Subject: Re: DNS Blacklist feature
To: Darren Reed <darrenr@netbsd.org>
From: D'Arcy J.M. Cain <darcy@NetBSD.org>
List: tech-net
Date: 11/05/2007 16:40:23
On Mon, 05 Nov 2007 13:37:01 -0800
Darren Reed <darrenr@netbsd.org> wrote:
> Moving this to tech-net...
> 
> D'Arcy J.M. Cain wrote:
> > How do we feel about a mod to the resolver library to implement a DNS
> > blacklist?  Verizon and others are starting to resurrect sitefinder on
> > a local basis.  It occurs to me that one self-defense mechanism would
> > be the ability to add a line to /etc/resolv.conf that declares certain
> > IP addresses as evil^H^H^H^Hinaccurate and treat responses with those
> > addresses as returning NXDOMAIN.  This would allow users behind those
> > hijacking DNS servers to identify and redirect the redirection.
> 
> What exactly is the problem?
> Queries for non-existent names return an A record that points
> to one of their web servers saying "welcome"?
> Do they do it when recursion is both enabled and disabled?

I didn't want to start the whole NANOG discussion here about why this
is a bad thing, see NANOG archives for that, but here is the short
answer.  What does your ssh/ftp/email/irc/etc client do with that
response?  The Internet != web pages.

-- 
D'Arcy J.M. Cain <darcy@NetBSD.org>
http://www.NetBSD.org/
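The resolver-side check proposed in the quoted message, as an added example that is not part of the original thread or of the NetBSD resolver: a Python sketch that reads a hypothetical `blacklist` line from resolv.conf-style text, pulls the A records out of a DNS response, and reports NXDOMAIN when any answer address falls in a listed range. The `blacklist` keyword, the addresses and the response bytes are all constructed for this example.

```python
import ipaddress
import struct
# Constructed resolv.conf-style text; the "blacklist" keyword is hypothetical.
RESOLV_CONF = """nameserver 192.0.2.53
blacklist 192.0.2.100 198.51.100.0/24
"""

def parse_blacklist(text):
    """Addresses and prefixes named on 'blacklist' lines."""
    return [ipaddress.ip_network(p, strict=False)
            for line in text.splitlines() if line.startswith("blacklist ")
            for p in line.split()[1:]]

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length

def answer_addresses(msg):
    """Yield the IPv4 addresses carried by A records in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                           # fixed 12-byte header
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QNAME, then QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10                      # TYPE, CLASS, TTL, RDLENGTH
        if rtype == 1 and rdlen == 4:  # A record
            yield ipaddress.ip_address(msg[off:off + 4])
        off += rdlen

def effective_rcode(msg, nets):
    """RCODE the caller should see: 3 (NXDOMAIN) if any answer is a listed address."""
    rcode = struct.unpack_from("!H", msg, 2)[0] & 0x0F
    if rcode == 0 and any(a in n for a in answer_addresses(msg) for n in nets):
        return 3
    return rcode

def build_response(name, addr):
    """Constructed A-record response for testing; not captured traffic."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(addr).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

A real implementation would also need to decide what to do with mixed answers and with AAAA records, which this sketch ignores.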