[62148] in North American Network Operators' Group


Re: Verisign Countermeasures - BIND and djbdns patches

daemon@ATHENA.MIT.EDU (bert hubert)
Tue Sep 16 13:01:34 2003

Date: Tue, 16 Sep 2003 18:59:47 +0200
From: bert hubert <ahu@ds9a.nl>
To: Adam Langley <agl@imperialviolet.org>
Cc: nanog@merit.edu
In-Reply-To: <20030916150407.GF32245@linuxpower.org>
Errors-To: owner-nanog-outgoing@merit.edu


On Tue, Sep 16, 2003 at 04:04:07PM +0100, Adam Langley wrote:
> 
> On Tue, Sep 16, 2003 at 04:03:08PM +0100, Adam Langley wrote:
> I'm collecting countermeasures to the verisign wildcard DNS records
> at http://www.imperialviolet.org/dnsfix.html. Currently there are
> patches for BIND 9.2.2 and djbdns (not authored by myself) and a
> Linux userland/netfilter program that rewrites DNS packets (which is).

Very early patch for pdns_recursor (GPL & everything) below. I'll work up
something more permanent, perhaps tonight.

Index: syncres.cc
===================================================================
RCS file: /var/cvsroot/pdns/pdns/syncres.cc,v
retrieving revision 1.22
diff -u -B -b -r1.22 syncres.cc
--- syncres.cc	16 Sep 2003 10:52:12 -0000	1.22
+++ syncres.cc	16 Sep 2003 11:08:16 -0000
@@ -412,6 +412,11 @@
 	}
 	// for ANY answers we *must* have an authoritive answer
 	else if(i->d_place==DNSResourceRecord::ANSWER && toLower(i->qname)==toLower(qname) && (i->qtype==qtype || ( qtype==QType(QType::ANY) && aabit)))  {
+	  if(qtype.getCode()==QType::A && i->content=="64.94.110.11") {
+	    done=false;
+	    d_lwr.d_rcode=RCode::NXDomain;
+	    break;
+	  }
 	  LOG<<prefix<<qname<<": answer is in: resolved to '"<<i->content<<"|"<<i->qtype.getName()<<"'"<<endl;
 	  done=true;
 	  ret.push_back(*i);
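Review bot: the `break` at line 43 exits the loop after setting `d_lwr.d_rcode=RCode::NXDomain`, but any records already appended to `ret` in earlier iterations are left in place, so the caller can receive an NXDOMAIN rcode together with a partially filled answer set; clearing `ret` before the `break` (or returning early) would make the two consistent. The check is also scoped to `qtype.getCode()==QType::A`, while the enclosing condition admits `qtype==QType(QType::ANY) && aabit`, so an ANY query that carries the same A record in its answer section is not rewritten. Finally, the literal `"64.94.110.11"` is compared inline against `i->content`; hoisting it into a named constant or a configurable list of sinkhole addresses, and matching on the parsed address rather than the string form, would make the countermeasure easier to update when the wildcard target changes and would document why that address is special.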
-- 
http://www.PowerDNS.com      Open source, database driven DNS Software 
http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO