cache resolvers
(notably: 198.6.1.1 and its ilk) ... but:

$ dig @198.6.1.1 dad.ads123j.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2315
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dad.ads123j.com. IN A

;; AUTHORITY SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1574180221
1800 900 604800 86400


my understanding was that this was discontinued eventually when the 'product':
  1) made no appreciable money for the cost of operation
  2) paxfire died in a fire
  3) the ProjectManager responsible inside VZB got canned...

I didn't think they brought this back to life... I hope they did not :(
Maybe you meant the VZ dsl/fios customer cache devices were/are doing this?
oh :(

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43555
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;dad.ads123j.com. IN A

;; ANSWER SECTION:
dad.ads123j.com. 0 IN A 92.242.140.21

;; Query time: 22 msec
;; SERVER: 71.250.0.12#53(71.250.0.12)

that's unfortunate for all of VZ's landline/dsl/fios folks :( bummer.

>  -mel
>
> On Nov 19, 2019, at 8:00 AM, Matthew Pounsett  wrote:
>
> 
>
>
> On Tue, 19 Nov 2019 at 10:57, Patrick Schultz  wrote:
>>
>> Just to weigh in: Here in Germany, the largest internet provider (Deutsche 
>> Telekom) did the same thing.
>> It's basically just a "search guide", it redirects you to a search page and 
>> assumes you just had a typo in the URL.
>>
>> Telekom stopped doing that in April, after a user reported them to the 
>> district attorney for supposed data manipulation, a misdemeanor.
>
>
> If your entire Internet is just the web then it's perhaps not a big deal.  
> But there are a lot of protocols that depend on proper functioning of 
> NXDOMAIN.  If you recall, Verisign got in a bunch of trouble for doing that 
> back in the day at the authoritative level.
>>
>>
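
A way to check a resolver for the NXDOMAIN rewriting seen in the dig output above, as an added example that is not part of any list member's post: it parses full `dig` output for several random names under unrelated zones and flags a resolver that answers NOERROR with the same addresses for all of them. The probe names, sample outputs and 192.0.2.x addresses are constructed for illustration.

```python
import re
import secrets

# "status: NXDOMAIN" in dig's ->>HEADER<<- line.
HEADER_RE = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
# An A/AAAA record line: owner name, TTL, class IN, type, address.
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(?:A|AAAA)\s+(\S+)$")


def probe_name(zone):
    """Return a random label under `zone` that should not exist."""
    return f"nxprobe-{secrets.token_hex(8)}.{zone}"


def parse_dig(text):
    """Extract (status, sorted answer addresses) from full dig output."""
    status, answers, in_answer = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.search(line)
        if header:
            status = header.group(1)
        elif line.startswith(";;"):
            # Section banners switch answer parsing on or off.
            in_answer = line.startswith(";; ANSWER SECTION")
        elif in_answer:
            record = RECORD_RE.match(line)
            if record:
                answers.append(record.group(2))
    return status, sorted(answers)


def classify(probe_outputs):
    """Judge a resolver from dig outputs for several nonexistent names.

    One NOERROR answer may be a legitimate wildcard record in the parent
    zone, so "rewriting" requires at least two probes (ideally under
    unrelated zones) that return NOERROR and share the same address(es).
    Returns (verdict, shared landing addresses).
    """
    parsed = [parse_dig(text) for text in probe_outputs]
    if len(parsed) < 2:
        return "inconclusive", []
    forged = [set(addrs) for status, addrs in parsed
              if status == "NOERROR" and addrs]
    if not forged:
        if all(status == "NXDOMAIN" for status, _ in parsed):
            return "honest", []
        return "inconclusive", []  # e.g. SERVFAIL from DNSSEC validation
    shared = set.intersection(*forged)
    if len(forged) >= 2 and shared:
        return "rewriting", sorted(shared)
    return "inconclusive", []


# Constructed sample outputs (not captured from any real resolver).
HONEST = [
    """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1001
;; QUESTION SECTION:
;nxprobe-1a2b.example.com. IN A

;; AUTHORITY SECTION:
example.com. 899 IN SOA ns.example.com. host.example.com. 1 1800 900 604800 86400
""",
    """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1002
;; QUESTION SECTION:
;nxprobe-3c4d.example.net. IN A
""",
]

REWRITTEN = [
    """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2001
;; QUESTION SECTION:
;nxprobe-1a2b.example.com. IN A

;; ANSWER SECTION:
nxprobe-1a2b.example.com. 0 IN A 192.0.2.11
nxprobe-1a2b.example.com. 0 IN A 192.0.2.10

;; Query time: 22 msec
""",
    """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2002
;; QUESTION SECTION:
;nxprobe-3c4d.example.net. IN A

;; ANSWER SECTION:
nxprobe-3c4d.example.net. 0 IN A 192.0.2.10
nxprobe-3c4d.example.net. 0 IN A 192.0.2.11
""",
]

if __name__ == "__main__":
    print("next probe name:", probe_name("example.org"))
    print("honest resolver:", classify(HONEST))
    print("rewriting resolver:", classify(REWRITTEN))
```

The shared addresses returned for a rewriting resolver are the landing hosts, which makes them usable as an egress filter or alerting key for traffic that was never meant to leave the network.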


Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Brandon Martin

On 11/18/19 12:45 PM, Marshall, Quincy wrote:
I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are 
spoofing all domains. If the hostname begins with a “w” and does not 
exist in the authoritative zone these hosts will return two Akamai hosts.


As far as I know, this has been going on for quite some time at least 
for folks not on Level3.  I know I've seen it as far back as 5-7 years 
ago from various vantage points.


I guess it's also possible somebody was intercepting those well known 
anycast addresses between me and Level3, but the "search guide" it 
redirected to didn't implicate any obvious suspects.


It fails DNSSEC checking, of course, so if you have DNSSEC validation 
turned on at your recursive resolver, you should get something else 
(probably SERVFAIL).

--
Brandon Martin


Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Mel Beckman
Frontier and Verizon have been doing it for years. They have simply thumbed 
their noses at NXDOMAIN. All in the name of capturing data and eyeballs By Any 
Means Necessary.

 -mel

On Nov 19, 2019, at 8:00 AM, Matthew Pounsett  wrote:

> On Tue, 19 Nov 2019 at 10:57, Patrick Schultz  wrote:
>> Just to weigh in: Here in Germany, the largest internet provider (Deutsche
>> Telekom) did the same thing.
>> It's basically just a "search guide", it redirects you to a search page and
>> assumes you just had a typo in the URL.
>>
>> Telekom stopped doing that in April, after a user reported them to the district
>> attorney for supposed data manipulation, a misdemeanor.
>
> If your entire Internet is just the web then it's perhaps not a big deal.  But
> there are a lot of protocols that depend on proper functioning of NXDOMAIN.  If
> you recall, Verisign got in a bunch of trouble for doing that back in the day
> at the authoritative level.



RE: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Marshall, Quincy
On Tuesday, November 19, 2019 10:42 AM Ryan, Spencer…
“Are you a CL/L3 customer?”

I am a legacy L(3) customer.

The availability of their AnyCast NS is public from my nets.  I was on my
home TWC circuit when I ran the provided lookups.


I have used the L(3) NS, in a pinch, because of their reliability, privacy, and 
ease. I would assume that others did similar.  It would seem that the 
reliability and privacy are not so, anymore.

FWIW – They have not provided a coherent reply to my ticket. Should I get a 
relevant update, I’ll forward to the list.
Lawrence Q. Marshall


Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Matthew Pounsett
On Tue, 19 Nov 2019 at 10:57, Patrick Schultz 
wrote:

> Just to weigh in: Here in Germany, the largest internet provider (Deutsche
> Telekom) did the same thing.
> It's basically just a "search guide", it redirects you to a search page
> and assumes you just had a typo in the URL.
>
> Telekom stopped doing that in April, after a user reported them to the
> district attorney for supposed data manipulation, a misdemeanor.
>

If your entire Internet is just the web then it's perhaps not a big deal.
But there are a lot of protocols that depend on proper functioning of
NXDOMAIN.  If you recall, Verisign got in a bunch of trouble for doing that
back in the day at the authoritative level.

>
>


Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Patrick Schultz
Just to weigh in: Here in Germany, the largest internet provider (Deutsche 
Telekom) did the same thing.
It's basically just a "search guide", it redirects you to a search page and 
assumes you just had a typo in the URL.

Telekom stopped doing that in April, after a user reported them to the district 
attorney for supposed data manipulation, a misdemeanor.

On 18.11.2019 at 18:45, Marshall, Quincy wrote:
> This is mostly informational and may have already hit this group. My
> google-foo failed me if so.
>
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are
> spoofing all domains. If the hostname begins with a “w” and does not exist in
> the authoritative zone these hosts will return two Akamai hosts.
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
> 23.202.231.167
> 23.217.138.108
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
> 23.202.231.167
> 23.217.138.108
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
> 23.202.231.167
> 23.217.138.108
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
> 23.202.231.167
> 23.217.138.108
>
> My apologies if this is old news.
>
> *Lawrence Q. Marshall*


Re: Level(3) DNS Spoofing All Domains

2019-11-19 Thread Pierre Emeriaud
On Tue, 19 Nov 2019 at 16:36, Marshall, Quincy wrote:
>
> I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are 
> spoofing all domains. If the hostname begins with a “w” and does not exist in 
> the authoritative zone these hosts will return two Akamai hosts.
>
> [root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
> 23.202.231.167
> 23.217.138.108

It depends on the server you're hitting:

From AS3215 (.fr):
$ dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.217.138.108
23.202.231.167

$ dig +short caseraitvraimentconquilexiste.org @4.2.2.2
23.217.138.108
23.202.231.167

$ dig +short hostname.bind txt ch @4.2.2.2
"pubntp1.lon1.Level3.net"


From AS16276 (.ca):
$ dig w3.dummydomaindoesntexist.org @4.2.2.2
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34998
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

$ dig +short hostname.bind txt ch @4.2.2.2
"cns4.nyc1.Level3.net"
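
A resolver can be checked for the two behaviours shown above (synthesized A records versus an error) by querying it for a random name and classifying the reply header. This is an added example, not part of the thread: `build_query`, `classify`, `probe` and the sample headers are constructed for illustration, and the default zone is the test name used in the thread, assumed to still be unregistered.

```python
import secrets
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid):
    """Encode a recursive A/IN query for `name` (RD bit set, one question)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(response, qid):
    """Classify a reply to a query for a name that is known not to exist."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:    # wrong transaction ID, or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 3:
        return "honest"                     # NXDOMAIN passed through unchanged
    if rcode == 0 and ancount > 0:
        return "rewritten"                  # answers synthesized for a missing name
    if rcode == 0:
        return "nodata"                     # NOERROR with an empty answer section
    return "error:" + RCODES.get(rcode, str(rcode))

def probe(resolver, zone="dummydomaindoesntexist.org", timeout=3.0):
    """Ask `resolver` over UDP for a random w-prefixed name under `zone`."""
    label = "w" + secrets.token_hex(8)      # random, so no cache can hold it
    qid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(f"{label}.{zone}", qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data, qid)

# Constructed 12-byte headers (not captured traffic) mirroring the two replies above.
SAMPLE_REWRITTEN = bytes.fromhex("123481800001000200000000")  # NOERROR, ANSWER: 2
SAMPLE_SERVFAIL = bytes.fromhex("88b681820001000000000000")   # id 34998, SERVFAIL

if __name__ == "__main__":
    print(classify(SAMPLE_REWRITTEN, 0x1234), classify(SAMPLE_SERVFAIL, 34998))
    for resolver in sys.argv[1:]:           # resolvers to check, given as IP addresses
        print(resolver, probe(resolver))
```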


Level(3) DNS Spoofing All Domains

2019-11-19 Thread Marshall, Quincy
This is mostly informational and may have already hit this group. My google-foo 
failed me if so.

I discovered that the CenturyLink/Level(3) public DNS (4.2.2.2, etc) are 
spoofing all domains. If the hostname begins with a "w" and does not exist in 
the authoritative zone these hosts will return two Akamai hosts.

[root@localhost ~]# dig +short w3.dummydomaindoesntexist.gov @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.net @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.com @4.2.2.2
23.202.231.167
23.217.138.108
[root@localhost ~]# dig +short w3.dummydomaindoesntexist.org @4.2.2.2
23.202.231.167
23.217.138.108

My apologies if this is old news.

Lawrence Q. Marshall


Re: south bay ops channel

2019-11-19 Thread George Herbert
Not that I specifically recall since late 90s.  All the local problems
became nationwide.

If you want to start one, sign me up.

On Mon, Nov 18, 2019 at 6:53 PM Randy Bush  wrote:

> > dear lazynet.  is there a list, irc, slack, ... for ops in the
> > southern bay area?  need to find/discuss colo, hands, brains, ...
>
> fwiw, in seattle, the SIX chatter list would be a good example.
>
> randy
>


-- 
-george william herbert
george.herb...@gmail.com