Re: Earthlink Contact - DNS cache poisoning
On Sat, Sep 24, 2011 at 9:21 PM, Will Dean wrote: > > On Sep 24, 2011, at 9:07 PM, Christopher Morrow wrote: > >> On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess wrote: >> I think actually.. earthlink uses barefruit? (or they did when ... >> kaminsky was off doing his destruction of the dns liars gangs...) >> Maybe the same backend is used though for the advertizer side? >> (barefruit provides the appliance, some third-party is the >> advertiser/website-host... same for paxfire?) >> > > Barefruit was just for returning a search engine result for a NXDOMAIN > response. ah, paxfire does the same... > > It appears Earthlink is now using Paxfire to sniff and proxy a users traffic > to at least one popular website. Besides the obvious privacy implications, it > introduces a nice captcha on Google. hrm, they could simply use the appliances to answer: "www.google.com -> jomax.net-ns-answer" which is a frontend simply 30[24]'ing off to the jomax-esque site... Oh, you get the captcha though via earthlink? that sucks :( -chris
Re: Earthlink Contact - DNS cache poisoning
On Sep 24, 2011, at 9:07 PM, Christopher Morrow wrote: > On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess wrote: > I think actually.. earthlink uses barefruit? (or they did when ... > kaminsky was off doing his destruction of the dns liars gangs...) > Maybe the same backend is used though for the advertizer side? > (barefruit provides the appliance, some third-party is the > advertiser/website-host... same for paxfire?) > Barefruit was just for returning a search engine result for a NXDOMAIN response. It appears Earthlink is now using Paxfire to sniff and proxy a users traffic to at least one popular website. Besides the obvious privacy implications, it introduces a nice captcha on Google. - Will
Re: Earthlink Contact - DNS cache poisoning
On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess wrote: > On Sat, Sep 24, 2011 at 7:43 PM, Will Dean wrote: > > The "JOMAX.NET" response is indicative that there's a Paxfire box > in the mix, > intercepting the DNS query (probably installed by the ISP). > I think actually.. earthlink uses barefruit? (or they did when ... kaminsky was off doing his destruction of the dns liars gangs...) Maybe the same backend is used though for the advertizer side? (barefruit provides the appliance, some third-party is the advertiser/website-host... same for paxfire?) > >> Anyone out there in Earthlink land? I am seeing what looks to be a cache >> poisoning attack on ns1.mindspring.com. > >> ;; AUTHORITY SECTION: >> www.google.com. 65535 IN NS WSC2.JOMAX.NET. >> www.google.com. 65535 IN NS WSC1.JOMAX.NET. > > > -- > -JH > >
Re: Earthlink Contact - DNS cache poisoning
On Sat, Sep 24, 2011 at 7:43 PM, Will Dean wrote: The "JOMAX.NET" response is indicative that there's a Paxfire box in the mix, intercepting the DNS query (probably installed by the ISP). > Anyone out there in Earthlink land? I am seeing what looks to be a cache > poisoning attack on ns1.mindspring.com. > ;; AUTHORITY SECTION: > www.google.com. 65535 IN NS WSC2.JOMAX.NET. > www.google.com. 65535 IN NS WSC1.JOMAX.NET. -- -JH