DNS and nxdomain hijacking

All,

I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo, etc.) networks lately. How is this being done?? Is it a magic box or some kind of subscription service?

Are any of you doing it?

//warren

> I've noticed a lot more nxdomain redirects on providers (cox, uverse, tmo,

I believe these ISPs have been servicing a mucked up recursive DNS like
this for quite a while.

Yes, this traffic hijacking and modification of DNS server replies is very
uncool for users. Yes, they do it anyways, on their own recursive DNS
servers; which they can do of course, on their own DNS servers.

> etc.) networks lately. How is this being done?? Is it a magic box or some
> kind of subscription service?

Both. There are multiple providers specializing in ISP DNS traffic
monetization, that are well-known, with multiple articles about them; you
redirect DNS traffic, or insert a sniffer box between recursive DNS
servers and users, the hijacking provider monetizes the NXDOMAIN traffic,
the ISP gets a small share.

I won't be surprised if they have 50 salesmen monitoring this list,
trampling each other to be the first to respond to your 'solicitation' now
<G>

> Are any of you doing it?

I only know of very large residential providers doing it.

This is believed to not be something Enterprise IT or business clients
will tolerate, of their ISP.

For one thing, NXDOMAIN response tampering breaks DNS-based spam
filtering / hostname verification features.

I think every major residential ISP in the US has been doing this for 5+
years now. I worked at one provider who made a pretty decent chunk of
change off the monthly ad revenue and that was 6 years ago. People typo a
lot of URLs.

Charter (my current ISP) does let you disable it via the web.

Phil

Just as a side note, I don't think MS supports NXDOMAIN redirections yet, which is rather surprising,
given I highly doubt anyone is using this on external resolvers, which is what redirection is usually for.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
F: 610-429-3222

Comcast doesn't, because it breaks DNSSEC.

A

http://en.wikipedia.org/wiki/Response_policy_zone

RPZ functionality has been widely adopted in the past few years. Also
known as "DNS Firewall".

>
> I think every major residential ISP in the US has been doing this for 5+
> years now.

> Comcast doesn't, because it breaks DNSSEC.

Only if you are validating.

BIND supports DNSSEC-aware NXDOMAIN redirection. If the NXDOMAIN
response is verifiable and you set DO=1 on the query, the redirection
will not occur.

Similar logic is implemented in DNS64 support.
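The DO-bit behaviour described above can be checked from the client side against any resolver. What follows is an added example, not code from this thread, from BIND or from any of the providers named in it: it builds a DNS query for a random label under a domain of your choosing, with or without the EDNS0 DO bit, and classifies the reply as an honest NXDOMAIN or a synthesised answer. The sample replies, the resolver address and the domain used below are constructed for the example; the `probe` function sends a real query over UDP and is the part you would point at your ISP's resolver.

```python
"""Client-side check for NXDOMAIN redirection (added example, not from the thread).

Sends an A query for a random, non-existent label; an honest recursive resolver
answers RCODE 3 (NXDOMAIN), a redirecting one answers NOERROR with an A record.
Repeating the query with the EDNS0 DO bit set shows whether the resolver is
DNSSEC-aware in the sense discussed above (redirect only when DO=0).
"""
import os
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QTYPE_A, QTYPE_OPT, CLASS_IN = 1, 41, 1
FLAG_DO = 0x8000  # DO bit lives in the low 16 bits of the OPT RR's TTL field (RFC 6891)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def random_qname(domain):
    """A label nobody has registered, so the only correct answer is NXDOMAIN."""
    return os.urandom(6).hex() + "." + domain


def build_query(qname, txid=0x1234, do=False):
    # Header: ID, flags (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (1 if we add an OPT RR).
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do else 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    if do:
        # OPT pseudo-RR: root name, type 41, UDP payload size, ext-rcode/version/flags, RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, FLAG_DO, 0)
    return msg


def skip_name(msg, off):
    """Advance past a name, whether it is written out or a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Return id, rcode, answer-section A records and whether an OPT RR carried DO."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    answers, do = [], False
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata, off = msg[off:off + rdlen], off + rdlen
            if section == "an":
                value = socket.inet_ntoa(rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
                answers.append((rtype, value))
            elif rtype == QTYPE_OPT and ttl & FLAG_DO:
                do = True
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers, "do": do}


def classify(response):
    r = parse_message(response)
    if r["rcode"] == RCODE_NXDOMAIN and not r["answers"]:
        return "honest NXDOMAIN"
    if r["rcode"] == RCODE_NOERROR and r["answers"]:
        return "redirected: " + ", ".join(v for _, v in r["answers"])
    return "unexpected rcode %d" % r["rcode"]


def build_response(query, rcode, a_records=()):
    """Constructed reply used for the offline examples: echoes the question, sets QR/RD/RA + rcode."""
    (txid,) = struct.unpack("!H", query[:2])
    qend = skip_name(query, 12) + 4
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0) + query[12:qend]
    for ip in a_records:
        # Owner name is a compression pointer (0xC00C) to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 60, 4) + socket.inet_aton(ip)
    return msg


def probe(resolver, domain, do=False, timeout=3.0):
    """Live check over UDP/53 (not exercised offline); resolver and domain are the caller's."""
    q = build_query(random_qname(domain), txid=int.from_bytes(os.urandom(2), "big"), do=do)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify(resp)


if __name__ == "__main__":
    import sys
    resolver, domain = sys.argv[1], sys.argv[2]  # e.g. your ISP's resolver and any real domain
    print("DO=0:", probe(resolver, domain, do=False))
    print("DO=1:", probe(resolver, domain, do=True))
```

A resolver that behaves as described above reports "redirected: ..." for the DO=0 probe and "honest NXDOMAIN" for the DO=1 probe; one that rewrites regardless of DO reports "redirected" for both. Redirectors sometimes answer with a CNAME rather than an A record, which is why `classify` treats any non-empty NOERROR answer to a random name as a redirect rather than looking only for A records.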

You can find a fairly good overview at http://tools.ietf.org/html/draft-livingood-dns-redirect-03

Comcast does not do this, see http://corporate.comcast.com/comcast-voices/comcast-domain-helper-shuts-down

Jason Livingood (Comcast)

There's less money in it than you'd think and the monetization rates are
declining.

Jason

Exactly. And this was one of the central arguments that helped defeat the
DNS redirection portions of SOPA/PIPA/ProtectIP/COICA.

Jason

Are any of you doing it?

At one time we did.

The money just wasn't worth the hassle. I kept a close eye on our reports and the dollar amounts just kept falling. And IIRC, Google would not team with you to do it, you had to redirect to Yahoo or Bing.

sam