[Dshield] Re: Verisign abusing .COM/.NET monopoly, BIND releases new

D. Ian Miller miller at ucalgary.ca
Wed Sep 17 22:44:18 GMT 2003


FYI ... looks like Verisign has pulled the wildcard A record as we have 
not patched but invalid domain searches no longer go to verisign ... 
sitefinder-idn.verisign.com is no longer responding to queries ... maybe 
someone got the message ... wonder how they will explain this one ...

Jose Nazario wrote:

>a number of options exist to help you remedy this issue:
>
>	- bind 9.2.3rc2 supports "delegation-only", stopping some
>	  wildcard implementations from making any difference
>
>if you simply want to stop traffic getting there (they are running a
>website and a partially functional MTA on that IP):
>
>	- you can BGP null route this
>	  http://www.merit.edu/mail.archives/nanog/msg13715.html
>
>	- cisco's NBAR functionality may be used to detect and block those
>	  reply packets from coming in by looking for the response from
>	  the nameservers.
>http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e2/nbar2e.htm
>
>note that this wont stop the query from reaching verisign, it will just
>stop you from going to that IP. however, for some enforcing network
>privacy concerns, that may be worthwhile.
>
>hope this helps,
>
>___________________________
>jose nazario, ph.d.			jose at monkey.org
>					http://monkey.org/~jose/
>
>  
>

-- 
=======================================
D. Ian Miller                      }8-)
Systems Analyst
Information Technologies
University of Calgary
W: 403.220.8643
M: 403.605.9856






More information about the list mailing list