[145008] in North American Network Operators' Group


Re: Earthlink Contact - DNS cache poisoning

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Sat Sep 24 21:08:46 2011

In-Reply-To: <CAAAwwbVY6W5tyE7dQbP1cUX_ExbFrAQW7KzGLOceS5G-dFRCog@mail.gmail.com>
Date: Sat, 24 Sep 2011 21:07:16 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Jimmy Hess <mysidia@gmail.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess <mysidia@gmail.com> wrote:
> On Sat, Sep 24, 2011 at 7:43 PM, Will Dean <will@willscorner.net> wrote:
>
> The "JOMAX.NET" response is indicative that there's a Paxfire box
> in the mix,
> intercepting the DNS query (probably installed by the ISP).
>

I think actually.. Earthlink uses Barefruit? (or they did when ...
Kaminsky was off doing his destruction of the DNS liars gangs...)
Maybe the same backend is used though for the advertiser side?
(Barefruit provides the appliance, some third-party is the
advertiser/website-host... same for Paxfire?)

>
>> Anyone out there in Earthlink land? I am seeing what looks to be a cache poisoning attack on ns1.mindspring.com.
>
>> ;; AUTHORITY SECTION:
>> www.google.com.         65535   IN      NS      WSC2.JOMAX.NET.
>> www.google.com.         65535   IN      NS      WSC1.JOMAX.NET.
>
>
> --
> -JH
>
>

