At 05:39 PM 10/15/2003 +0200, Adrian Wiesmann wrote:
>This blocking talk actually brings me to something else: Would it be easy
>(and a need) to do some DNS Injection on m0n0wall by default for all
>Verisign Wildcard answers?
>
>I think about an option which can be enabled/disabled which listens for
>all DNS traffic and removes/overwrites/replaces answers for Verisign's
>wildcard search page.

There is a cleaner solution, already implemented by the Internet Software Consortium (ISC), who maintain the Berkeley Internet Name Daemon (BIND), also known as /usr/sbin/named in the FreeBSD world.

They added a new declaration for a nameserver, which makes it a delegate only. That is, they don't accept A records from such a server, only referrals. Update your named to BIND-9 (in the ports collection) and you're covered.

Check http://www.isc.org/products/BIND/delegation-only.html

-crl

--
Chad R. Larson (CRL22) chad at eldocomp dot com
Eldorado Computing, Inc. 602-604-3100
5353 North 16th Street, Suite 400
Phoenix, Arizona 85016-3228

-- CONFIDENTIALITY NOTICE --
This message is intended for the sole use of the individual and entity to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended addressee, nor authorized to receive for the intended addressee, you are hereby notified that you may not use, copy, disclose or distribute to anyone the message or any information contained in the message. If you have received this message in error, please immediately advise the sender by reply email, and delete the message. Thank you.
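The delegation-only rule described in the reply above, as an added example that is not part of the original message and is not BIND's code: a simplified Python model that accepts a response for a name under a delegation-only zone only when the authority section carries a referral to a child zone, and otherwise treats it as NXDOMAIN. The `Response` class, the function names and all sample records are constructed for illustration.

```python
# Simplified model of a delegation-only check (added example, not BIND source).
# In named.conf the BIND 9 declaration is:  zone "com" { type delegation-only; };
from dataclasses import dataclass, field

@dataclass
class Response:
    """Constructed stand-in for a DNS response; records are (owner, type, data)."""
    qname: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)

def norm(name):
    return name.rstrip(".").lower()

def is_below(name, zone):
    """True if name is strictly inside zone (the apex itself is excluded)."""
    return norm(name).endswith("." + norm(zone))

def has_delegation(resp, zone):
    """True if the authority section holds an NS record owned by a child of zone."""
    return any(rtype == "NS" and is_below(owner, zone)
               for owner, rtype, _ in resp.authority)

def filter_response(resp, delegation_only_zones):
    """Return 'ACCEPT' or 'NXDOMAIN' for a response about resp.qname."""
    for zone in delegation_only_zones:
        if is_below(resp.qname, zone) and not has_delegation(resp, zone):
            return "NXDOMAIN"  # the zone answered directly instead of referring
    return "ACCEPT"

ZONES = ["com", "net"]

# Constructed sample responses (192.0.2.0/24 is a documentation address range).
REFERRAL = Response("www.example.com",
                    authority=[("example.com", "NS", "ns1.example.com")])
# Wildcard-style answer: an A record straight from the TLD; the NS set in the
# authority section belongs to the apex "com", so it is not a delegation.
WILDCARD = Response("no-such-name-xyz.com",
                    answer=[("no-such-name-xyz.com", "A", "192.0.2.10")],
                    authority=[("com", "NS", "a.gtld-servers.net")])
APEX = Response("com", answer=[("com", "SOA", "a.gtld-servers.net")])
OTHER = Response("www.example.org",
                 answer=[("www.example.org", "A", "192.0.2.20")])

if __name__ == "__main__":
    for r in (REFERRAL, WILDCARD, APEX, OTHER):
        print(r.qname, "->", filter_response(r, ZONES))
```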