Subject: Re: DNS Blacklist feature
To: None <>
From: Matthew Mondor <>
List: tech-kern
Date: 11/06/2007 14:52:39
On Monday, 5 Nov 2007 4:07:04
"D'Arcy J.M. Cain" <> wrote:

> How do we feel about a mod to the resolver library to implement a
> DNSblacklist?  Verizon and others are starting to resurrect
> sitefinder ona local basis.  It occurs to me that one self-defense
> mechanism wouldbe the ability to add a line to /etc/resolv.conf
> that declares certainIP addresses as evil^H^H^H^Hinaccurate and
> treat responses with thoseaddresses as returning NXDOMAIN.  This
> would allow users behind thosehijacking DNS servers to identify
> and redirect the redirection.

I noticed that my ISP deployed something similar lately but I solved
the problem at the LAN caching DNS server (using higher order DNS
servers rather than the ISP's).  I guess that another way would be to
use ipfilter or route as well...  What you suggest also seems like a
good idea to me.

I actually was considering filling a complaint to my ISP about it :)
Matthew Mondor