those Verisign dickheads

are you going to charge me dickhead? -- Hockney in Usual Suspects

What is happening?

Verisign, the registry in charge of the .net and .com top-level domains, has recently decided to hijack every unregistered domain by adding a wildcard entry that redirects it to their advertising web server. This means that if you mistakenly type www.lniux.com instead of www.linux.com, you are automatically redirected to Verisign's web site.

This outrageous behaviour not only means they get free advertisement all over the Internet, but they can also store browser Referer information, or collect emails sent to mistyped addresses (yes, they get the @lniux.com email as well, since the wildcard answers for MX lookups too).

Learn more about the issue on this /. story.

The dickhead patch for Bind (versions 8.3, 8.4 or 9.2)

This patch adds a "dickheads" directive to list IP addresses that Bind will refuse to answer with: any response whose A record points at one of these addresses is turned into an NXDOMAIN. Addresses can be added later in case Verisign decides to make their wildcard entry a round-robin. See below for a list of other top-level registries doing the same.

Download the patch here:

Changelog:

  • 27 Sep 2003: fixed assertion failures in the Bind 9.2.2 patch, thanks to Thomas Ries.
  • 19 Sep 2003: ported the patch to Bind 9.2.2, drawing heavily on Richard Clark's version.
  • 19 Sep 2003: added Marcin Owsiany's contributed Bind 8.3.3 patch.
  • 18 Sep 2003: compilation fix for BSD, reported by Tony M and Len Sassaman.
  • 17 Sep 2003: properly return NXDOMAIN instead of server failure, thanks to Marc Boucher's excellent contribution.
  • 16 Sep 2003: initial version.

How does it work?

Here is a simple example. Without the patch, the output of the host command for a domain that does not exist looks like this (the wildcard answers with Verisign's address):

sam@c18 ~% host verisign-are-a-bunch-of-dickheads.com
verisign-are-a-bunch-of-dickheads.com   A       64.94.110.11
sam@c18 ~%

Now just add the following to /etc/bind/named.conf.options, or the appropriate configuration file on your Bind installation, and reload the server:

dickheads {
   64.94.110.11; // the Verisign dickheads: .COM and .NET
   /* Taken from Adam Langley's excellent page on the subject: */
   64.55.105.9; 212.181.91.6; // .NU
   195.20.32.83; 195.20.32.86; // .TK
   206.253.214.102; // .CC
   202.128.12.163; // .MP
   194.205.62.122; // .AC
   194.205.62.122; 206.253.214.102; // .CC
   219.88.106.80; // .CX
   195.7.77.20; // .MUSEUM
   203.119.4.6; // .PH
   194.205.62.62; // .SH
   194.205.62.42; // .TM
   216.35.187.246; // .WS
}

And here is the expected result:

sam@c18 ~% host verisign-are-a-bunch-of-dickheads.com
verisign-are-a-bunch-of-dickheads.com does not exist, try again
sam@c18 ~%

The following lines will appear in the server's logs (with debugging enabled):

req: nlookup(verisign-are-a-bunch-of-dickheads.com) id 14748 type=1 class=1
(...)
refused dickhead answer '64.94.110.11'
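To make the patch's logic concrete, here is an added model of it in Python (not part of the patch or of Bind): it parses the address list out of a dickheads { ... } block written in the same format as the snippet above, then rewrites any answer carrying a listed address to NXDOMAIN and emits the "refused dickhead answer" log line. The config fragment is constructed for the example, and the function names are my own.

```python
"""Model of the 'dickheads' directive: parse the address list from a
named.conf-style block, then turn answers pointing at a listed address
into NXDOMAIN, the way the patched Bind does."""
import re
from ipaddress import ip_address

# Constructed config fragment, same syntax as the snippet on this page.
SAMPLE_CONF = """
dickheads {
   64.94.110.11; // the Verisign dickheads: .COM and .NET
   /* two more wildcard targets, one per line or several per line */
   64.55.105.9; 212.181.91.6; // .NU
};
"""

NOERROR = 0   # DNS RCODE values
NXDOMAIN = 3


def parse_dickheads(conf: str) -> frozenset:
    """Return the set of IP addresses listed in the dickheads { ... } block.

    Handles the two comment styles used in named.conf (// and /* */) and
    any number of ';'-terminated addresses per line."""
    m = re.search(r"dickheads\s*\{(.*?)\}", conf, re.S)
    if not m:
        return frozenset()
    body = re.sub(r"/\*.*?\*/", "", m.group(1), flags=re.S)  # strip /* ... */
    body = re.sub(r"//[^\n]*", "", body)                      # strip // ...
    addrs = set()
    for tok in body.split(";"):
        tok = tok.strip()
        if tok:
            addrs.add(str(ip_address(tok)))  # rejects malformed literals
    return frozenset(addrs)


def filter_answer(qname: str, rcode: int, answers: list, blocked: frozenset,
                  log: list):
    """Mimic the patch: if any A record in the answer points at a blocked
    address, log it and hand back NXDOMAIN with an empty answer section;
    otherwise return the answer untouched."""
    for rrtype, rdata in answers:
        if rrtype == "A" and rdata in blocked:
            log.append(f"refused dickhead answer '{rdata}'")
            return NXDOMAIN, []
    return rcode, answers
```

A real resolver would apply this at the point where the recursive answer is about to be cached and returned, so the bogus A record never reaches clients.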

Links

A list of other countermeasures can be found at www.imperialviolet.org.