When Verisign hijacked the wildcard DNS space for .com/.net, they encoded the Evil Bit in the response by putting Sitefinder's IP address as the IP address. In theory you could interpret that as damage and route around it, or at least build ACLs to block any traffic to that IP address except for TCP/80 and TCP/UDP/53. But if random ISPs are going to do that at random locations in their IP address space, and possibly serve their advertising from servers that also have useful information, it's really difficult to block.

Does anybody know _which_ protocols Verizon's web-hijacker servers are supporting? Do they at least reject ports 443, 22, 23, etc.?

In contrast, Microsoft's IE browser responds to DNS no-domain responses by pointing to a search engine, and I think the last time I used IE it let you pick your own search engine or turn it off if you didn't like MS's default. That's reasonable behaviour for an application, though it's a bit obsequious for my taste.
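
An added example, not part of the original post: when the redirect address is not one fixed, known IP, a resolver's synthesized address can be learned by looking up random names that cannot exist, and answers can then be filtered on it. This goes beyond the post by probing for the address; the function names, the zone data and the documentation-range addresses are constructed, and the last check shows the collateral damage the post describes when a useful name shares the ad server's IP.

```python
import secrets
from collections import Counter

def probe_names(count, tld="com"):
    """Random 24-hex-character labels: names that should never resolve."""
    return [f"{secrets.token_hex(12)}.{tld}" for _ in range(count)]

def find_synthesized_addresses(resolve, probes, min_hits=2):
    """resolve(name) returns a list of A-record strings, [] for NXDOMAIN.
    Any address returned for at least min_hits nonexistent names is
    being synthesized by the resolver instead of a no-domain response."""
    hits = Counter()
    for name in probes:
        for addr in set(resolve(name)):
            hits[addr] += 1
    return {addr for addr, n in hits.items() if n >= min_hits}

def filter_answer(addresses, synthesized):
    """Turn an answer that consists only of synthesized addresses back
    into NXDOMAIN (an empty list); pass every other answer through."""
    if addresses and all(a in synthesized for a in addresses):
        return []
    return list(addresses)

# Constructed sample data. In real use, resolve() would wrap an actual lookup
# against the resolver under test.
HIJACK_IP = "192.0.2.10"
ZONE = {
    "www.example.com": ["198.51.100.7"],
    # A useful name hosted on the same server that serves the ads.
    "portal.isp.example": [HIJACK_IP],
}

def honest_resolver(name):
    return ZONE.get(name, [])           # NXDOMAIN stays NXDOMAIN

def hijacking_resolver(name):
    return ZONE.get(name, [HIJACK_IP])  # NXDOMAIN rewritten to the ad server

if __name__ == "__main__":
    probes = probe_names(5)
    synthesized = find_synthesized_addresses(hijacking_resolver, probes)
    print("synthesized addresses:", synthesized)
    for name in ("no-such-host.example.com", "www.example.com", "portal.isp.example"):
        print(name, "->", filter_answer(hijacking_resolver(name), synthesized))
```
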