Blocking Verisign's new wildcard DNS record


Christopher X. Candreva

Sep 15, 2003, 5:34:09 PM
Verisign is now returning a wildcard record for any unregistered .net
domain, with .com soon to follow. This is to redirect all such requests to
their own search site.

Now, the IP they are returning currently is 64.94.110.11. It just occurred
to me, is it possible to configure bind such that any lookup that returns
that IP returns Host not found instead ?

If Verisign is determined to break DNS, perhaps we can break it back ?

--
==========================================================
Chris Candreva -- ch...@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

Sam Pointer

Sep 16, 2003, 8:05:45 AM
.com is now live too.

IMHO this is a terrible thing to be doing. What a complete pain in the bum
for troubleshooting. `dig thisisanonexistentdomainname.com` - oh yes,
something returned.

More to the point, dig 11.110.94.64.in-addr.arpa to check for domain name
existence to prevent spam - a reverse mapping now exists so we'll let the
email through. Whoops, there go our spam filters.

What about email? Let's email blahblahblah.com, what no MX record? Let's
just try direct A record delivery instead then as a last ditch. Mail is sent
to 64.94.110.11! What a complete waste of time, bandwidth and general
effort. Not only that, they have a server listening on this address on port
25! It's a mail rejecter, OK - but seriously, this is so poorly thought-out
and disruptive I don't know where to begin. This is so seriously going to
break mail delivery to secondary MTAs where MX records have been mis-typed
for the primaries. Spam checkers connecting to port 25 of `sendmespam.com`
and getting a 'HELO', oh - that now works too!

If there has been previous discussion on this list about this then I am
sorry that I have missed it. This is going to cause no end of problems.

I cannot believe the stupidity of this.



Erik Hensema

Sep 16, 2003, 9:08:30 AM
[don't know if this is an open list, let's try anyway]

In comp.protocols.dns.bind, you wrote:
> Verisign is now returning a wildcard record for any unregistered .net
> domain, with .com soon to follow. This is to redirect all such requests to
> their own search site.
>
> Now, the IP they are returning currently is 64.94.110.11. It just occurred
> to me, is it possible to configure bind such that any lookup that returns
> that IP returns Host not found instead ?
>
> If Verisign is determined to break DNS, perhaps we can break it back ?

They're not breaking DNS. They're breaking about everything else though:

- anti-spam measures in MTAs -- they often check for the existence of
sender domains

- DNS blacklists used to block spam: the dorkslayers.com DNSBL today has
been dropped from DNS -- except that it isn't. Correct clients will check
if addresses resolve to 127.0.0.x, but some may not.

- the internet is more than just web and email. Applications won't give
meaningful error messages anymore, but just 'connection timed out', or a
similar message. That's right, connection attempts to other ports than 25
and 80 are dropped by 64.94.110.11.

- when using a misspelled MX record for a domain, the risk of getting
bounces is now far higher

- this wildcard record causes caches to grow (? I think -- don't know about
negative caching).

So getting rid of this wildcard record is IMHO critical. Either by verisign
getting some clue, or by patching our DNS servers.

Actually I prefer both. Even if verisign gets some sanity back and they
remove the wildcard record tomorrow, we still risk having similar
wildcard records in other TLDs.

Therefore I'd very much like to see a patch for bind (8/9) which enables
the administrator to send an error to the clients instead of an A record
for a given list of IPs. Unfortunately I'm not capable of coding such a
patch without substantial studying of the bind source code :-/

Proposed entry in named.conf:

options {
bogus-wildcards { 64.94.110.11; };
bogus-wildcard-response "nxdomain";
};

Quick&Dirty hacks also accepted for now ;-)
--
Erik Hensema (er...@hensema.net)

Guillaume Rischard

Sep 16, 2003, 4:56:16 AM
Hello,

Andrew Church has published an untested patch at
http://achurch.org/bind-verisign-patch.html . Here is what he writes:

> BIND 8 patch for Verisign stupidity
>
> This page provides a patch to BIND 8 to ignore the wildcard A record
> Verisign is now returning for unregistered .com/.net domains. It was
> cooked up over 10 minutes of pure anger and has not been properly
> tested; it would be better to be able to specify which IPs to ignore in
> the configuration file. Suggestions or improved patches are very
> much welcomed.
>
> This patch was made against BIND 8.4.1.

Here is the actual patch:

---cut here---

--- src/bin/named/ns_resp.c.old 2003-05-30 20:52:14 +0900
+++ src/bin/named/ns_resp.c 2003-09-16 12:09:30 +0900
@@ -971,6 +971,15 @@
*/
if (i < ancount) {
/* Answer section. */
+ /* HACK to kill Verisign stupidity
+ * --ach...@achurch.org */
+ char IP_TO_KILL[] = {64,94,110,11};
+ if (type == ns_t_a
+ && memcmp(dp->d_data, IP_TO_KILL, 4) == 0
+ ) {
+ validanswer = 0;
+ continue;
+ }
/*
* Check for attempts to overflow the buffer in
* getnameanswer.
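Review bot: the match `memcmp(dp->d_data, IP_TO_KILL, 4) == 0` is against a compile-time constant, so the filter goes silent the moment the wildcard target changes; reading the address list from named.conf (as the page text itself asks for) would avoid a rebuild. The `validanswer = 0; continue;` path also leans on the resolver's existing handling of a response with no usable answer rather than an explicit NXDOMAIN, so what the client actually sees depends on that path, and the `type == ns_t_a` test has no class check before comparing rdata.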

---cut here---

Cheers,

Guillaume

"Christopher X. Candreva" <ch...@westnet.com> wrote in message news:<bk5ek8$2vuh$1...@sf1.isc.org>...

Russell Nelson

Sep 16, 2003, 12:40:51 AM
"Christopher X. Candreva" <ch...@westnet.com> writes:

> Verisign is now returning a wildcard record for any unregistered .net
> domain, with .com soon to follow. This is to redirect all such requests to
> their own search site.
>
> Now, the IP they are returning currently is 64.94.110.11. It just occurred
> to me, is it possible to configure bind such that any lookup that returns
> that IP returns Host not found instead ?

Here's how I did it for djbdns: http://tinydns.org/djbdns-1.05-ignoreip.patch
Basically, any response with an A RR matching 64.94.110.11 is turned
into an NXDOMAIN.

--
--My blog is at angry-economist.russnelson.com | Free markets express in the
Crynwr sells support for free software | PGPok | practical world our belief
521 Pleasant Valley Rd. | +1 315 268 1925 voice | that there is that of God
Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | in all people. -Chris V.

Andrew Church

Sep 15, 2003, 11:27:13 PM
"Christopher X. Candreva" <ch...@westnet.com> wrote in message news:<bk5ek8$2vuh$1...@sf1.isc.org>...
> Verisign is now returning a wildcard record for any unregistered .net
> domain, with .com soon to follow. This is to redirect all such requests to
> their own search site.
>
> Now, the IP they are returning currently is 64.94.110.11. It just occurred
> to me, is it possible to configure bind such that any lookup that returns
> that IP returns Host not found instead ?

I've uploaded a preliminary (as in, it seems to work for me) patch for BIND
8 to my homepage (http://achurch.org/bind-verisign-patch.html). This is a
"poor-man's" patch in the extreme--all it does is skip over any
A/64.94.110.11 answer--but it has given me my "host not found" errors back.

Jim Hatfield

Sep 16, 2003, 2:14:34 PM

Next they'll be changing the address every day.

--
Jim Hatfield

Tony Mountifield

Sep 16, 2003, 3:55:03 PM
In article <bk5ek8$2vuh$1...@sf1.isc.org>,
Christopher X. Candreva <ch...@westnet.com> wrote:
> Verisign is now returning a wildcard record for any unregistered .net
> domain, with .com soon to follow. This is to redirect all such requests to
> their own search site.
>
> Now, the IP they are returning currently is 64.94.110.11. It just occurred
> to me, is it possible to configure bind such that any lookup that returns
> that IP returns Host not found instead ?

What you want to do, rather than check for that specific address, is to
compare the returned address for whatever.tld with that returned for
*.tld (which of course will be cached for the relevant TTL), and if they
match, return NXDOMAIN.

That way, Verisign can't get round it by changing the address regularly.

Cheers,
Tony
--
Tony Mountifield
Work: to...@softins.co.uk - http://www.softins.co.uk
Play: to...@mountifield.org - http://tony.mountifield.org

Clayton Braun

Sep 17, 2003, 12:10:41 PM
gn...@stereo.lu (Guillaume Rischard) wrote in message news:<bk7hdt$1m8q$1...@sf1.isc.org>...

In a previous post (if it makes it here) I suggested another patch
that provides an NXDOMAIN response. DO NOT USE that patch, it does
not return a properly formatted NXDOMAIN response. I would wait for
someone to come out with a cleaner solution, and I'll be working on
one myself.

Clayton Braun

Sep 17, 2003, 6:18:04 AM
Here's another version of the patch that returns NXDOMAIN. This
should be applied to version 8.4.1.

--- ns_resp.c.orig Wed Sep 17 03:15:10 2003
+++ ns_resp.c Wed Sep 17 04:54:45 2003
@@ -308,6 +308,7 @@
DST_KEY *key;
int expect_cname;
int pass = 0;
+ int wasCaught = 0;

nameserIncr(from, nssRcvdR);
nsp[0] = NULL;
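Review bot: the new flag `wasCaught` is fine as a flag, but the surrounding locals in this function (`expect_cname`, `pass`) use BIND's lower-case style, so `was_caught` would match the file; worth a one-line comment saying it is set when a wildcard A record was dropped from the answer section.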
@@ -971,6 +972,17 @@


*/
if (i < ancount) {
/* Answer section. */
+

+ /* Beginning of anti-Verisign catch */
+ char catchIp[] = { 64, 94, 110, 11 };
+ if (type == ns_t_a && memcmp(dp->d_data,
catchIp, 4) == 0)
+ {
+ db_detach(&dp);
+ wasCaught = 1;
+ break;
+ }
+ /* End of anti-Verisign catch - Golgi Group */


+
/*
* Check for attempts to overflow the buffer
in
* getnameanswer.
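Review bot: after `db_detach(&dp)` the `break` leaves the record-processing loop, so any further records in the answer section and everything in the authority and additional sections are never examined or cached; that is acceptable for the stated goal, but a response carrying a legitimate RR next to the wildcard A is discarded wholesale. As in the earlier patch, `catchIp` is a compile-time constant and the `type == ns_t_a` test has no class check.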

@@ -1210,6 +1222,12 @@
return;
}

+ if(wasCaught == 1)
+ {
+ hp->rcode = NXDOMAIN;
+ goto return_msg;
+ }
+
/*
* We might want to cache this negative answer.
*
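Review bot: setting `hp->rcode = NXDOMAIN` and jumping to `return_msg` sends the upstream message back with only the rcode changed; nothing in this hunk zeroes the section counts or strips the answer bytes, so the client receives rcode NXDOMAIN together with whatever answer section the upstream sent. This is the malformed NXDOMAIN that the author withdraws in the follow-up post; rebuilding the header with qdcount 1, the other counts 0 and only the question copied (as the later patch does) is the correct shape.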


Good luck,
Clay

gn...@stereo.lu (Guillaume Rischard) wrote in message news:<bk7hdt$1m8q$1...@sf1.isc.org>...

Clayton Braun

Sep 18, 2003, 12:35:24 AM
Ok, here's a second attempt at a patch for V8.4.1. This has undergone
some testing, enough that we're putting it into production
temporarily. The troubles we're having from this wildcard stuff
outweigh the risk that this patch may not be kosher. It returns an
NXDOMAIN response to downstream queries for upstream answers that
contained the 64.94.110.11 A record. Obviously this is no good if
that IP address changes. It's not meant to be a long term fix, and I
suggest serious caution and testing before you think of using it
yourself. The intended purpose is to tide us over a few days until an
official v8 patch is released, or Verisign surrenders, etc.

Copy the patch text to a file (assume "patchfile")
untar the 8.4.1 source

bash-2.05# cd src
bash-2.05# patch < patchfile
Looks like a normal diff.
File to patch: bin/named/ns_resp.c
done

310a311
> int wasCaught = 0;
973a975,985


>
> /* Beginning of anti-Verisign catch */

> char catchIp[] = { 64, 94, 110, 11 };

> if (type == ns_t_a && memcmp(dp->d_data, catchIp, 4) == 0)

> {
> db_detach(&dp);
> wasCaught = 1;
> break;


> }
> /* End of anti-Verisign catch - Golgi Group */
>
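Review bot: this is the same catch as in the earlier posting; the `break` after `db_detach(&dp)` still abandons the rest of the response, and `catchIp` is still a compile-time constant, so the caveat in the post body ("no good if that IP address changes") applies. A small table of addresses, or the named.conf option proposed earlier in the thread, would let operators update the list without a rebuild.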

1223a1236
>
1239a1253,1294
> if(wasCaught == 1)
> {
> count = 0;
> cname = 0;
> founddata = 0;
> dname = name;
> newmsglen = MIN(EDNS_MESSAGE_SZ, msglen);
> memcpy(newmsg, msg, newmsglen);
> hp = (HEADER *) newmsg;
> hp->qdcount = htons(1);
> hp->ancount = htons(0);
> hp->nscount = htons(0);
> hp->arcount = htons(0);
> hp->rcode = NXDOMAIN;
> dnptrs[0] = newmsg;
> dnptrs[1] = NULL;
> cp = newmsg + HFIXEDSZ;
> n = dn_expand(newmsg, newmsg + newmsglen, cp, dname, sizeof name);
> if (n < 0) {
> ns_debug(ns_log_default, 1, "dn_expand failed");
> goto servfail;
> }
> if (!res_dnok(dname)) {
> ns_debug(ns_log_default, 1, "bad name (%s)", dname);
> goto servfail;
> }
> cp += n + QFIXEDSZ;
> buflen = (qp->q_stream != NULL) ? NS_MAXMSG : MIN(EDNS_MESSAGE_SZ, qp->q_udpsize);
> buflen -= (cp - newmsg);
> /*
> * Reserve space for TSIG / EDNS
> */
> if (qp->q_tsig != NULL)
> buflen -= qp->q_tsig->tsig_size;
> if ((qp->q_flags & Q_EDNS) != 0)
> buflen -= 11;
> if (!NS_OPTION_P(OPTION_NONAUTH_NXDOMAIN))
> hp->aa = 1;
> ns_debug(ns_log_default, 3, "resp: NXDOMAIN aa = %d", hp->aa);
> goto return_newmsg;
> }
>
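Review bot: the rebuilt reply sets `hp->nscount = htons(0)`, so the NXDOMAIN carries no SOA in the authority section; downstream caches cannot negatively cache it (RFC 2308 requires the SOA for that), so every client lookup of a nonexistent name comes back to this server. Also `hp->aa = 1` (unless OPTION_NONAUTH_NXDOMAIN is set) asserts authority for a synthesized answer, `buflen -= 11` is a magic number for the OPT record that deserves a named constant, and `memcpy(newmsg, msg, newmsglen)` copies the whole upstream message although only the header and question are used.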
1277a1333
>

Feel free to email me with questions.
Clay

vv...@hotmail.com (Clayton Braun) wrote in message news:<bka2i1$17df$1...@sf1.isc.org>...
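The NXDOMAIN rewrite the patch above performs, recast as an added Python example (not code from the thread or from BIND): it parses a wire-format response, checks the answer section for the 64.94.110.11 A record and, if found, returns a reply with the same ID and flags, the question copied, all other counts zero and rcode 3. `build_response` constructs the sample message; the set of addresses to drop is a parameter, so it can be filled from a probe of the TLD wildcard as Tony Mountifield suggests above rather than hard-coded as in the patches.

```python
import struct

# Constructed sample: the wildcard target the thread discusses.
SITEFINDER_A = {bytes([64, 94, 110, 11])}

def _skip_name(msg, off):
    """Return the offset just past the domain name starting at off."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def _question_end(msg):
    """Offset just past the question section (the header is 12 bytes)."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    return off

def answers_contain(msg, bogus=SITEFINDER_A):
    """True if any IN A record in the answer section carries an address in bogus."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    off = _question_end(msg)
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4 and rdata in bogus:
            return True
    return False

def to_nxdomain(msg):
    """Rebuild msg as the patch does: same ID and flags, question only, rcode 3.
    Like the patch, no SOA is added, so downstream resolvers cannot negatively
    cache this reply (RFC 2308)."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    flags = (flags & 0xFFF0) | 3        # clear the rcode nibble, set NXDOMAIN
    header = struct.pack("!6H", txid, flags, qdcount, 0, 0, 0)
    return header + msg[12:_question_end(msg)]

def filter_response(msg, bogus=SITEFINDER_A):
    """Pass a response through unchanged unless it carries a bogus A answer."""
    return to_nxdomain(msg) if answers_contain(msg, bogus) else msg

def build_response(qname, rdata, txid=0x1234):
    """Constructed sample: one IN A question and one IN A answer (TTL 900) whose
    owner name is a compression pointer back to the question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, rcode 0
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 900, 4) + rdata
    return header + question + answer
```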

Scot W. Hetzel

Sep 18, 2003, 11:14:52 PM
I have created a patch that applies to both bind 8.3.6 and bind 8.4.1, that
will return NXDOMAIN for more than just .net and .com domains.

This patch is based on the patches submitted by Braun, and Church. The change
was to use an array of TLDs in which to check if the A record matches an IP
stored in the array.

To use this patch, you need to define which TLDs you want to forbid the use of
wildcard TLDs for, by adding the appropriate define to CFLAGS.

CFLAGS=-DVERISIGN_TLD -DALL_TLD

- VERISIGN_TLD adds the com and net wildcard TLDs to the list
- ALL_TLD [1] adds the remaining wildcard TLDs to the list, except .museum
  NOTE: If you don't want all TLDs enabled, you may enable them individually;
  grep _TLD ns_resp.c to see all the *_TLD's that can be defined.
- MUSEUM_TLD adds the museum TLD to the list

You can add additional wildcard TLDs to the list by editing ns_resp.c, and
then adding the new wildcard TLD to the ip_to_kill list.

Bugs/TODO:
- Doesn't distinguish between TLDs using the same wildcard TLD IP address (.net and .com);
  needs a check to see if the query domain contains ip_to_kill[i]->TLD.
- Hardcodes the IP addresses of the wildcard TLDs
- Unable to add additional TLDs via named.conf

Scot

Index: named.h
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/named/named.h,v
retrieving revision 1.1.1.2.2.4
diff -u -r1.1.1.2.2.4 named.h
--- named.h 15 May 2002 19:51:21 -0000 1.1.1.2.2.4
+++ named.h 17 Sep 2003 05:09:05 -0000
@@ -65,3 +65,8 @@

#include "ns_func.h"
#include "db_func.h"
+
+struct ip_to_kill_s {
+ char *TLD;
+ char ip[4];
+};
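Review bot: `char ip[4]` has to hold octets such as 195 and 216 (see the table in ns_resp.c) that do not fit a signed `char`; the initializers are converted implementation-defined and compilers warn about it. `unsigned char ip[4]` is the right type, and `memcmp` compares as unsigned bytes anyway, so nothing else changes.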
Index: ns_resp.c
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_resp.c,v
retrieving revision 1.1.1.2.2.10
diff -u -r1.1.1.2.2.10 ns_resp.c
--- ns_resp.c 25 Aug 2003 21:07:49 -0000 1.1.1.2.2.10
+++ ns_resp.c 19 Sep 2003 01:20:32 -0000
@@ -151,6 +151,126 @@
danglingCname[] = "dangling CNAME pointer",
nonRecursiveForwarder[]= "non-recursive forwarder";

+/* VERISIGN_TLD enables checking for wildcard TLDs in .com and .net zone */
+#ifdef VERISIGN_TLD
+#define NET_TLD
+#define COM_TLD
+#endif
+
+/* ALL_TLD enables checking the remaining wildcard TLDs except .museum */
+#ifdef ALL_TLD
+#define AC_TLD
+#define BIZ_TLD
+#define BZ_TLD
+#define CC_TLD
+#define CN_TLD
+#define CX_TLD
+#define IO_TLD
+#define MP_TLD
+#define NU_TLD
+#define PH_TLD
+#define PW_TLD
+#define SH_TLD
+#define TD_TLD
+#define TK_TLD
+#define TM_TLD
+#define TV_TLD
+#define TW_TLD
+#define US_TLD
+#define WS_TLD
+#endif
+
+/* These TLDs are currenlty not using wildcard TLDs */
+#undef BIZ_TLD
+#undef IO_TLD
+#undef TV_TLD
+#undef US_TLD
+
+struct ip_to_kill_s ip_to_kill[] = {
+ /*
+ * Verisign wildcard TLDs
+ */
+#ifdef NET_TLD
+ {"net", {64,94,110,11} },
+#endif
+#ifdef COM_TLD
+ {"com", {64,94,110,11} },
+#endif
+ /*
+ * Museum wildcard TLD
+ *
+ * Used by .museum to provide an error page with
+ * a link to an index of all .museum domains.
+ */
+#ifdef MUSEUM_TLD
+ {"museum", {195,7,77,20} },
+#endif
+ /*
+ * The rest of the wildcard TLDs
+ */
+#ifdef AC_TLD
+ {"ac", {194,205,62,122} },
+#endif
+#ifdef BIZ_TLD
+ {"biz", {0,0,0,0} },
+#endif
+#ifdef BZ_TLD
+ {"bz", {216,220,34,101} },
+#endif
+#ifdef CC_TLD
+ {"cc", {206,253,214,102} },
+#endif
+#ifdef CN_TLD
+ {"cn", {159,226,7,162} },
+#endif
+#ifdef CX_TLD
+ {"cx", {219,88,106,80} },
+#endif
+#ifdef IO_TLD
+ {"io", {0,0,0,0} },
+#endif
+#ifdef MP_TLD
+ {"mp", {202,128,12,163} },
+#endif
+#ifdef NU_TLD
+ {"nu", {212,181,91,6} },
+ {"nu", {64,55,105,9} },
+#endif
+#ifdef PH_TLD
+ {"ph", {203,119,4,6} },
+#endif
+#ifdef PW_TLD /* uses a wildcard CNAME record to wfb.dnsvr.com */
+ {"pw", {216,98,141,250} },
+ {"pw", {65,125,231,178} },
+#endif
+#ifdef SH_TLD
+ {"sh", {194,205,62,62} },
+#endif
+#ifdef TD_TLD /* uses a wildcard CNAME record to www.nic.td */
+ {"td", {146,101,245,154} },
+#endif
+#ifdef TK_TLD
+ {"tk", {195,20,32,83} },
+ {"tk", {195,20,32,86} },
+#endif
+#ifdef TM_TLD
+ {"tm", {194,205,62,42} },
+#endif
+#ifdef TV_TLD
+ {"tv", {0,0,0,0} },
+#endif
+#ifdef TW_TLD
+ {"tw", {203,73,24,11} },
+#endif
+#ifdef US_TLD
+ {"us", {0,0,0,0} },
+#endif
+#ifdef WS_TLD
+ {"ws", {216,35,187,246} },
+#endif
+ {NULL, {0,0,0,0} }
+};
+
struct db_list {
struct db_list *db_next;
struct databuf *db_dp;
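Review bot: the `#undef BIZ_TLD` / `IO_TLD` / `TV_TLD` / `US_TLD` block runs unconditionally, so `-DBIZ_TLD` on the command line is silently discarded, and the `{0,0,0,0}` placeholder rows would match a 0.0.0.0 A record if anyone re-enables them; drop those rows rather than keep them as placeholders. The `TLD` field is never consulted when matching (the loop in the later hunk compares only `ip`), which is the limitation listed under Bugs/TODO, and the repeated `"nu"`, `"pw"` and `"tk"` rows are how several addresses per TLD are expressed, which a per-entry address list would make explicit. Typo in the comment: `currenlty`.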
@@ -298,6 +418,7 @@


DST_KEY *key;
int expect_cname;
int pass = 0;
+ int wasCaught = 0;

nameserIncr(from.sin_addr, nssRcvdR);
nsp[0] = NULL;
@@ -955,6 +1076,31 @@
type = dp->d_type;


if (i < ancount) {
/* Answer section. */

+ /* HACK to kill stupidity of Verisign and other TLDs.
+ * -- ach...@achurch.org
+ * -- vv...@hotmail.com
+ * -- hetz...@westbend.net
+ */
+ if (type == ns_t_a ) {
+ struct ip_to_kill_s *v;
+ for (v = ip_to_kill; v->TLD && (validanswer != 0); v++) {
+ if (memcmp(dp->d_data, v->ip, 4) == 0) {
+ ns_info(ns_log_resp_checks,
+ "bad referral (%s wild card) (%s !< %s) from %s",
+ v->TLD,
+ name[0] ? name : ".",
+ qp->q_domain[0] ?
+ qp->q_domain : ".",
+ sin_ntoa(from));


+
+ db_detach(&dp);
+ wasCaught = 1;
+ break;
+ }
+ }

+ if (wasCaught == 1)
+ break;


+ }
/*
* Check for attempts to overflow the buffer in
* getnameanswer.
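Review bot: the loop condition `v->TLD && (validanswer != 0)` silently stops scanning once an earlier check has cleared `validanswer`, which is probably intended but deserves a comment. The `ns_info` text says "bad referral" for what is an answer-section A record, which will mislead anyone reading the logs, and the `TLD` it reports is the first table row with that address (com for a .net name), exactly the TODO in the post; comparing the last label of `name` with `v->TLD` before the `memcmp` would fix both. After a match the second `break` exits the outer loop too, so the rest of the response is not processed.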

@@ -1213,6 +1359,47 @@
"resp: leaving NO: auth = %d", hp->aa);
goto return_msg;
}
+ }
+
+ if (wasCaught == 1) {
+ count = 0;
+ cname = 0;
+ founddata = 0;
+ dname = name;
+ newmsglen = MIN(EDNS_MESSAGE_SZ, msglen);
+ memcpy(newmsg, msg, newmsglen);
+ hp = (HEADER *) newmsg;
+ hp->qdcount = htons(1);
+ hp->ancount = htons(0);
+ hp->nscount = htons(0);
+ hp->arcount = htons(0);


+ hp->rcode = NXDOMAIN;

+ dnptrs[0] = newmsg;
+ dnptrs[1] = NULL;
+ cp = newmsg + HFIXEDSZ;
+ n = dn_expand(newmsg, newmsg + newmsglen, cp, dname, sizeof name);
+ if (n < 0) {
+ ns_debug(ns_log_default, 1, "dn_expand failed");
+ goto servfail;
+ }
+ if (!res_dnok(dname)) {
+ ns_debug(ns_log_default, 1, "bad name (%s)", dname);
+ goto servfail;
+ }
+ cp += n + QFIXEDSZ;
+ buflen = (qp->q_stream != NULL) ? NS_MAXMSG : MIN(EDNS_MESSAGE_SZ, qp->q_udpsize);
+ buflen -= (cp - newmsg);
+ /*
+ * Reserve space for TSIG / EDNS
+ */
+ if (qp->q_tsig != NULL)
+ buflen -= qp->q_tsig->tsig_size;
+ if ((qp->q_flags & Q_EDNS) != 0)
+ buflen -= 11;
+ if (!NS_OPTION_P(OPTION_NONAUTH_NXDOMAIN))
+ hp->aa = 1;
+ ns_debug(ns_log_default, 3, "resp: NXDOMAIN aa = %d", hp->aa);
+ goto return_newmsg;
}

/*
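Review bot: this block duplicates the NXDOMAIN synthesis from Braun's patch, with its limits: `hp->nscount = htons(0)` means no SOA is sent, so downstream resolvers cannot negatively cache the reply, and `hp->aa = 1` asserts authority for a synthesized answer. The added `}` at the top of the hunk closes a block whose opening is outside the visible context, so brace balance cannot be confirmed from the diff alone; more context lines would help reviewers of both 8.3.6 and 8.4.1.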
