North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: DNS Hijacking by Cox

  • From: John C. A. Bambenek
  • Date: Sun Jul 22 22:32:13 2007
  • Dkim-signature: a=rsa-sha1; c=relaxed/relaxed;; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=semCtFx4STTG/9pImNL3sHpMmn13XhkTbRl8Tm014tFHIIVILnnM/NnkfilY7CRqLnF0KofrRuPcJGkJK3AP3xCi9XoYigpyZ72TWgCEXxFAXhLd3wUfP6kI0MbaJhgEXA6mgAfP8/L6lC3bY++pEeZMbz2uUGXORHdDofRTpuE=
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=P1j4Rrqiva92qvmPDtJ8THxiQgq5GOawCBb7coNHcvlpXL6Tl8i3ycDTQaThKvvniVWubeQS7qVaFWY820u8bmkhM/xCVJ/+O4HqpbpJilZOdPMB6p5EDU7nhSL4/Hk8I/kNgs6xErZHxDn4YP1KmZd1KnCGarkIXLRd4h/x5co=

Is there any indication that they've done anything other than make themselves authoritative for those DNS names and simply sent you to their IRC server instead? If so, what they have done is pretty much legal (mostly because I'm quite sure there is something in their ToS which you implicitly accepted which allows them to do this). Under net neutrality, it might be a different story.

Let's be honest, it's a band-aid lowtech fix for lowtech script
kiddies who right code like a bunch of apes with keyboards.  However,
for anyone with a remote amount of clue, they could get around this
problem in approximately 1.6 seconds with their malware.

But to get straight to the point, Cox sucks, always has.  Maybe it's
time for a real ISP?


On 7/22/07, Steven M. Bellovin <[email protected]> wrote:

On Sun, 22 Jul 2007 21:40:05 -0400 "Patrick W. Gilmore" <[email protected]> wrote:

> On Jul 22, 2007, at 9:29 PM, Steven M. Bellovin wrote:
> > On Sun, 22 Jul 2007 14:56:13 -0700
> > "Andrew Matthews" <[email protected]> wrote:
> >
> >> It looks like cox is hijacking dns for irc servers.
> >>
> > And people wonder why I support DNSsec....
> Steve,
> One of us is confused.  It might be me, but right now I think it's
> you.
> To be clear, here is the situation as I understand it: Cox has
> configured their recursive name servers such that when an end user
> queries the recursive server for a specific host name (names?), the
> recursive server responds with an IP address the host's owner did not
> configure.
> How exactly is DNSSEC going to stop them from doing this?
If my host expects the response to be signed and it isn't, my host can
scream bloody murder.  The whole point of DNSSEC is to prevent random
changes to DNS replies, whether by hackers or by ISPs.

Yes, they can change it, but they can't change it without being caught.

--Steve Bellovin,

/* [email protected] is an alias for all ISC handlers.
   Please include the list in all replies to keep everyone informed.
   You may receive more than one response */