Re: Hey, SiteFinder is back, again...

2007-11-06 Thread Robert Bonomi
> From: Steve Atkins <[EMAIL PROTECTED]> > Subject: Re: Hey, SiteFinder is back, again... > Date: Tue, 6 Nov 2007 13:07:14 -0800 > > On Nov 6, 2007, at 12:20 PM, Robert Bonomi wrote: > >> From: Barry Shein <[EMAIL PROTECTED]> > >> Date: Tue, 6

Re: Hey, SiteFinder is back, again...

2007-11-06 Thread Martin Hannigan
On Nov 6, 2007 5:35 PM, Greg Skinner <[EMAIL PROTECTED]> wrote: > > [ snip ] > Hmmm. When using IE 7 on Windows Vista out of the box, and I give it > a non-existent domain, it prompts me to connect to a network (even if > I'm already connected to one). It also puts the browser in "work > offlin

Re: Hey, SiteFinder is back, again...

2007-11-06 Thread Greg Skinner
Bill Stewart wrote: > When Verisign hijacked the wildcard DNS space for .com/.net, they > encoded the Evil Bit in the response by putting Sitefinder's IP > address as the IP address. In theory you could interpret that as > damage and route around it, or at least build ACLs to block any > traffic

Re: Hey, SiteFinder is back, again...

2007-11-06 Thread Steve Atkins
On Nov 6, 2007, at 12:20 PM, Robert Bonomi wrote: From: Barry Shein <[EMAIL PROTECTED]> Date: Tue, 6 Nov 2007 13:05:26 -0500 Subject: Re: Hey, SiteFinder is back, again... Since this is verizon, one wonders why this has never been tried on wrong, non-working phone numbers?

Re: Hey, SiteFinder is back, again...

2007-11-06 Thread Robert Bonomi
> From: Barry Shein <[EMAIL PROTECTED]> > Date: Tue, 6 Nov 2007 13:05:26 -0500 > Subject: Re: Hey, SiteFinder is back, again... > > Since this is verizon, one wonders why this has never been tried on > wrong, non-working phone numbers? > > Visit your local ch

Re: Hey, SiteFinder is back, again...

2007-11-06 Thread Barry Shein
Since this is verizon, one wonders why this has never been tried on wrong, non-working phone numbers? Visit your local chevy dealer, no interest for 12 months! We're sorry, the number you have reached is it illegal? How long before they'll just make you sit thru a few seconds o

Re: Hey, SiteFinder is back, again...

2007-11-06 Thread Steven M. Bellovin
On Mon, 5 Nov 2007 23:46:08 -0800 "Christopher Morrow" <[EMAIL PROTECTED]> wrote: > > On 11/5/07, Eliot Lear <[EMAIL PROTECTED]> wrote: > > > > > Cough. So, how much is that NXDOMAIN worth to you? > > So, here's the problem really... NXDOMAIN is being judged as a > 'problem'. It's really only

RE: Hey, SiteFinder is back, again...

2007-11-06 Thread Frank Bulk - iNAME
ittle jerky. Frank -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stefan Bethke Sent: Monday, November 05, 2007 11:38 PM To: Stephane Bortzmeyer Cc: nanog@merit.edu Subject: Re: Hey, SiteFinder is back, again... Am 05.11.2007 um 17:16 schrieb Ste

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Christopher Morrow
On 11/5/07, Eliot Lear <[EMAIL PROTECTED]> wrote: > > Cough. So, how much is that NXDOMAIN worth to you? So, here's the problem really... NXDOMAIN is being judged as a 'problem'. It's really only a 'problem' for a small number of APPLICATIONS on the Internet. One could even argue that in a web-

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Eliot Lear
David Conrad wrote: > > On Nov 5, 2007, at 2:13 PM, Bora Akyol wrote: >> Do common endpoints (Windows Vista/XP, MacOS X 10.4/5) support DNSSEC >> Validation? If not, then do people have a choice? > > Yes and no. Of course, nobody supports the "Evil bit" today, so some change would be necessary on

