Subject: Re: DNS Blacklist feature
To: None <darcy@NetBSD.org>
From: M Graff <email@example.com>
Date: 11/07/2007 10:45:17
D'Arcy J.M. Cain wrote:
> How do we feel about a mod to the resolver library to implement a DNS
> blacklist? Verizon and others are starting to resurrect sitefinder on
> a local basis. It occurs to me that one self-defense mechanism would
> be the ability to add a line to /etc/resolv.conf that declares certain
> IP addresses as evil^H^H^H^Hinaccurate and treat responses with those
> addresses as returning NXDOMAIN. This would allow users behind those
> hijacking DNS servers to identify and redirect the redirection.
I don't know how I feel about DNS blacklists, but I do feel it should
not go in /etc/resolv.conf. That file is sort of "owned" by dhclient
when I use it, and it's hard to change major parts of it.
Also, I might want to subscribe to a published "ISPs suck" DNS server
blacklist, so perhaps I'd use wget, rsync, etc. to fetch daily copies
from a trusted source.
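The filtering the thread proposes, as an added example that is not code from the thread or from NetBSD's resolver: the blacklist lives in its own file (not in resolv.conf, as the reply argues, so a fetched copy can replace it wholesale), and an answer whose records all point into blacklisted ranges is mapped to NXDOMAIN. The sample addresses are constructed from RFC 5737 / RFC 3849 documentation ranges.

```python
import ipaddress
from typing import List, Optional


def parse_blacklist(text: str) -> list:
    """Parse a blacklist of addresses or CIDRs, one per line, '#' comments allowed.

    Kept in its own file rather than resolv.conf so a daily fetched copy
    (wget, rsync, ...) can simply overwrite it."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def filter_answers(addrs: List[str], blacklist: list) -> Optional[List[str]]:
    """Drop answer records that point into a blacklisted range.

    Returns the surviving addresses, or None to signal NXDOMAIN when every
    record was a redirect landing address (the behaviour proposed in the
    thread). A partly hijacked answer keeps its legitimate records."""
    kept = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # mixed-version comparison (v6 address vs v4 net) is simply False
        if not any(ip in net for net in blacklist):
            kept.append(a)
    return kept or None


# Constructed sample: documentation ranges stand in for the landing addresses
# a search-redirecting resolver substitutes for NXDOMAIN.
SAMPLE_BLACKLIST = """
# constructed example blacklist; not any real provider's addresses
192.0.2.0/24      # search-redirect landing pages
198.51.100.7      # a single redirect host
"""

if __name__ == "__main__":
    bl = parse_blacklist(SAMPLE_BLACKLIST)
    # nonexistent name: the hijacking resolver answers with a landing address
    print(filter_answers(["192.0.2.55"], bl))                 # None -> NXDOMAIN
    # legitimate name: its records pass through untouched
    print(filter_answers(["203.0.113.9", "2001:db8::1"], bl))
```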