Verisign Countermeasures - BIND and djbdns patches
On Tue, Sep 16, 2003 at 04:03:08PM +0100, Adam Langley wrote:

I'm collecting countermeasures to the verisign wildcard DNS records at http://www.imperialviolet.org/dnsfix.html. Currently there are patches for BIND 9.2.2 and djbdns (not authored by myself) and a Linux userland/netfilter program that rewrites DNS packets (which is). If anyone has other patches/countermeasures I'm happy to maintain a list of links at the above URL.

-- 
Adam Langley agl@imperialviolet.org
http://www.imperialviolet.org (+44) (0)7906 332512
PGP: 9113 256A CC0F 71A6 4C84 5087 CDA5 52DF 2CB6 3D60
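The packet-rewriting countermeasure Adam describes, as an added example that is not his netfilter program and not any of the patches linked from the thread: a resolver-side filter that parses a DNS response, looks for an A record in the answer section equal to the wildcard sinkhole address (64.94.110.11, the value quoted in the pdns_recursor patch later in this thread), and rewrites such a response into an NXDOMAIN answer carrying only the original question. Function names, the constructed sample packets and the compression-aware name decoder are all assumptions of this example.

```python
import struct
import ipaddress

# Added example; the only value taken from the thread is the sinkhole address that
# every nonexistent .com/.net name resolved to under the Verisign wildcard.
SITEFINDER_A = "64.94.110.11"
RCODE_NXDOMAIN = 3
TYPE_A, CLASS_IN = 1, 1


def _read_name(pkt, off):
    """Decode the DNS name at pkt[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it appears at off)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (2 bytes)
            if end is None:
                end = off + 2
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def _parse(pkt):
    """Parse header, question and answer sections; authority/additional are ignored."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4                                       # QTYPE + QCLASS
    q_end = off
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, pkt[off:off + rdlen]))
        off += rdlen
    return (ident, flags, qd, an, ns, ar), q_end, answers


def sitefinder_answers(pkt):
    """Owner names in the answer section whose IN A record is the sinkhole address."""
    _, _, answers = _parse(pkt)
    return [name for name, rtype, rclass, _, rdata in answers
            if rtype == TYPE_A and rclass == CLASS_IN and len(rdata) == 4
            and str(ipaddress.IPv4Address(rdata)) == SITEFINDER_A]


def rewrite_to_nxdomain(pkt):
    """Return pkt unchanged unless it carries the sinkhole A record; in that case return
    a response with RCODE=NXDOMAIN, the original question and no resource records."""
    if not sitefinder_answers(pkt):
        return pkt
    (ident, flags, qd, _, _, _), q_end, _ = _parse(pkt)
    flags = (flags & ~0x000F) | RCODE_NXDOMAIN         # keep QR/AA/RD/RA bits, replace RCODE
    return struct.pack("!6H", ident, flags, qd, 0, 0, 0) + pkt[12:q_end]


def build_a_response(qname, ip, ident=0x1234, ttl=900):
    """Construct a minimal A response with one answer whose owner name is a pointer to the question."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    question = labels + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = ipaddress.IPv4Address(ip).packed
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0) + question + answer


def rcode(pkt):
    """RCODE field of a DNS header (low 4 bits of the flags word)."""
    return struct.unpack("!H", pkt[2:4])[0] & 0x000F


if __name__ == "__main__":
    bad = build_a_response("no-such-name-example.com", SITEFINDER_A)   # constructed input
    good = build_a_response("example.com", "192.0.2.10")                # constructed input
    print("sinkhole hit:", sitefinder_answers(bad), "-> rcode", rcode(rewrite_to_nxdomain(bad)))
    print("normal answer untouched:", rewrite_to_nxdomain(good) == good)
```

The rewrite keeps the transaction ID and question section so a stub resolver matches the reply to its query, and truncates after the question so no cached wildcard record survives; matching on the decoded address rather than a substring of the packet avoids false hits on unrelated RR types that happen to contain the same four bytes.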
On Tue, 16 Sep 2003, Adam Langley wrote:
On Tue, Sep 16, 2003 at 04:03:08PM +0100, Adam Langley wrote: I'm collecting countermeasures to the verisign wildcard DNS records at http://www.imperialviolet.org/dnsfix.html. Currently there are patches for BIND 9.2.2 and djbdns (not authored by myself) and a
Patch for Bind 8.4.1 - http://achurch.org/bind-verisign-patch.html

Quick and dirty.

==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
On Tue, Sep 16, 2003 at 04:04:07PM +0100, Adam Langley wrote:
On Tue, Sep 16, 2003 at 04:03:08PM +0100, Adam Langley wrote: I'm collecting countermeasures to the verisign wildcard DNS records at http://www.imperialviolet.org/dnsfix.html. Currently there are patches for BIND 9.2.2 and djbdns (not authored by myself) and a Linux userland/netfilter program that rewrites DNS packets (which is).
Very early patch for pdns_recursor (GPL & everything) below. I'll work up something more permanent, perhaps tonight.

Index: syncres.cc =================================================================== RCS file: /var/cvsroot/pdns/pdns/syncres.cc,v retrieving revision 1.22 diff -u -B -b -r1.22 syncres.cc --- syncres.cc 16 Sep 2003 10:52:12 -0000 1.22 +++ syncres.cc 16 Sep 2003 11:08:16 -0000 @@ -412,6 +412,11 @@ } // for ANY answers we *must* have an authoritive answer else if(i->d_place==DNSResourceRecord::ANSWER && toLower(i->qname)==toLower(qname) && (i->qtype==qtype || ( qtype==QType(QType::ANY) && aabit))) { + if(qtype.getCode()==QType::A && i->content=="64.94.110.11") { + done=false; + d_lwr.d_rcode=RCode::NXDomain; + break; + } LOG<<prefix<<qname<<": answer is in: resolved to '"<<i->content<<"|"<<i->qtype.getName()<<"'"<<endl; done=true; ret.push_back(*i);

-- 
http://www.PowerDNS.com Open source, database driven DNS Software
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
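Review bot: the `break` in the added block leaves the answer records that earlier loop iterations already appended to `ret` in place while `d_lwr.d_rcode` becomes NXDomain, so a response that lists another record before the sinkhole A record is returned half-rewritten; clear `ret` before breaking (or do the check before the loop). The sinkhole address is also a hard-coded string literal (`i->content=="64.94.110.11"`) compared by exact text; a configurable address list compared as parsed addresses would survive a change of the wildcard target and avoid formatting mismatches. Finally, the guard only fires for `qtype.getCode()==QType::A`, so an ANY query that passes the surrounding `qtype==QType(QType::ANY) && aabit` branch still returns the wildcard A record unfiltered; consider testing `i->qtype` rather than the query type, and add a `LOG` line alongside the existing one so rewritten answers are visible in the resolver log.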
participants (3): Adam Langley, bert hubert, Christopher X. Candreva