DNS and nxdomain hijacking
- Subject: DNS and nxdomain hijacking
- From: marka at isc.org (Mark Andrews)
- Date: Wed, 06 Nov 2013 15:01:00 +1100
- In-reply-to: Your message of "Tue, 05 Nov 2013 22:30:05 -0500." <[email protected]>
- References: <CAAAwwbUvN4WB5awfV=v3MZ0K+YxONCvqB=7Gq7iWwbiGUyK8Bw@mail.gmail.com> <CE9EFB1C.7CDD8%[email protected]> <[email protected]>
In message <20131106033003.GB6728 at dyn.com>, Andrew Sullivan writes:
> On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
> >
> > I think every major residential ISP in the US has been doing this for 5+
> > years now.
>
> Comcast doesn't, because it breaks DNSSEC.
Only if you are validating.
BIND supports DNSSEC aware NXDOMAIN redirection. If the NXDOMAIN
response is verifiable and you set DO=1 on the query the redirection
will not occur.
Similar logic is implemented in DNS64 support.
> A
>
> --
> Andrew Sullivan
> Dyn, Inc.
> asullivan at dyn.com
> v: +1 603 663 0448
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
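The behaviour Mark describes (a redirecting resolver hands back a synthesised answer to a plain query, but passes the signed NXDOMAIN through untouched when the query carries DO=1) is easy to check from the client side. The script below is an added example, not code from ISC or from BIND: it builds a minimal A query with and without the EDNS0 DO bit, and classifies a response to a name that is known not to exist as either a redirection (NOERROR with A records) or a genuine denial of existence (NXDOMAIN with NSEC and RRSIG in the authority section). The two responses it inspects are constructed in the script itself, `no-such-host.example.com.` is an assumed nonexistent name, and the NSEC/RRSIG rdata are placeholders because only the record types matter to the classifier.

```python
"""Added example: build a DO=1 query and tell a signed NXDOMAIN from a redirected
answer.  Pure stdlib; the responses below are constructed, not captured traffic."""
import random
import struct

TYPE_A, TYPE_SOA, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC = 1, 6, 41, 46, 47
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
DO_BIT = 0x8000          # DNSSEC OK flag in the OPT RR's 16-bit flags field
FLAG_AD = 0x0020         # Authenticated Data bit in the message header


def encode_name(name):
    """Wire-format a dotted name ("example.com." -> b"\\x07example\\x03com\\x00")."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def _skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # a 2-byte pointer ends the name
            return off + 2
        off += 1 + length


def _rrs(msg, off, count):
    """Collect the RR types of one section; rdata is skipped, only types are inspected."""
    types = []
    for _ in range(count):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    return types, off


def build_query(qname, do=True, qid=None):
    """A/IN query with RD set; do=True appends an EDNS0 OPT RR carrying DO=1."""
    qid = random.randrange(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if do else 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, "TTL" = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0) if do else b""
    return header + question + opt


def has_do_bit(msg):
    """True if the message carries an OPT RR with DO=1 (what a validating client sends)."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for count in (an, ns, ar):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            if rtype == TYPE_OPT and ttl & DO_BIT:
                return True
            off += 10 + rdlen
    return False


def parse_response(msg):
    _qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    answer, off = _rrs(msg, off, an)
    authority, off = _rrs(msg, off, ns)
    additional, _ = _rrs(msg, off, ar)
    return {"rcode": flags & 0x0F, "ad": bool(flags & FLAG_AD),
            "answer": answer, "authority": authority, "additional": additional}


def classify(msg):
    """Classify a response to a name known NOT to exist.
    'nxdomain-signed': NXDOMAIN with NSEC+RRSIG proof in authority (what DO=1 should get)
    'redirected':      NOERROR with A records (the resolver substituted a landing page)
    """
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN:
        proof = TYPE_NSEC in r["authority"] and TYPE_RRSIG in r["authority"]
        return "nxdomain-signed" if proof else "nxdomain"
    if r["rcode"] == RCODE_NOERROR and TYPE_A in r["answer"]:
        return "redirected"
    return "other"


# ---- constructed sample traffic (not captured from any real resolver) ----------------
def _rr(name, rtype, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata


def build_response(query, rcode, answer=(), authority=(), ad=False):
    qid = struct.unpack_from("!H", query, 0)[0]
    question = query[12:_skip_name(query, 12) + 4]
    flags = 0x8180 | rcode | (FLAG_AD if ad else 0)      # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(answer), len(authority), 0)
    return header + question + b"".join(answer) + b"".join(authority)


QNAME = "no-such-host.example.com."   # assumed nonexistent name
PLACEHOLDER = b"\x00" * 8              # rdata contents are irrelevant to the classifier

# Plain query: the NXDOMAIN is rewritten to point at a search portal address.
REDIRECTED = build_response(build_query(QNAME, do=False, qid=1), RCODE_NOERROR,
                            answer=[_rr(QNAME, TYPE_A, bytes([192, 0, 2, 10]))])
# DO=1 query: the signed denial of existence is passed through untouched.
SIGNED_NXDOMAIN = build_response(build_query(QNAME, do=True, qid=2), RCODE_NXDOMAIN,
                                 authority=[_rr("example.com.", TYPE_SOA, PLACEHOLDER),
                                            _rr("example.com.", TYPE_NSEC, PLACEHOLDER),
                                            _rr("example.com.", TYPE_RRSIG, PLACEHOLDER)],
                                 ad=True)

if __name__ == "__main__":
    print("DO=1 on the query:", has_do_bit(build_query(QNAME)))   # True
    print("plain query  ->", classify(REDIRECTED))                 # redirected
    print("DO=1 query   ->", classify(SIGNED_NXDOMAIN))            # nxdomain-signed
```

To run the same check against a live resolver, send the bytes from `build_query()` over UDP port 53 with the `socket` module and feed the reply to `classify()`, using a random label under a zone you know is signed; a resolver that returns `redirected` for the DO=1 query is rewriting answers regardless of DNSSEC, while one that returns `nxdomain-signed` for DO=1 and `redirected` for the plain query behaves the way the message describes.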