Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Re: Verisign abusing .COM/.NET monopoly, BIND releases new

From: Ron DuFresne <dufresne () winternet com>
Date: Wed, 17 Sep 2003 20:09:09 -0500 (CDT)

either your queries were messed, or this has not fully repropogated;

# date
Wed Sep 17 21:06:12 EDT 2003


# dig doesnptexisteither.com|more

; <<>> DiG 8.1 <<>> doesnptexisteither.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUERY SECTION:
;;      doesnptexisteither.com, type = A, class = IN

;; ANSWER SECTION:
doesnptexisteither.com.  14m52s IN A  64.94.110.11

;; AUTHORITY SECTION:
com.                    1d23h59m52s IN NS  f.gtld-servers.net.
com.                    1d23h59m52s IN NS  g.gtld-servers.net.
com.                    1d23h59m52s IN NS  h.gtld-servers.net.
com.                    1d23h59m52s IN NS  i.gtld-servers.net.
com.                    1d23h59m52s IN NS  j.gtld-servers.net.
com.                    1d23h59m52s IN NS  k.gtld-servers.net.
com.                    1d23h59m52s IN NS  l.gtld-servers.net.
com.                    1d23h59m52s IN NS  m.gtld-servers.net.
com.                    1d23h59m52s IN NS  a.gtld-servers.net.
com.                    1d23h59m52s IN NS  b.gtld-servers.net.
...

Thanks,

Ron DuFresne


On Wed, 17 Sep 2003, D. Ian Miller wrote:


FYI ... looks like Verisign has pulled the wildcard A record as we have
not patched but invalid domain searches no longer go to verisign ...
sitefinder-idn.verisign.com is no longer responding to queries ... maybe
someone got the message ... wonder how they will explain this one ...

Jose Nazario wrote:


a number of options exist to help you remedy this issue:

    - bind 9.2.3rc2 supports "delegation-only", stopping some
      wildcard implementations from making any difference

if you simply want to stop traffic getting there (they are running a
website and a partially functional MTA on that IP):

    - you can BGP null route this
      http://www.merit.edu/mail.archives/nanog/msg13715.html

    - cisco's NBAR functionality may be used to detect and block those
      reply packets from coming in by looking for the response from
      the nameservers.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e2/nbar2e.htm

note that this wont stop the query from reaching verisign, it will just
stop you from going to that IP. however, for some enforcing network
privacy concerns, that may be worthwhile.

hope this helps,

___________________________
jose nazario, ph.d.                  jose () monkey org
                                    http://monkey.org/~jose/





--
=======================================
D. Ian Miller                      }8-)
Systems Analyst
Information Technologies
University of Calgary
W: 403.220.8643
M: 403.605.9856



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: