[Dshield] Re: Verisign abusing .COM/.NET monopoly, BIND releases new
D. Ian Miller
miller at ucalgary.ca
Wed Sep 17 22:44:18 GMT 2003
FYI ... looks like Verisign has pulled the wildcard A record as we have
not patched but invalid domain searches no longer go to verisign ...
sitefinder-idn.verisign.com is no longer responding to queries ... maybe
someone got the message ... wonder how they will explain this one ...
Jose Nazario wrote:
>a number of options exist to help you remedy this issue:
> - bind 9.2.3rc2 supports "delegation-only", stopping some
> wildcard implementations from making any difference
>if you simply want to stop traffic getting there (they are running a
>website and a partially functional MTA on that IP):
> - you can BGP null route this
> - cisco's NBAR functionality may be used to detect and block those
> reply packets from coming in by looking for the response from
> the nameservers.
>note that this won't stop the query from reaching verisign, it will just
>stop you from going to that IP. however, for some enforcing network
>privacy concerns, that may be worthwhile.
>hope this helps,
>jose nazario, ph.d. jose at monkey.org
D. Ian Miller }8-)
University of Calgary
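
Added example, not part of either message above: one way to check from your own resolver whether a TLD wildcard A record is still being served, by resolving several random names that cannot be registered and seeing whether they all come back with the same address. The function names and the injectable `resolve` parameter are assumptions made for this illustration.

```python
import secrets
import socket


def random_label(nbytes=10):
    """Random hex label; a name like this is effectively guaranteed unregistered."""
    return secrets.token_hex(nbytes)


def system_resolve(name):
    """Return the set of IPv4 addresses for name, or an empty set on any lookup failure."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # gaierror/herror (NXDOMAIN, SERVFAIL, timeout) are OSError subclasses
        return set()


def detect_wildcard(tld, resolve=system_resolve, probes=3):
    """Resolve `probes` random names under `tld` through `resolve`.

    Returns the sorted list of addresses common to every probe. An empty
    list means at least one random name got no answer (or the answers
    shared no address), so no wildcard is visible through this resolver,
    either because the registry removed it or because the resolver
    filters it (for example with BIND's delegation-only zones).
    """
    common = None
    for _ in range(probes):
        addrs = resolve(f"{random_label()}.{tld}")
        if not addrs:
            return []
        common = addrs if common is None else common & addrs
    return sorted(common)


if __name__ == "__main__":
    # Live check against the resolver this host is configured to use.
    for tld in ("com", "net"):
        hit = detect_wildcard(tld)
        print(f".{tld}: wildcard -> {hit}" if hit else f".{tld}: no wildcard seen")
```

Using several probes avoids a false positive from a single random name that happens to resolve, and comparing addresses across probes distinguishes a wildcard from unrelated answers.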