Subject: Re: DNS Blacklist feature
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: D'Arcy J.M. Cain <darcy@NetBSD.org>
List: tech-net
Date: 11/05/2007 17:10:46
On Mon, 5 Nov 2007 21:42:44 +0000
"Steven M. Bellovin" <smb@cs.columbia.edu> wrote:
> And the feature won't help.  This nonsense is implemented by Verizon in
> their customer-facing caching servers, whose addresses are handed out
> by dhcp.  You can even opt out, in which case you get different IP
> addresses, per
> http://netservices.verizon.net/portal/link/help/item?case=c32535 (tell
> the form you're using FIOS and Verizon Online).

Perhaps I am not explaining myself clearly.  The feature doesn't change
the server that you use for DNS.  It is meant to examine responses from
any server that you may be using and if you get a "bad" response it
treats it as an NXDOMAIN response.  A "bad" response is one that matches
the IPs that you list.

Perhaps an example.

Let's say that I have a DSL modem that picks up my ISP's nameserver
automatically and I use the modem's DNS server on my NetBSD box behind
the modem.  I ftp from ftp.NetBSD.ogr.  The ISP catches my typo and
returns IP 1.2.3.4 which is its own "helpful" web server.  Since it is
not an ftp server I wind up thinking that NetBSD's ftp server is down.

If I find out that my ISP is redirecting misses to 1.2.3.4 I go
into /etc/resolv.conf and add a line that says that 1.2.3.4 is a "bad"
IP.  Now whenever I make a mistake I get a proper response that the
host address I typed is invalid and I can fix my error right away.

-- 
D'Arcy J.M. Cain <darcy@NetBSD.org>
http://www.NetBSD.org/
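An added example, not NetBSD's code, of the resolver-side filter the message describes: it reads a constructed resolv.conf that uses a hypothetical "blacklist" directive (the thread does not name the real keyword), pulls the A records out of a raw DNS response, and answers NXDOMAIN when any address falls in the list. The CIDR support goes one step beyond the single-IP case in the message.

```python
import ipaddress
import struct

# Constructed config; 'blacklist' is a hypothetical directive name, not NetBSD's.
SAMPLE_RESOLV_CONF = "nameserver 192.0.2.53\nblacklist 1.2.3.4\nblacklist 198.51.100.0/24\n"

def parse_blacklist(text):
    """Networks named by 'blacklist' lines; a bare IP becomes a /32."""
    return [ipaddress.ip_network(line.split()[1], strict=False)
            for line in text.splitlines() if line.startswith("blacklist ")]

def _skip_name(msg, off):
    """Advance past a (possibly compressed) DNS name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def answer_addresses(msg):
    """IPv4 addresses found in the answer section of a raw DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(ipaddress.ip_address(msg[off:off + 4]))
        off += rdlen
    return addrs

def filter_response(msg, blacklist):
    """Return 'NXDOMAIN' if any answer hits the list, else the answer addresses."""
    addrs = answer_addresses(msg)
    if any(addr in net for addr in addrs for net in blacklist):
        return "NXDOMAIN"
    return [str(addr) for addr in addrs]

def build_response(name, ip):
    """Constructed sample reply: one question plus one A answer (compressed name)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.ip_address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer
```

With the sample config, a typo'd name that the ISP resolves to 1.2.3.4 comes back as NXDOMAIN, while a reply pointing at an address outside the list passes through unchanged.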