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Stefan Bethke
On 05.11.2007 at 17:16, Stephane Bortzmeyer wrote: 3) Provide DNS recursors which do the mangling *and* block users, either by filtering out port 53 or by giving them a RFC 1918 address with no NAT for this port. I've seen 1) and 2) in the wild and I am certain I will see 3) one day or the ot

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Mark Andrews
> Mark, > > On Nov 5, 2007, at 5:31 PM, Mark Andrews wrote: > > All you have to do is move the validation to a machine you > > control to detect this garbage. > > You probably don't need to bother with DNSSEC validation to stop the > Verizon redirection. All you need do is run a cach

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread David Conrad
Mark, On Nov 5, 2007, at 5:31 PM, Mark Andrews wrote: All you have to do is move the validation to a machine you control to detect this garbage. You probably don't need to bother with DNSSEC validation to stop the Verizon redirection. All you need do is run a caching server

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Mark Andrews
In article <[EMAIL PROTECTED]> you write: > >On Nov 5, 2007, at 8:23 AM, David Lesher wrote: >> What effect will Allegedly Secure DNS have on such provider >> hijackings, both of DNS and crammed-in content? > >If what Verizon is doing is rewriting NXDOMAIN at their caching >servers, DNSSEC will

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Mark Andrews
In article <[EMAIL PROTECTED]> you write: > >On Sun, 4 Nov 2007 11:52:11 -0500 (EST) >Sean Donelan <[EMAIL PROTECTED]> wrote: > >> I just wish the IETF would acknowledge this and go ahead and define a >> DNS bit for artificial DNS answers for all these "address correction" and >> "domain parking"

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread David Conrad
On Nov 5, 2007, at 2:13 PM, Bora Akyol wrote: Do common endpoints (Windows Vista/XP, MacOS X 10.4/5) support DNSSEC Validation? If not, then do people have a choice? Yes and no. If you run your own caching server and that caching server supports DNSSEC and you enable DNSSEC and set up/maint

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Bora Akyol
Do common endpoints (Windows Vista/XP, MacOS X 10.4/5) support DNSSEC Validation? If not, then do people have a choice? Regards Bora On 11/5/07 11:54 AM, "Steven M. Bellovin" <[EMAIL PROTECTED]> wrote: > > On Mon, 5 Nov 2007 11:17:29 -0800 > David Conrad <[EMAIL PROTECTED]> wrote: > >> On

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Tim Wilde
David Conrad wrote: > > As an aside, I note that Verizon is squatting on address space allocated > to APNIC. From the self-help web page offered to opt out of this > "service" (specific to the particular hardware customers might be using, > e.g., http://netservices.verizon.net/portal/link/help/i

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread David Conrad
On Nov 5, 2007, at 11:54 AM, Steven M. Bellovin wrote: On Nov 5, 2007, at 8:23 AM, David Lesher wrote: What effect will Allegedly Secure DNS have on such provider hijackings, both of DNS and crammed-in content? If what Verizon is doing is rewriting NXDOMAIN at their caching servers, DNSSEC wi

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Steven M. Bellovin
On Mon, 5 Nov 2007 11:17:29 -0800 David Conrad <[EMAIL PROTECTED]> wrote: > On Nov 5, 2007, at 8:23 AM, David Lesher wrote: > > What effect will Allegedly Secure DNS have on such provider > > hijackings, both of DNS and crammed-in content? > > If what Verizon is doing is rewriting NXDOMAIN at th

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread D'Arcy J.M. Cain
On Mon, 5 Nov 2007 17:16:11 +0100 Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote: > > On Mon, Nov 05, 2007 at 10:54:05AM -0500, > Andrew Sullivan <[EMAIL PROTECTED]> wrote > a message of 29 lines which said: > > > One could argue that it is less evil to do this at recursive > > servers, becaus

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread David Conrad
On Nov 5, 2007, at 8:23 AM, David Lesher wrote: What effect will Allegedly Secure DNS have on such provider hijackings, both of DNS and crammed-in content? If what Verizon is doing is rewriting NXDOMAIN at their caching servers, DNSSEC will _not_ help. Caching servers do the validation an

