Subject: Re: DNS Blacklist feature
To: Darren Reed <darrenr@NetBSD.org>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-net
Date: 11/05/2007 21:42:44
On Mon, 05 Nov 2007 13:37:01 -0800
Darren Reed <darrenr@NetBSD.org> wrote:

> Moving this to tech-net...
> 
> D'Arcy J.M. Cain wrote:
> > How do we feel about a mod to the resolver library to implement a
> > DNS blacklist?  Verizon and others are starting to resurrect
> > sitefinder on a local basis.  It occurs to me that one self-defense
> > mechanism would be the ability to add a line to /etc/resolv.conf
> > that declares certain IP addresses as evil^H^H^H^Hinaccurate and
> > treat responses with those addresses as returning NXDOMAIN.  This
> > would allow users behind those hijacking DNS servers to identify
> > and redirect the redirection.
> What exactly is the problem?
> Queries for non-existent names return an A record that points
> to one of their web servers saying "welcome"?
> Do they do it when recursion is both enabled and disabled?
> 
See www.consumeraffairs.com/news04/2007/11/verizon_search.html

And the feature won't help.  This nonsense is implemented by Verizon in
their customer-facing caching servers, whose addresses are handed out
by dhcp.  You can even opt out, in which case you get different IP
addresses, per
http://netservices.verizon.net/portal/link/help/item?case=c32535 (tell
the form you're using FIOS and Verizon Online).


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
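The resolver-side blacklist D'Arcy proposes, as an added example in Python (not NetBSD's resolver code): a hypothetical `blacklist` directive in resolv.conf, plus a filter that rewrites any reply whose A records point at a listed address into an NXDOMAIN reply. The directive name, the addresses and the sample wire-format reply are all constructed for the example.

```python
import struct
from ipaddress import IPv4Address

QTYPE_A, RCODE_NXDOMAIN = 1, 3

def parse_blacklist(resolv_conf: str) -> set:
    # 'blacklist' is a hypothetical resolv.conf directive, not a real keyword
    return {IPv4Address(a) for line in resolv_conf.splitlines()
            for kw, *addrs in [line.split() or [""]] for a in addrs if kw == "blacklist"}

def _skip_name(pkt: bytes, off: int) -> int:
    while True:                   # walk labels until the root label or a compression pointer
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0: # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def answer_addresses(pkt: bytes):
    """Yield the IPv4 addresses carried by A records in the answer section."""
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4      # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            yield IPv4Address(pkt[off:off + 4])
        off += rdlen

def filter_response(pkt: bytes, bad: set) -> bytes:
    """Rewrite a reply as NXDOMAIN (RCODE=3, no RRs, question kept) if any answer is blacklisted."""
    if not any(addr in bad for addr in answer_addresses(pkt)):
        return pkt
    flags = (struct.unpack("!H", pkt[2:4])[0] & 0xFFF0) | RCODE_NXDOMAIN
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    end_q = 12
    for _ in range(qdcount):
        end_q = _skip_name(pkt, end_q) + 4
    return pkt[:2] + struct.pack("!HHHHH", flags, qdcount, 0, 0, 0) + pkt[12:end_q]

def build_response(txid: int, name: str, addr: str) -> bytes:
    """Constructed sample reply: one question plus one A answer (name is a pointer to offset 12)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", QTYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + IPv4Address(addr).packed
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer
```

Because the filter acts on the reply, it works the same whether the hijacking server was reached directly or through a local cache; it only catches addresses the user has already identified.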