On Sat, Aug 06, 2011 at 01:25:18PM -0500, Jimmy Hess wrote:
> On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-p...@rsuc.gweep.net> wrote:
> > On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:
> > > Correct, I don't believe that any of the providers noted are actually
> > [snip]
> > Disappointing that nanog readers can't read
> > http://www.paxfire.com/faqs.php and get a clue,
> > instead all the mouth-flapping about MitM and https. While
>
> Maybe instead of jumping to the conclusion NANOG readers should "get a
> clue", you should actually do a little more research than reading a
> glossyware/vacant FAQ that doesn't actually explain everything Paxfire
> is reported to do, how it works, and what the criticism is?

I'm not jumping to conclusions, merely speaking to evidence. My personal
experience involves leaving a job at a network that insisted on
implementing some of this dreck. There is a well-known, long-standing
"monetization" by breaking NXDOMAIN. DSLreports and plenty of other
end-user fora have been full of information regarding this since
Earthlink started doing it in ... 2006?

> Changing NXDOMAIN queries to an ISP's _own_ recursive servers is old hat,
> and not the issue.

That sentence makes no sense. Hijacking NXDOMAIN doesn't have anything
to do with pointing to a recursive resolver, but returning a partner/
affiliate web site, search "helper" site or proxy instead of the NXDOMAIN.

> What the FAQ doesn't tell you is that the Paxfire appliances can tamper
> with DNS traffic received from authoritative DNS servers not operated
> by the ISP. A paxfire box can alter NXDOMAIN queries, and queries that
> respond with known search engines' IPs, to send your HTTP traffic to
> their HTTP proxies instead.
>
> Ty, http://netalyzr.icsi.berkeley.edu/blog/

This is finally something new, and I retract my assertion that the New
Scientist got it wrong. Drilling through to actual evidence and details,
rather than descriptions which match previous behavior, both
http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf
(a little indirect with 'example.com', etc) and
http://www.payne.org/index.php/Frontier_Search_Hijacking
(with actual domains) provide detail on the matter.

Cheers!

Joe

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
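The two behaviours argued over above, a resolver answering a nonexistent name with an A record instead of NXDOMAIN, and a resolver handing back different addresses for a search-engine name than the authoritative data, can both be checked from a client with ordinary DNS queries. The following is an added example, not code from this thread, from Paxfire or from the Netalyzr project. It builds and parses raw A/IN queries so it needs nothing beyond the Python standard library; the random-label probe name under example.com, the addresses 192.0.2.10 and 198.51.100.x, and the "reference" answer set are constructed for the demo, and `probe()` is the only function that touches the network.

```python
"""Detect NXDOMAIN rewriting and search-answer substitution by a recursive resolver."""
import os
import socket
import struct

NOERROR = 0
NXDOMAIN = 3


def encode_name(qname):
    """Dotted name -> DNS wire-format labels."""
    out = b""
    for label in qname.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid=0x1234):
    """Recursive (RD=1) A/IN query for qname."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(qname, rcode, addrs, qid=0x1234):
    """Constructed response for offline testing; stands in for real resolver output."""
    flags = 0x8180 | (rcode & 0x0F)  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for a in addrs:  # name pointer to offset 12 (the question name), A/IN, TTL 60
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
    return header + question + answers


def _skip_name(buf, off):
    """Advance past a (possibly compressed) name starting at off."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(buf):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # qtype + qclass
    addrs = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs


def random_probe_name(zone="example.com"):
    """A label nobody has registered, so the only honest answer is NXDOMAIN."""
    return os.urandom(8).hex() + "." + zone


def classify_nxdomain_probe(rcode, addrs):
    """An A record for a random nonexistent name means the resolver rewrote NXDOMAIN."""
    if rcode == NXDOMAIN and not addrs:
        return "honest-nxdomain"
    if rcode == NOERROR and addrs:
        return "nxdomain-rewritten"
    return "inconclusive"


def classify_search_answer(resolver_addrs, reference_addrs):
    """Compare the ISP resolver's A records for a search-engine name against a
    reference set (assumed here to come from the name's own authoritative servers)."""
    if not resolver_addrs:
        return "inconclusive"
    if set(resolver_addrs) <= set(reference_addrs):
        return "consistent"
    return "answer-rewritten"


def probe(server, qname, timeout=3.0):
    """Live UDP query to `server` (network access; not used by the offline demo)."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("transaction id mismatch")
    return parse_response(data)


def demo():
    """Run the two classifiers over constructed responses (no network)."""
    name = random_probe_name()
    honest = parse_response(build_response(name, NXDOMAIN, []))
    hijacked = parse_response(build_response(name, NOERROR, ["192.0.2.10"]))
    return {
        "honest": classify_nxdomain_probe(*honest),
        "hijacked": classify_nxdomain_probe(*hijacked),
        # constructed: resolver returns a proxy address instead of the reference set
        "search": classify_search_answer(["192.0.2.10"], ["198.51.100.1", "198.51.100.2"]),
    }


if __name__ == "__main__":
    print(demo())
```

A live check is `classify_nxdomain_probe(*probe("<isp resolver>", random_probe_name()))`; an honest resolver returns rcode 3 with an empty answer section. For the search-engine case, CDN and geo-based answers legitimately differ between resolvers, so "answer-rewritten" is a lead to confirm (for instance by looking at what the returned address actually serves over HTTP), not proof on its own.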