On 2010-01-27, at 02:03, Bradley Scarisbrick wrote:
Is anyone out there aware of any providers in New Zealand making use of DNS interception? I know this has been done in the US and some other countries in the past (and probably present as well).
I'd be interested to hear if anyone has any information about this
This motel in Hamilton has it. They redirect UDP/53 packets directed to anywhere other than their own nameservers to a separate box, and then send you a reply from an unexpected source address so that your local resolver throws it away. It's all very special. Incidentally, as you might have noticed from Mehmet's announcement a little while ago we're getting close to finishing the roll-out of a DNSSEC-signed root zone across L-Root. If anybody observes any interesting effects, I'd be very happy to hear about them. See http://www.root-dnssec.org/ for details of what we're up to. I hope to have some initial graphs showing the effect on traffic by the time I talk about this on Friday. Joe [calamari:~]% dig @L.ROOT-SERVERS.NET . DNSKEY +norec +dnssec ; <<>> DiG 9.4.3-P3 <<>> @L.ROOT-SERVERS.NET . DNSKEY +norec +dnssec ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24752 ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;. IN DNSKEY ;; ANSWER SECTION: . 86400 IN DNSKEY 256 3 8 AwEAAa1Lh++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ +++++++8 . 86400 IN DNSKEY 257 3 8 AwEAAawBe++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU LD/NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MOR E/INFORMATION+++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++8= . 86400 IN RRSIG DNSKEY 8 0 86400 20100204235959 20100121000000 19324 . NO9bHgWYB3wQlVZXQKwDGUjTgIyfz1i8aWH8nBlT5isnYbr6PTfR4fWl Sx8+avFfR0fVekauaQelKOyiUav4H9Y1AZ2OBguu7RjozQu1qErKboWd 1NglIIOGar0Ol4Ur9+4bo2LSxjp/X4ESypW0lX04z5uB6DZZei1zafzR GUnLIMdV9xdKEOJrm9UCKvYK5g8bjRq8KA8vT+pidexZMrBQ3ie8R9da f/s6VK7zUJK0jF1vqhPbZFSQmBpJUlxh4VnOv7nnhcq4Moj49wqmNxKR qfvSwHAJBG6dEgShnlu/rfVsdxfFUCjIGX8YnSC7lYqODwgUGh+i/arA AK+bzg== ;; Query time: 118 msec ;; SERVER: 199.7.83.42#53(199.7.83.42) ;; WHEN: Wed Jan 27 13:46:53 2010 ;; MSG SIZE rcvd: 736 [calamari:~]% [calamari:~]% dig @L.ROOT-SERVERS.NET NZ +norec +dnssec ; <<>> DiG 9.4.3-P3 <<>> @L.ROOT-SERVERS.NET NZ +norec +dnssec ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8180 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 12 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;NZ. IN A ;; AUTHORITY SECTION: nz. 172800 IN NS ns1.dns.net.nz. nz. 172800 IN NS ns2.dns.net.nz. nz. 172800 IN NS ns3.dns.net.nz. nz. 172800 IN NS ns4.dns.net.nz. nz. 172800 IN NS ns5.dns.net.nz. nz. 172800 IN NS ns6.dns.net.nz. nz. 172800 IN NS ns7.dns.net.nz. nz. 86400 IN NSEC om. NS RRSIG NSEC nz. 86400 IN RRSIG NSEC 8 1 86400 20100203080000 20100127070000 23763 . JbUXfqwKpL7QH8FU3MM6P7eroa8txXDuDn7yhx6ijuIuVjR8uQgEV3Py yThE3BTmYRow670K9BbGSbYBrqfdpmTJVD80na7TNsqpOWabbY9KI73j Q4wmlWItjYRTXuGOtzNGhBnYjv1VqtzGKVh4YCJ/LOzqNl3R+WCRcOVw 2hY= ;; ADDITIONAL SECTION: ns1.dns.net.nz. 172800 IN A 202.46.190.130 ns2.dns.net.nz. 172800 IN A 202.46.187.130 ns3.dns.net.nz. 172800 IN A 202.46.188.130 ns4.dns.net.nz. 172800 IN A 202.46.189.130 ns5.dns.net.nz. 172800 IN A 156.154.100.14 ns6.dns.net.nz. 172800 IN A 156.154.101.14 ns7.dns.net.nz. 172800 IN A 194.146.106.54 ns1.dns.net.nz. 172800 IN AAAA 2001:dce:2000:2::130 ns2.dns.net.nz. 172800 IN AAAA 2001:dce:4000:2::130 ns5.dns.net.nz. 172800 IN AAAA 2001:502:ad09::14 ns6.dns.net.nz. 172800 IN AAAA 2001:502:2eda::14 ;; Query time: 119 msec ;; SERVER: 199.7.83.42#53(199.7.83.42) ;; WHEN: Wed Jan 27 13:46:20 2010 ;; MSG SIZE rcvd: 574 [calamari:~]%