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread David Conrad
I think ICANN should probably come out and specify that doing wildcard matching on TLD delegations is Not A Good thing. You mean like http://www.icann.org/committees/security/sac015.htm ? Regards, -drc

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread David Conrad
Hi, Based on the procedures they document to opt-out, doesn't look like Sitefinder-like authoritative wildcarding. Looks more like caching server NXDOMAIN rewriting. If so, easy to get around: just run your own caching server. Also means you can't defeat this using DNSSEC (if it was a

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Andrew Sullivan
On Mon, Nov 05, 2007 at 11:52:02AM -0500, Patrick W. Gilmore wrote: > authority for a TLD is bad, because most people don't have a choice of > TLD. (Or at least think they don't.) I don't think that's the reason; I think the reason is that someone who needs to rely on Name Error can't do it, i

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Bill Stewart
When Verisign hijacked the wildcard DNS space for .com/.net, they encoded the Evil Bit in the response by putting Sitefinder's IP address as the IP address. In theory you could interpret that as damage and route around it, or at least build ACLs to block any traffic to that IP address except for

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread John Kristoff
On Sun, 4 Nov 2007 11:52:11 -0500 (EST) Sean Donelan <[EMAIL PROTECTED]> wrote: > I just wish the IETF would acknowledge this and go ahead and define a > DNS bit for artificial DNS answers for all these "address correction" and > "domain parking" and "domain tasting" people to use for their keen

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Patrick W. Gilmore
On Nov 5, 2007, at 10:54 AM, Andrew Sullivan wrote: On Sun, Nov 04, 2007 at 08:32:25AM -0500, Patrick W. Gilmore wrote: A single provider doing this is not equivalent to the root servers doing it. You can change providers, you can't change "." in DNS. This is true, but Verisign wasn't doing

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Patrick W. Gilmore
On Nov 5, 2007, at 7:40 AM, Joe Greco wrote: Reinventing the DNS protocol in order to intercept odd stuff on the Web seems to me to be overkill and bad policy. Could someone kindly explain to me why the proxy configuration support in browsers could not be used for this, to limit the scope

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread David Lesher
What effect will Allegedly Secure DNS have on such provider hijackings, both of DNS and crammed-in content? [Assuming we ever get to such; I know ASD is in line to deploy just after perpetual motion and honest politicians..] -- A host is a host from coast to [EMAIL PROTECTED] & no one will t

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Stephane Bortzmeyer
On Mon, Nov 05, 2007 at 10:54:05AM -0500, Andrew Sullivan <[EMAIL PROTECTED]> wrote a message of 29 lines which said: > One could argue that it is less evil to do this at recursive > servers, because people could choose not to use that service by > installing their own full resolvers or whatev

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Phil Regnauld
Andrew Sullivan (andrew) writes: > > The last time I heard a discussion of this topic, though, I heard > someone make the point that there's a big difference between > authority servers and recursing resolvers, which is the same sort of > point as above. That is, if you do this in the authority

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Andrew Sullivan
On Sun, Nov 04, 2007 at 08:32:25AM -0500, Patrick W. Gilmore wrote: > > A single provider doing this is not equivalent to the root servers > doing it. You can change providers, you can't change "." in DNS. This is true, but Verisign wasn't doing it on root servers, IIRC, but on the .com and .

Re: Hey, SiteFinder is back, again...

2007-11-05 Thread Joe Greco
> Sean, > >> > >> Yes, it sounds like the evil bit. Why would anyone bother to set it? > > > > Two reasons > > > > 1) By standardizing the process, it removes the excuse for using > > various hacks and duct tape. > > > > 2) Because the villains in Bond movies don't view themselves as evil. > > Goo

Re: Hey, SiteFinder is back, again...

2007-11-04 Thread Eliot Lear
Sean, >> >> Yes, it sounds like the evil bit. Why would anyone bother to set it? > > Two reasons > > 1) By standardizing the process, it removes the excuse for using > various hacks and duct tape. > > 2) Because the villains in Bond movies don't view themselves as evil. > Google is happy to pre-ch

Re: Hey, SiteFinder is back, again...

