those Verisign dickheads
are you going to charge me dickhead? -- Hockney in Usual Suspects
What is happening?
Verisign, the registrar in charge of the .com top-level domains, has recently decided to hijack every available domain and redirect them to their advertising webserver. This means that if you mistakenly type www.lniux.com instead of www.linux.com, you are automatically redirected to Verisign's web
This outrageous behaviour not only means they get free advertisement all over the Internet, but they can also store browser referer information, or collect emails sent to mistyped addresses (yes, they get the @lniux.com email as well).
Learn more about the issue on this /. story.
The dickhead patch for Bind (versions 8.3, 8.4 or 9.2)
This patch adds a "dickheads" directive to list IP addresses that Bind will refuse to answer. Addresses can be added later in case Verisign decides to make their wildcard entry a round-robin. See below for a list of other top-level registrars doing the same.
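The idea behind the directive, as an added sketch that is not the patch's own code: a successful answer whose A record matches a listed address is rewritten into an empty NXDOMAIN. The `struct answer` type, the function names and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#define RCODE_NOERROR  0
#define RCODE_NXDOMAIN 3   /* RFC 1035 "Name Error" */
#define MAX_ADDRS      8

/* Simplified stand-in for a resolver answer: rcode plus its A records. */
struct answer { int rcode; size_t n; struct in_addr addrs[MAX_ADDRS]; };
/* Constructed blocklist (TEST-NET-1 placeholders); two entries model a
 * wildcard that has become a round-robin. */
static const char *const BLOCKED[] = { "192.0.2.11", "192.0.2.12" };

static int is_blocked(struct in_addr a)
{
    struct in_addr b;
    for (size_t i = 0; i < sizeof BLOCKED / sizeof BLOCKED[0]; i++)
        if (inet_pton(AF_INET, BLOCKED[i], &b) == 1 && a.s_addr == b.s_addr)
            return 1;
    return 0;
}

/* Turn a successful answer into an empty NXDOMAIN as soon as one A record
 * points at a blocked address, so the client sees "no such domain". */
static void filter_answer(struct answer *ans)
{
    for (size_t i = 0; ans->rcode == RCODE_NOERROR && i < ans->n; i++)
        if (is_blocked(ans->addrs[i])) {
            ans->rcode = RCODE_NXDOMAIN;
            ans->n = 0;
        }
}

/* Build an answer from dotted quads, filter it, return the rcode (-1: bad input). */
static int rcode_after_filter(const char *const *ips, size_t n)
{
    struct answer ans = { .rcode = RCODE_NOERROR };
    if (n > MAX_ADDRS) return -1;
    for (size_t i = 0; i < n; i++)
        if (inet_pton(AF_INET, ips[i], &ans.addrs[ans.n++]) != 1) return -1;
    filter_answer(&ans);
    return ans.rcode;
}

int main(void)
{
    const char *const typo[] = { "192.0.2.11" };   /* constructed wildcard reply */
    const char *const real[] = { "198.51.100.7" }; /* constructed genuine reply */
    printf("typo=%d real=%d\n", rcode_after_filter(typo, 1), rcode_after_filter(real, 1));
}
```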
Download the patch here:
- Bind 9.2 (successfully tested on 9.2.3rc1):
- Bind 8.4 (successfully tested on 18.104.22.168):
- Bind 8.3 (successfully tested on 8.3.3 and 8.3.4):
- 27 Sep 2003: fixed assertion failures in the Bind 9.2.2 patch, thanks to Thomas Ries.
- 19 Sep 2003: ported the patch to Bind 9.2.2, drawing heavily on Richard Clark's version.
- 19 Sep 2003: added Marcin Owsiany's contributed Bind 8.3.3 patch.
- 18 Sep 2003: compilation fix for BSD, reported by Tony M and Len Sassaman.
- 17 Sep 2003: properly return NXDOMAIN instead of server failure, thanks to Marc Boucher's excellent contribution.
- 16 Sep 2003: initial version.
How does it work?
Here is a simple example. The current output of the command looks like this:
Now just add the following in the appropriate configuration file on your Bind installation:
And here is the expected result:
The following line will appear in the server's logs:
A list of other countermeasures can be found at www.imperialviolet.org.