about me






those Verisign dickheads

are you going to charge me dickhead? -- Hockney in Usual Suspects

What is happening?

Verisign, the registrar in charge of the .net and .com toplevel domains, has recently decided to hijack every available domain and redirect them to their advertising webserver. This means that if you mistakenly type www.lniux.com instead of www.linux.com, you are automatically redirected to Verisign's web site.

This outrageous behaviour not only means they get free advertisment all over the Internet, but they can also store browser referer information, or collect emails sent to mistyped addresses (yes, they get the @lniux.com email as well).

Learn more about the issue on this /. story.

The dickhead patch for Bind (versions 8.3, 8.4 or 9.2)

This patch adds a "dickheads" directive to list IP addresses that Bind will refuse to answer. Addresses can be added later in case Verisign decides to make their wildcard entry a round-robin. See below for a list of other top-level registrars doing the same.

Download the patch here:


How does it work?

Here is a simple example. The current output of the host command looks like this:

sam@c18 ~% host verisign-are-a-bunch-of-dickheads.com
verisign-are-a-bunch-of-dickheads.com   A
sam@c18 ~%

Now just add the following in /etc/bind/named.conf.options or the appropriate configuration file on your Bind installation:

dickheads {; // the Verisign dickheads: .COM and .NET
   /* Taken from Adam Langley's excellent page on the subject: */;; // .NU;; // .TK; // .CC; // .MP; // .AC;; // .CC; // .CX; // .MUSEUM; // .PH; // .SH; // .TM; // .WS

And here is the expected result:

sam@c18 ~% host verisign-are-a-bunch-of-dickheads.com
verisign-are-a-bunch-of-dickheads.com does not exist, try again
sam@c18 ~%

The following line will appear in the server's logs:

req: nlookup(verisign-are-a-bunch-of-dickheads.com) id 14748 type=1 class=1
refused dickhead answer ''


A list of other countermeasures can be found at www.imperialviolet.org.