[Dshield] Re: [Full-Disclosure] Verisign abusing .COM/.NET monopoly, BIND releases new

Kenneth Porter shiva at sewingwitch.com
Wed Sep 17 10:27:44 GMT 2003

--On Tuesday, September 16, 2003 10:28 PM -0700 Brian Hatch 
<full-disclosure at ifokr.org> wrote:

> Is it always returning the same IP address, or have any other
> noticeable characteristics?  If so I'd think we could set up
> a firewall rule to drop all DNS replies that contain the
> Verisign-be-damned IP address.  That'd protect everything,
> regardless of name server or method of access (using
> host/nslookup/etc manually.)

It returns the same address *for now*, and Verisign returns a different 
address than the registrars of other TLDs (i.e. 2-letter country codes).

I believe the BIND solution will be to check for an address that matches 
the one returned for a wildcard query in the same zone (which will be 
cached). You'll need to enable this feature per-zone, so you'll want 
entries for all the country-code TLDs that do this, as well.
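The per-zone check described in the reply above, worked through as an added example. This is not code from the post, from BIND, or from any resolver; it is a stand-alone illustration of the idea: for each zone you configure, look up a random name that cannot exist, remember the address the zone's wildcard hands back, and afterwards strip that address from any answer in the zone. The resolver it consults, the host table and the addresses in it (documentation ranges) are all constructed here so the example runs offline; no real TLD wildcard address is assumed.

```python
import random
import string
from typing import Callable, Dict, Optional, Set, Tuple

# A resolver is anything that maps a name to the set of IPv4 addresses it
# answers with; an empty set stands for NXDOMAIN. Keeping it a plain
# callable lets the example run without any network access.
Resolver = Callable[[str], Set[str]]


class WildcardFilter:
    """Per-zone filter for synthesized wildcard answers.

    For every configured zone (e.g. "com", "net") the filter queries a
    random label that cannot legitimately exist, caches whatever address
    the wildcard returns, and then removes those addresses from answers
    for names under that zone. Zones that are not configured pass through
    untouched, which is why each wildcarding TLD needs its own entry.
    """

    def __init__(self, resolver: Resolver, zones, probe_len: int = 32):
        self.resolver = resolver
        self.zones = {z.lower().strip(".") for z in zones}
        self.probe_len = probe_len
        self.cache: Dict[str, Set[str]] = {}  # zone -> wildcard addresses

    def _zone_of(self, name: str) -> Optional[str]:
        """Return the longest configured zone the name falls under, or None."""
        name = name.lower().rstrip(".")
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            # The zone apex itself is not a host under the zone.
            if candidate in self.zones and candidate != name:
                return candidate
        return None

    def wildcard_addrs(self, zone: str) -> Set[str]:
        """Learn (once) what the zone's wildcard answers for a nonexistent name."""
        if zone not in self.cache:
            label = "".join(random.choice(string.ascii_lowercase)
                            for _ in range(self.probe_len))
            # An empty result here means the zone has no wildcard, so
            # nothing will ever be dropped for it.
            self.cache[zone] = set(self.resolver(f"{label}.{zone}"))
        return self.cache[zone]

    def filter(self, name: str, answer: Set[str]) -> Tuple[Set[str], Set[str]]:
        """Split an answer into (kept, dropped) addresses.

        If nothing is kept, the caller should treat the lookup as NXDOMAIN
        rather than as a host that exists with no addresses.
        """
        zone = self._zone_of(name)
        if zone is None:
            return set(answer), set()
        bogus = self.wildcard_addrs(zone)
        dropped = {a for a in answer if a in bogus}
        return set(answer) - dropped, dropped


# Constructed sample data, not real DNS. 198.51.100.0/24 and 192.0.2.0/24
# are documentation ranges; 192.0.2.1 plays the part of the wildcard's
# synthesized address for both sample zones.
_HOSTS = {"www.example.com": {"198.51.100.10"},
          "mail.example.net": {"198.51.100.20"}}
_WILDCARD = {"com": "192.0.2.1", "net": "192.0.2.1"}


def fake_resolver(name: str) -> Set[str]:
    """Stand-in resolver: real hosts, then the zone wildcard, else NXDOMAIN."""
    name = name.lower().rstrip(".")
    if name in _HOSTS:
        return set(_HOSTS[name])
    tld = name.rsplit(".", 1)[-1]
    if tld in _WILDCARD:
        return {_WILDCARD[tld]}
    return set()


def demo() -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Run the filter over a real host, a typo in .com, and a typo in .org."""
    f = WildcardFilter(fake_resolver, ["com", "net"])
    return {n: f.filter(n, fake_resolver(n))
            for n in ("www.example.com", "typo-of-example.com", "typo.org")}


if __name__ == "__main__":
    for name, (kept, dropped) in demo().items():
        print(f"{name}: kept={sorted(kept)} dropped={sorted(dropped)}")
```

Two caveats follow directly from the design. First, the filter drops by address, so a legitimate host that happens to resolve to the same address as the wildcard is dropped too; the firewall-rule approach in the quoted message has the same blind spot. Second, the probe is cached per zone, so if the zone operator changes the synthesized address the cached value goes stale until the probe is repeated; in practice you would refresh it on a timer or on the first answer that looks suspicious.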

