Subject: Re: DNS Blacklist feature
To: None <darcy@NetBSD.org>
From: M Graff <explorer@flame.org>
List: tech-kern
Date: 11/07/2007 10:45:17

D'Arcy J.M. Cain wrote:
> How do we feel about a mod to the resolver library to implement a DNS
> blacklist?  Verizon and others are starting to resurrect sitefinder on
> a local basis.  It occurs to me that one self-defense mechanism would
> be the ability to add a line to /etc/resolv.conf that declares certain
> IP addresses as evil^H^H^H^Hinaccurate and treat responses with those
> addresses as returning NXDOMAIN.  This would allow users behind those
> hijacking DNS servers to identify and redirect the redirection.

I don't know how I feel about DNS blacklists, but I do feel it should
not go in /etc/resolv.conf.  That file is sort of "owned" by dhclient
when I use it, and it's hard to change major parts of it.

Also, I might want to subscribe to a published "ISPs suck" DNS server
blacklist, so perhaps I'd use wget, rsync, etc. to fetch daily copies
from a trusted source.

--Michael
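An added example, not code from this thread or from NetBSD's resolver: a Python sketch of the check D'Arcy proposes, applied at the point where a stub resolver holds the raw response. The blacklist contents, the constant name HIJACK_BLACKLIST and the sample responses are constructed for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed blacklist: the addresses a hijacking resolver substitutes for
# NXDOMAIN (values are illustrative, not any real ISP's).
HIJACK_BLACKLIST = [ip_network("192.0.2.0/24"), ip_network("198.51.100.7/32")]

def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:      # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length

def answer_addresses(msg):
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                              # fixed-size header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:     # A record
            addrs.append(ip_address(msg[off:off + 4]))
        off += rdlen
    return addrs

def filter_response(msg, blacklist=HIJACK_BLACKLIST):
    """Drop blacklisted addresses; return None (treat as NXDOMAIN) when every
    answer was blacklisted, i.e. the response is a redirected NXDOMAIN."""
    addrs = answer_addresses(msg)
    clean = [a for a in addrs if not any(a in net for net in blacklist)]
    return None if addrs and not clean else clean

def build_response(name, addrs):
    """Construct a minimal DNS response for testing (not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) +
                       ip_address(a).packed for a in addrs)
    return hdr + question + answers
```

A response whose only answers fall in the blacklist is reported as NXDOMAIN; a mixed response keeps the addresses that are not blacklisted.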
