Re: US internet providers hijacking users' search queries
From: Joe Provo <nanog-post () rsuc gweep net>
Date: Sun, 7 Aug 2011 12:10:30 -0400
On Sat, Aug 06, 2011 at 01:25:18PM -0500, Jimmy Hess wrote:
On Sat, Aug 6, 2011 at 12:08 PM, Joe Provo <nanog-post () rsuc gweep net> wrote:
On Sat, Aug 06, 2011 at 10:41:10AM -0400, Scott Helms wrote:
Correct, I don't believe that any of the providers noted are actually
Disappointing that nanog readers can't read
http://www.paxfire.com/faqs.php and get
a clue, instead all the mouth-flapping about MItM and https. While
Maybe instead of jumping to the conclusion NANOG readers should "get a
you should actually do a little more research than reading a glossyware/
vacant FAQ that doesn't actually explain everything Paxfire is reported to
do, how it works, and what the criticism is?
I'm not jumping to conclusions, merely speaking to evidence. My
personal experience involves leaving a job at a network that
insisted on implementing some of this dreck. There is a well-known,
long-standing "monetization" by breaking NXDOMAIN. DSLreports
and plenty of other end-user fora have been full of information
regarding this since Earthlink started doing it in ... 2006?
Changing NXDOMAIN queries to an ISP's _own_ recursive servers is old hat,
and not the issue.
That sentence makes no sense. Hijacking NXDOMAIN doesn't have anything
to do with pointing to a recursive resolver, but returning a partner/
affiliate web site, search "helper" site or proxy instead of the
What the FAQ doesn't tell you is that the Paxfire appliances can tamper
traffic received from authoritative DNS servers not operated by the ISP.
A paxfire box can alter NXDOMAIN queries, and queries that respond with
known search engines' IPs.
to send your HTTP traffic to their HTTP proxies instead.
This is finally something new, and I retract my assertion that the New
Scientist got it wrong. Drilling through to actual evidence and details,
rather than descriptions which match previous behavior, we have both
http://www.usenix.org/event/leet11/tech/full_papers/Zhang.pdf (a little
indirect with 'example.com', etc) and
http://www.payne.org/index.php/Frontier_Search_Hijacking (with actual
domains) provide detail on the matter.
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
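
A detection check for the two behaviours discussed in this thread (an NXDOMAIN answer replaced with an address, and altered answers for a search-engine name), added here as an example that is not part of the original post. The probe name, search name, addresses and trusted baseline are constructed placeholders, and the responses are built inline rather than captured.

```python
import struct

def skip_name(msg, pos):
    """Advance past a DNS name (labels, possibly ending in a compression pointer)."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)

def parse_response(msg):
    """Return (rcode, [IPv4 addresses from A records]) for a DNS response."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4            # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(".".join(map(str, msg[pos + 10:pos + 14])))
        pos += 10 + rdlen
    return flags & 0x000F, addrs

def classify(probe_resp, search_resp, baseline):
    """Flag a rewritten NXDOMAIN and search-engine answers outside the baseline."""
    findings = []
    rcode, addrs = parse_response(probe_resp)    # probe = name that cannot exist
    if rcode != 3 and addrs:                     # 3 = NXDOMAIN
        findings.append(("nxdomain-rewritten", addrs))
    _, seen = parse_response(search_resp)
    off = [a for a in seen if a not in baseline]
    if off:
        findings.append(("search-answer-off-baseline", off))
    return findings

def build_response(qname, rcode, addrs):
    """Build a constructed sample response (not captured traffic)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += q + struct.pack("!HH", 1, 1)
    for a in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(map(int, a.split(".")))
    return msg

BASELINE = {"198.51.100.10"}   # constructed: address seen over a trusted path
honest = classify(build_response("k3j9x7q2.example.net", 3, []),
                  build_response("search.example", 0, ["198.51.100.10"]), BASELINE)
tampered = classify(build_response("k3j9x7q2.example.net", 0, ["203.0.113.7"]),
                    build_response("search.example", 0, ["203.0.113.8"]), BASELINE)
print(honest, tampered)
```

Search-engine addresses legitimately vary by region and over time, so an off-baseline answer is a lead to investigate rather than proof of tampering.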