2007-11-04 Thread Florian Weimer
* Sean Donelan: > I just wish the IETF would acknowledge this and go ahead and define a > DNS bit for artificial DNS answers for all these "address correction" > and "domain parking" and "domain tasting" people to use for their keen > "Web 2.0" ideas. > > And for all the other non-Web protocols w

Re: Hey, SiteFinder is back, again...

2007-11-04 Thread Sean Donelan
On Sun, 4 Nov 2007, Eliot Lear wrote: Sean Donelan wrote: I just wish the IETF would acknowledge this and go ahead and define a DNS bit for artificial DNS answers for all these "address correction" and "domain parking" and "domain tasting" people to use for their keen "Web 2.0" ideas. Yes, it

Re: Hey, SiteFinder is back, again...

2007-11-04 Thread Eliot Lear
Sean Donelan wrote: > I just wish the IETF would acknowledge this and go ahead and define a > DNS bit for artificial DNS answers for all these "address correction" > and "domain parking" and "domain tasting" people to use for their keen > "Web 2.0" ideas. Yes, it sounds like the evil bit. Why wo

Re: Hey, SiteFinder is back, again...

2007-11-04 Thread Steven M. Bellovin
On Sun, 4 Nov 2007 11:52:11 -0500 (EST) Sean Donelan <[EMAIL PROTECTED]> wrote: > > And for all the other non-Web protocols which get confused, can treat > that artificially generated crap/answers like NXDOMAIN. Yes, I know > it sounds like the evil bit; but if these folks are so convinced > p

Re: Hey, SiteFinder is back, again...

2007-11-04 Thread Sean Donelan
On Sat, 3 Nov 2007, Christopher Morrow wrote: http://www.irbs.net/internet/nanog/0607/0139.html oops, I was right (kinda). I don't think we're going to put the genie back in the bottle, despite the best efforts of some IETFers. I just wish the IETF would acknowledge this and go ahead and def

Re: Hey, SiteFinder is back, again...

2007-11-04 Thread Jeff Kell
Patrick W. Gilmore wrote: Verizon != VeriSign, despite what people think. A single provider doing this is not equivalent to the root servers doing it. You can change providers, you can't change "." in DNS. Charter has been doing this for quite some time. If you have security/network/diag

Re: Hey, SiteFinder is back, again...

2007-11-04 Thread Patrick W. Gilmore
On Nov 4, 2007, at 1:52 AM, Christopher Morrow wrote: On 11/3/07, Allan Liska <[EMAIL PROTECTED]> wrote: I know this is just anecdotal, but I have Verizon FIOS in Northern Virginia and I have not seen sitefinder pop up. I just verified with a few sites to make sure. http://www.irbs.net/i

Re: Hey, SiteFinder is back, again...

2007-11-03 Thread Christopher Morrow
On 11/3/07, Allan Liska <[EMAIL PROTECTED]> wrote: > > I know this is just anecdotal, but I have Verizon FIOS in Northern > Virginia and I have not seen sitefinder pop up. I just verified with a > few sites to make sure. > http://www.irbs.net/internet/nanog/0607/0139.html oops, I was right (ki

Re: Hey, SiteFinder is back, again...

2007-11-03 Thread Allan Liska
I know this is just anecdotal, but I have Verizon FIOS in Northern Virginia and I have not seen sitefinder pop up. I just verified with a few sites to make sure. allan On Nov 3, 2007, at 11:40 PM, David Lesher wrote: www.consumeraffairs.com/news04/2007/11/verizon_search.html November

Hey, SiteFinder is back, again...

2007-11-03 Thread David Lesher
www.consumeraffairs.com/news04/2007/11/verizon_search.html November 3, 2007 Subscribers to Verizon's high-powered fiber-optic Internet service (FiOS) are reporting that when they mistype a Web site address, they get redirected to Verizon's own search engine page -- even if they don't have