Hello and welcome to the Wednesday, May 8, 2004 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from San Francisco, California.

Well, I think I mentioned on Monday or last Friday that I'm going to talk a little bit more about DNS this week.

The article that I published earlier today is about DNS spoofing done by ISPs,

in this particular case by Comcast or Xfinity.

It actually all started with me not being able to get to bleepingcom.com. You may know

that security news site. Well, it turned out that Comcast identified the website as malicious

for some reason, something that often happened sort of as a false positive for securing new sites like this,

and certainly at the Internet Storm Center, we have had issues with that in the past as well.

Now, Comcast is not just blocking the responses from its own DNS servers, but it actually

appears to be actively intercepting DNS queries to any DNS server.

And I'm talking a little bit about how to identify if your ISPs doing that.

Sort of I find the best way to actually figure out if your traffic is intercepted,

part of using DNSSEC, which of course is not always supported,

is that you take a look at how long responses take. If responses are very consistent, no matter what

DNS server you're using, and as an example here with Comcast, I'm actually using a Chinese

DNS server that has exactly the same response time as any other DNS server that I've tried with

Comcast. Another method that's not always as telling is looking at the PTL values being returned, whether or not they're

basically consistent across these different DNS servers. Whenever a recursive DNS server is

caching DNS response, it will start decreending its time to live, depending on how long it's already sitting in the cache.

And if you have multiple DNS servers that are actually just one DNS server,

then the time to live between these DNS servers will be consistent,

...