On 12-07-07 10:13 PM, Jason Duerstock wrote:
As an intellectual exercise, I think this is interesting and worth the effort. As an actual implementation, I think it's more effective to block DNS traffic to the affected subnets. Let the breakage occur, and then let the end users get their broken machines fixed rather than let them continue hobbling along with this hack in place.
Jason

Agreed, fixing the problem > patching the problem.
Some other ideas -

* Assuming you're running the nameserver under Linux, an iptables rule would remove the need to have all the IP addresses added (iptables -I PREROUTING -t nat -d $badblock/24 -s 0.0.0.0/0 -j DNAT --to your.local.ip.address)
* bind should by default accept connections on all interfaces if you don't tell it to bind to anything, unless behaviour has changed in versions more recent than my last bind experience
* Having whatever nameserver you use return a single IP address for everything you request, which points you to a single web page that explains how to fix the problem, can be good
* That single IP address can also run a POP3/IMAP server that accepts any username/password and dumps the user into a read-only mailbox with a single message saying "fix your infected PC"
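The "return a single IP address for everything you request" suggestion above, as an added example that is not code from anyone in this thread: a dependency-free sinkhole responder that parses DNS wire format and answers every A/IN query with one fixed address, so clients whose resolver settings have been redirected to it land on a remediation page instead of silently failing. The address 192.0.2.10 (from the RFC 5737 documentation range), the 60-second TTL and the query names are constructed values; the UDP serve loop is only run when the file is executed directly.

```python
"""Sinkhole DNS responder: every A/IN query gets one fixed "fix your PC" address.

Added example, not from the mailing-list thread. PORTAL_IP is a constructed
value from the RFC 5737 documentation range.
"""
import socket
import struct

PORTAL_IP = "192.0.2.10"  # constructed: address of the remediation web page


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: \\x03www\\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset (handles 0xC0 compression pointers).
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer: follow it once for 'end'
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a standard recursive-desired query (used here to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def sinkhole_response(query: bytes, answer_ip: str = PORTAL_IP, ttl: int = 60) -> bytes:
    """Answer any single-question query; A/IN gets answer_ip, anything else NOERROR/empty."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    # QR=1, AA=1 (we claim authority for every name), copy RD, set RA
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + question
    answer = (b"\xC0\x0C"  # pointer to the name in the question section (offset 12)
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + socket.inet_aton(answer_ip))
    return struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0) + question + answer


def parse_a_answers(msg: bytes):
    """Return (txid, qname, [A-record IPs]) as a resolver client would see them."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return txid, qname, ips


def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Blocking UDP loop; malformed packets are dropped rather than answered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(sinkhole_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass


if __name__ == "__main__":
    serve()
```

Pairing this with the iptables DNAT rule from the list means only traffic addressed to the rogue resolver block reaches the sinkhole, so healthy hosts are unaffected and every hit in the sinkhole's logs is a machine still pointed at the bad nameservers.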