 From:  "Chad R. Larson" <clarson at eldocomp dot com>
 To:  "awiesmann at swordlord dot org" <awiesmann at swordlord dot org>, "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Block Verisign Wildcard? Was: Re: suggestions on blocking messenger
 Date:  Wed, 15 Oct 2003 13:50:13 -0700
At 05:39 PM 10/15/2003 +0200, Adrian Wiesmann wrote:
>This blocking talk actually brings me to something else: Would it be easy 
>(and a need) to do some DNS Injection on m0n0wall by default for all 
>Verisign Wildcard answers?
>I think about an option which can be enabled/disabled which listens for 
>all DNS traffic and removes/overwrites/replaces answers for Verisign's 
>wildcard search page.

There is a cleaner solution, already implemented by the Internet Software 
Consortium (ISC) who maintain the Berkeley Internet Name Daemon (BIND), 
also known as /usr/sbin/named in the FreeBSD world.

They added a new declaration for a nameserver, which makes it a delegate 
only.  That is, they don't accept A records from such a server, only referrals.

Update your named to BIND-9 (in the ports collection) and you're covered.

Check http://www.isc.org/products/BIND/delegation-only.html

Chad R. Larson (CRL22)    chad at eldocomp dot com
Computing, Inc.   602-604-3100
      5353 North 16th Street, Suite 
        Phoenix, Arizona   85016-3228

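The delegation-only rule Chad describes, modelled as an added example (not code from the post or from BIND itself): the policed zone list, the record layout and the sample replies are constructed for illustration, and the function assumes the replies came from the servers of the zone being policed.

```python
# Added example, not from the list post: a model of BIND's delegation-only
# check. The zones below are expected to return only referrals for names
# under their apex; a positive answer from them (such as a wildcard A record
# for a name that does not exist) is rewritten to NXDOMAIN. The record
# layout is constructed for this example, not BIND's own representation.

DELEGATION_ONLY = ("com", "net")    # zones the operator marks delegation-only

def _in_zone(name, zone):
    """True if name is zone itself or any name below it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def _is_referral(response, zone):
    """A referral has an empty answer section and NS records for a name
    below the zone apex in the authority section."""
    return not response["answer"] and any(
        rr["type"] == "NS" and _in_zone(rr["name"], zone)
        and rr["name"].rstrip(".").lower() != zone
        for rr in response["authority"])

def apply_delegation_only(response):
    """Return what a delegation-only resolver hands back for a response
    received from the authoritative servers of a delegation-only zone."""
    qname = response["qname"].rstrip(".").lower()
    zones = [z for z in DELEGATION_ONLY if _in_zone(qname, z)]
    if not zones:
        return response                 # zone not policed: pass through
    zone = max(zones, key=len)          # closest enclosing policed zone
    if qname == zone:
        return response                 # the apex's own SOA/NS are fine
    if response["rcode"] == "NXDOMAIN" or _is_referral(response, zone):
        return response                 # referral or honest negative answer
    # Positive data below the apex came from the TLD server instead of a
    # delegation, i.e. a wildcard synthesis: rewrite it to NXDOMAIN.
    return dict(response, rcode="NXDOMAIN", answer=[], authority=[])

# Constructed replies as a com server might return them; 192.0.2.1 is a
# documentation address standing in for the wildcard search-page host.
WILDCARD_REPLY = {"qname": "no-such-name-xyz.com.", "rcode": "NOERROR",
    "answer": [{"name": "no-such-name-xyz.com.", "type": "A", "data": "192.0.2.1"}],
    "authority": []}
REFERRAL_REPLY = {"qname": "www.example.com.", "rcode": "NOERROR", "answer": [],
    "authority": [{"name": "example.com.", "type": "NS", "data": "ns1.example.net."}]}

if __name__ == "__main__":
    print(apply_delegation_only(WILDCARD_REPLY)["rcode"])   # NXDOMAIN
    print(apply_delegation_only(REFERRAL_REPLY)["rcode"])   # NOERROR
```

In BIND 9.2.3 and later the same policy is switched on in named.conf with `zone "com" { type delegation-only; };` (one such declaration per policed TLD).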