Slashdot Mirror


Blocking SiteFinder Service

apankrat writes "Given VeriSign's position on wildcard redirection service, it looks like it's time for a simplier and more efficient ways of bringing things back to where they were. For those running BIND there is a patch; for those on the client side - there is a dnsfix for Windows and the usual iptables hackery under Linux. Aware of any other clean and easy ways to block wildcarding ? Post below."


  1. dnsmasq has a fix by hummassa · · Score: 4, Informative

    here.
    version 1.16 is ok.
    others have fixes, too, you can find them in this place.

    hope I have helped,

    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
  2. I agree! by orthogonal · · Score: 2, Funny

    it looks like it's time for a simplier and more efficient ways

    And it looks like it's time for a simplier and more efficient way to spell-check submitted articles.

  3. As just one customer... by lightspawn · · Score: 2, Informative

    how do I go about explaining to my ISP that this needs to be blocked?

    1. Re:As just one customer... by CptChipJew · · Score: 2, Funny

      Call customer service. I'm sure they can direct you to a feedback voice mailbox that they'll never listen to ;)

      --
      Vonal Declosion
  4. This is working for me in my Firewall by southern · · Score: 3, Informative

    I added this to my FORWARD rule on the Firewall:

    iptables -A blocked_sites -p TCP -d 64.94.110.11 -j REJECT --reject-with icmp-host-unreachable

    Will be doing the DNS patch soon. But this works for now.

    --
    Chris Southern
  5. Block it? by MarkusQ · · Score: 2, Funny
    Block it? I'm looking for clever ways to jape it! I mean, it seems reasonable to assume they will be mining the data at some point...

    -- MarkusQ

  6. or just add a line to etc hosts by coyote4til7 · · Score: 4, Informative

    The way I've dealt with it under both XP & OS X is to modify etc/hosts.

    Under OS X, Solaris, Linux, etc., it's "/etc/hosts". Under Windows XP, it's "C:\Windows\system32\drivers\etc\hosts"

    In either case, add this to the end of the file:
    0.0.0.0 sitefinder.verisign.com

    Wah-lah!

    --

    the clock on the wall says 4 til 7
  7. do NOT blackhole/block 64.94.110.11! by graf0z · · Score: 5, Informative
    ... because then mails to mistyped domains will end up waiting in MTA-queues instead of being bounced immediately (some other protocols may have weird behaviour, too). Instead:
    • Read this and this before you panic
    • ask your ISP for patching bind (or whatever ns-software they use)
    • install a patched bind (djbdns, ...) locally as a caching dns
    • if you have no chance of using a patched nameserver (why that?), you may reject (not: drop) 64.94.110.11:80/tcp only and install one of those patches to your MTA (postfix, sendmail, ...)
    • if you are customer of verisign, ask them for suspending their new "service"
    /graf0z.
  8. mail rejector switched to postfix by graf0z · · Score: 2, Informative

    Verisign switched from their buggy, not SMTP-compliant mailrejector "Snubby Mail Rejector Daemon v1.3" on 64.94.110.11 towards postfix (according to the banner)?

    $ telnet oauwnxtrgqoiezrfgnxocrzq.net 25
    Trying 64.94.110.11...
    Connected to oauwnxtrgqoiezrfgnxocrzq.net.
    Escape character is '^]'.
    220 sitefinder.verisign.com VeriSign mail rejector (Postfix)

    At least, they are now able to bounce properly ...

    /graf0z.

  9. Re:Evil, evil, evil by graf0z · · Score: 4, Insightful
    The only concern I have with ISC's fix to BIND is that they just filter for that one IP address (64.94.110.11)... all Verisign has to do is change the IP in their wildcard A-record and we'll be back to square one.

    wrong

    You are talking about one of those on-the-fly patches released by some pissed-off admin on the same day. The ISC-patch allows you to say "the following zones are only allowed to have delegations" (like NS-records), all other data (like A-records) are ignored. That's exactly the behaviour you expect from a TLD.

    Of course verisign could get around that (by putting a wildcard NS-record into their TLDs), but that would be really offensive. Let's see if they will go that far ...

    /graf0z.
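Added example (not part of the comment above, and not ISC's or any patch author's code): a simplified Python model contrasting the one-address filter with the delegation-only behaviour the comment describes. The `Response` type, the function names, the 192.0.2.1 address and all records are constructed assumptions for illustration.

```python
# Simplified model of two resolver-side filters; not BIND or dnscache code.
# All records below are constructed sample data, not captured traffic.
from dataclasses import dataclass

NXDOMAIN = "NXDOMAIN"

@dataclass(frozen=True)
class Response:
    zone: str          # zone whose servers answered, e.g. "net"
    answer: tuple      # (owner, rtype, rdata) records in the answer section
    authority: tuple   # (owner, rtype, rdata) records in the authority section

def ip_filter(resp, blocked_ips):
    """One-address approach: an answer holding a listed IP becomes NXDOMAIN."""
    for _, rtype, rdata in resp.answer:
        if rtype == "A" and rdata in blocked_ips:
            return NXDOMAIN
    return resp

def is_delegation(resp):
    """True if the authority section hands a name below the zone to NS hosts."""
    suffix = "." + resp.zone
    return any(rtype == "NS" and owner.endswith(suffix)
               for owner, rtype, _ in resp.authority)

def delegation_only_filter(resp, delegation_only_zones):
    """Listed zones may only return referrals; anything else becomes NXDOMAIN."""
    if resp.zone in delegation_only_zones and not is_delegation(resp):
        return NXDOMAIN
    return resp

# Constructed responses from the "net" servers.
REFERRAL = Response("net", (), (("example.net", "NS", "ns1.example.net"),))
WILDCARD = Response("net", (("oauwnxtrgqoiezrfgnxocrzq.net", "A", "64.94.110.11"),), ())
# Same wildcard after a hypothetical address change (192.0.2.1 is a documentation IP).
MOVED = Response("net", (("oauwnxtrgqoiezrfgnxocrzq.net", "A", "192.0.2.1"),), ())
# The workaround the comment anticipates: a wildcard NS record looks like a referral.
WILDCARD_NS = Response("net", (), (("oauwnxtrgqoiezrfgnxocrzq.net", "NS", "ns.wildcard.example"),))

def compare(resp):
    """Return (ip_filter verdict, delegation-only verdict) as 'pass' or NXDOMAIN."""
    verdict = lambda r: NXDOMAIN if r == NXDOMAIN else "pass"
    return (verdict(ip_filter(resp, {"64.94.110.11"})),
            verdict(delegation_only_filter(resp, {"net"})))

if __name__ == "__main__":
    for name in ("REFERRAL", "WILDCARD", "MOVED", "WILDCARD_NS"):
        print(name, compare(globals()[name]))
```

`MOVED` gets past the address filter but not the delegation-only filter, while `WILDCARD_NS` gets past both, which is the limit of the delegation-only approach that the comment itself points out.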

  10. djbdns (dnscache) patch by asackett · · Score: 3, Informative
    Here is a site linking to a patch for dnscache users. I'd prefer a hack along the lines of what [groan] ISC has implemented, but if verislime were to delegate and then spoof, ISC's hack would stop working, while the dnscache patch would simply require a bit of administwiddling and then keep right on working.

    Patch 'em up and move 'em out...

    --

    Warning: This signature may offend some viewers.

  11. Block via Squid by fallacy · · Score: 2, Informative

    Which should mean that mail etc. will be unaffected.

    acl verisign dst 64.94.110.11
    http_access deny verisign

  12. ipfw by mapinguari · · Score: 2, Informative
    For those of us with ipfw:
    ipfw add reject ip from any to 64.94.110.11
    That turns expected 404's into 503's.
  13. I was told "Register mis-spelled variants" ! by 2ears · · Score: 2, Informative

    Interesting discussion tonight with the Verisign/Network Solutions support line (Worldwide: +1-703-742-0914 then 2 then 7). I was complaining that while trying to reach my own mydomain.com (true name replaced here) I made a mistake and was dragged to sitefinder.verisign.com, and that I didn't agree with that. The man then went straight to telling me that I should buy misspelling variants of my domain name !!! I couldn't believe my ears ! I regret I hadn't a lawyer to record the conversation ... The man just agreed finally it was not possible to buy all possible mistypings in all languages' keyboard layouts.

    After a few minutes of exchanges (the total communication lasted for 12 minutes) the man finally failed to understand that I just wanted my IP to be excluded from the SiteFinder system, which I was telling him from the beginning. Anyway, he then asked if I was the owner of the mis-typed name and I had to admit I was not. His point was that since I was not the owner of the mis-typed domain I had no right to it. True. Now I reversed the charge and asked him if Verisign was the owner of the mis-typed domain and he was forced to admit that the answer was "no". As we reached a dead end this way, we finally courteously closed the conversation, which is very interesting from my point of view.

    The summary of this conversation is that:
    - Network Solutions is actively trying to use the sitefinder mess to sell mis-typed domains, which may be reprehensible in some way (I am not a lawyer, but if you bring somebody to some place against his will in order to solicit him to buy something it may be illegal);
    - Verisign must admit that it doesn't own the mis-typed domains. I don't know if there is an implication of that, though.