Subject: Re: DNS Blacklist feature
To: None <darcy@NetBSD.org>
From: Michael Lorenz <macallan@netbsd.org>
List: tech-kern
Date: 11/05/2007 16:17:59

Hello,

On Nov 5, 2007, at 16:06, D'Arcy J.M. Cain wrote:

> How do we feel about a mod to the resolver library to implement a DNS
> blacklist?  Verizon and others are starting to resurrect sitefinder on
> a local basis.  It occurs to me that one self-defense mechanism would
> be the ability to add a line to /etc/resolv.conf that declares certain
> IP addresses as evil^H^H^H^Hinaccurate and treat responses with those
> addresses as returning NXDOMAIN.  This would allow users behind those
> hijacking DNS servers to identify and redirect the redirection.

EarthLink pulled similar crap a while ago - they do however have a
few spare DNS servers that do not redirect any failed lookup to some
crummy search site. Took me almost a day to find the IPs, they were
well hidden on their customer support site. Prior to that I just had
a hosts entry that redirected EarthLink's sitefinder knockoff to
localhost.
There are also quite a few DNS servers that answer queries coming
from outside their own network, EarthLink's for instance (at least
those that don't do crummy redirections do answer queries from
outside EarthLink's IP range).

have fun
Michael
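
The filter proposed in the quoted message, sketched as an added example (not code from this thread or from the NetBSD resolver): a resolv.conf-style line lists the redirect addresses, and any answer containing one of them is reported as NXDOMAIN. The "blacklist" keyword, the function names and the sample addresses (documentation ranges) are assumptions, and only IPv4 A records are handled.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#define MAX_BAD 16
struct dns_blacklist { struct in_addr addr[MAX_BAD]; int n; };

/* Parse one resolv.conf-style line; "blacklist" is a hypothetical keyword.
 * Returns the number of addresses added, or -1 for any other line. */
int blacklist_parse_line(struct dns_blacklist *bl, const char *line) {
    const char *p = line + strspn(line, " \t");
    char tok[INET_ADDRSTRLEN];
    int added = 0;
    if (strncmp(p, "blacklist", 9) != 0 || (p[9] != ' ' && p[9] != '\t'))
        return -1;
    for (p += 9;;) {
        p += strspn(p, " \t\n");           /* skip separators */
        size_t len = strcspn(p, " \t\n");  /* length of next token */
        if (len == 0) break;
        if (len < sizeof(tok) && bl->n < MAX_BAD) {
            memcpy(tok, p, len); tok[len] = '\0';
            /* tokens that are not valid IPv4 addresses are ignored */
            if (inet_pton(AF_INET, tok, &bl->addr[bl->n]) == 1) { bl->n++; added++; }
        }
        p += len;
    }
    return added;
}

/* 1 if any A record in the answer is blacklisted: caller reports NXDOMAIN. */
int blacklist_hit(const struct dns_blacklist *bl, const struct in_addr *ans, int nans) {
    for (int i = 0; i < nans; i++)
        for (int j = 0; j < bl->n; j++)
            if (ans[i].s_addr == bl->addr[j].s_addr) return 1;
    return 0;
}

/* Demo wrapper: one config line, one answer address. */
int would_block(const char *conf_line, const char *answer_ip) {
    struct dns_blacklist bl = { .n = 0 };
    struct in_addr a;
    if (blacklist_parse_line(&bl, conf_line) < 0) return 0;
    if (inet_pton(AF_INET, answer_ip, &a) != 1) return 0;
    return blacklist_hit(&bl, &a, 1);
}

int main(void) {
    const char *line = "blacklist 192.0.2.10 198.51.100.7"; /* constructed sample */
    printf("%d %d\n", would_block(line, "198.51.100.7"), would_block(line, "203.0.113.5"));
    return 0;
}
```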