<div dir="ltr"><br><div>Seems to be specific resolvers getting targeted with simple no-export routes within the ISPs. Intercepting all :53 traffic would look pretty different.</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Sat, Mar 29, 2014 at 6:28 PM, Dave Warren <span dir="ltr"><<a href="mailto:davew@hireahit.com" target="_blank">davew@hireahit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div class="">
    <div>On 2014-03-29 18:20, Colm MacCárthaigh
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div>You're right, one of the many whoami records would work
          too, but I usually avoid those for two reasons;  1. users
          mostly don't know how to make DNS queries and often copy the
          wrong IP address back in their reports, and 2) the response is
          cacheable and so unreliable when your resolver has multiple
          IPs, or if you're testing several resolvers from behind a
          caching stub resolver. So I wrote the HTTP/Javscript interface
          with a cache buster to get rid of the problem.</div>
        <div><br>
        </div>
        <div>HackerNews user  <a href="https://news.ycombinator.com/user?id=erhanerdogan" style="color:rgb(130,130,130);text-decoration:none;font-family:Verdana;font-size:11px;background-color:rgb(246,246,239)" target="_blank">erhanerdogan</a> got
          back to me with a report: <a href="https://news.ycombinator.com/item?id=7494650" target="_blank">https://news.ycombinator.com/item?id=7494650</a> </div>
        <div><br>
        </div>
        <div>Which looks like Google/OpenDNS are being replaced, rather
          than MITM'd or proxied. But I'd still be interested in more
          data. </div>
        <br>
      </div>
    </blockquote>
    <br></div>
    Is it just Google/OpenDNS or all :53 traffic? Is recursive vs not a
    factor? Most interesting indeed.<span class="HOEnZb"><font color="#888888"><br>
    <pre cols="72">-- 
Dave Warren
<a href="http://www.hireahit.com/" target="_blank">http://www.hireahit.com/</a>
<a href="http://ca.linkedin.com/in/davejwarren" target="_blank">http://ca.linkedin.com/in/davejwarren</a>

</pre>
  </font></span></div>




<br>_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations<br>
dns-jobs</a> mailing list<br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-jobs" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-jobs</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Colm
</div>