Blocking Verisign's new wildcard DNS record

Erik Hensema erik at hensema.net
Tue Sep 16 13:08:30 UTC 2003


[don't know if this is an open list, let's try anyway]

In comp.protocols.dns.bind, you wrote:
> Verisign is now returning a wildcard record for any unregistered .net
> domain, with .com soon to follow.  This is to redirect all such requests to
> their own search site.
>
> Now, the IP they are returning currently is 64.94.110.11. It just occurred
> to me, is it possible to configure bind such that any lookup that returns
> that IP returns Host not found  instead ?
>
> If Verisign is determined to break DNS, perhaps we can break it back ?

They're not breaking DNS. They're breaking about everything else though:

- anti-spam measures in MTAs -- they often check for the existence of
  sender domains

- DNS blacklists used to block spam: the dorkslayers.com DNSBL today has
  been dropped from DNS -- except that it isn't. Correct clients will check
  if addresses resolve to 127.0.0.x, but some may not.

- the internet is more than just web and email. Applications won't give
  meaningful error messages anymore, but just 'connection timed out', or a
  similar message. That's right, connection attempts to other ports than 25
  and 80 are dropped by 64.94.110.11.

- when using a misspelled MX record for a domain, the risk of getting
  bounces is now far higher

- this wildcard record causes caches to grow (? I think -- don't know about
  negative caching).

So getting rid of this wildcard record is IMHO critical. Either by Verisign
getting some clue, or by patching our DNS servers.

Actually I prefer both. Even if Verisign gets some sanity back and they
remove the wildcard record tomorrow, we still risk having similar
wildcard records in other TLDs.

Therefore I'd very much like to see a patch for bind (8/9) which enables
the administrator to send an error to the clients instead of an A record
for a given list of IPs. Unfortunately I'm not capable of coding such a
patch without substantial studying of the bind source code :-/

Proposed entry in named.conf:

options {
        bogus-wildcards { 64.94.110.11; };
        bogus-wildcard-response "nxdomain";
};

Quick & dirty hacks also accepted for now ;-)
--
Erik Hensema (erik at hensema.net)
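What the proposed bogus-wildcards option would have to do on the wire, as an added example that is not part of the original post and not BIND code: a small resolver-side filter that parses a DNS response, looks for A records whose address is on a blocklist, and rewrites the message into an NXDOMAIN reply (RCODE 3, answer section emptied, question section kept). The blocklist name BOGUS_WILDCARD_IPS, the function names and the sample response are assumptions constructed for this example; the only value taken from the post is the address 64.94.110.11.

```python
import struct
import ipaddress

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NXDOMAIN = 3
HEADER_LEN = 12

# Hypothetical blocklist, in the spirit of the proposed "bogus-wildcards" option.
BOGUS_WILDCARD_IPS = {"64.94.110.11"}


def encode_name(name):
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off, max_hops=16):
    """Decode a possibly-compressed name at msg[off]; return (name, offset after the field)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # RFC 1035 compression pointer
            hops += 1
            if hops > max_hops:              # guard against a crafted pointer loop
                raise ValueError("compression pointer loop")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if end is None:
                end = off + 2                # the name field ends after the first pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Parse header, question and answer sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = HEADER_LEN
    questions = []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((qname, qtype, qclass))
    question_end = off
    answers = []
    for _ in range(an):
        rname, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        answers.append((rname, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "rcode": flags & 0xF,
            "questions": questions, "answers": answers,
            "question_end": question_end}


def a_record_addresses(parsed):
    """Dotted-quad strings of every A record in the answer section."""
    return [str(ipaddress.IPv4Address(rdata))
            for _, rtype, _, rdata in parsed["answers"]
            if rtype == QTYPE_A and len(rdata) == 4]


def rewrite_to_nxdomain(msg, question_end):
    """Keep id, QR/opcode/RD/RA and the question; clear AA and TC; set RCODE=3; drop all RRs."""
    txid, flags, qd = struct.unpack_from("!HHH", msg, 0)
    flags = (flags & 0xF9F0) | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0)
    return header + msg[HEADER_LEN:question_end]


def filter_bogus_wildcard(msg, bogus_ips=BOGUS_WILDCARD_IPS):
    """Return msg unchanged, or an NXDOMAIN rewrite if any A answer is on the blocklist."""
    parsed = parse_response(msg)
    if any(addr in bogus_ips for addr in a_record_addresses(parsed)):
        return rewrite_to_nxdomain(msg, parsed["question_end"])
    return msg


def build_a_response(txid, qname, addr, ttl=900):
    """Constructed sample response (not a capture): one question, one A answer."""
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = (b"\xC0\x0C"                                    # pointer to the question name
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(addr).packed)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; RCODE 0
    return header + question + answer


if __name__ == "__main__":
    # typo-example.net is a made-up name standing in for an unregistered .net domain
    wildcard_reply = build_a_response(0x1234, "typo-example.net", "64.94.110.11")
    before = parse_response(wildcard_reply)
    after = parse_response(filter_bogus_wildcard(wildcard_reply))
    print("before: rcode", before["rcode"], a_record_addresses(before))
    print("after:  rcode", after["rcode"], a_record_addresses(after))
```

Two caveats a practitioner would want: the rewritten reply carries no SOA in its authority section, so downstream resolvers will not negatively cache it under RFC 2308 and every lookup is filtered again; and the filter only inspects A records, so MX or other types pointing into the wildcard would need their own rules. Later BIND versions (9.8 and up) provide this natively through response policy zones, where an rpz-ip trigger matching the answer address can rewrite the response to NXDOMAIN, which is the supported way to do what the post asks for.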
