Starting in BIND 9.2.2P1, there is a new zone type called delegation-only. It is designed to counter wildcard records in TLDs, such as *.com. This is sometimes called the “Verisign patch” because, while Verisign was not the first TLD operator to create such a wildcard record, their creation of *.com and the SiteFinder service are what prompted ISC to add this feature to the BIND name server.
What this means is that a zone that relies on a wildcard can have that wildcard effectively neutralized: a resolver that marks the zone delegation-only accepts only referrals (and records at the zone apex) from that zone's servers, and turns any other answer into NXDOMAIN.
You add something like the following to named.conf. Check each TLD before copying the list, though: ISC's documentation notes that some TLDs (DE, LV, US and MUSEUM among them) are not delegation-only, so an entry such as the "museum" one below can break legitimate names in that TLD.
zone "." { type delegation-only; };
zone "ac" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "com" { type delegation-only; };
zone "cx" { type delegation-only; };
zone "mp" { type delegation-only; };
zone "museum" { type delegation-only; };
zone "net" { type delegation-only; };
zone "nu" { type delegation-only; };
zone "ph" { type delegation-only; };
zone "pw" { type delegation-only; };
zone "sh" { type delegation-only; };
zone "td" { type delegation-only; };
zone "tk" { type delegation-only; };
zone "tm" { type delegation-only; };
zone "ws" { type delegation-only; };
Before – a random lookup for a non-existent host in the domain returns a legitimate-looking IP address when it should have been NXDOMAIN. Note where the wildcard answer comes from: sitefinder.com's own name servers (ns1/ns2.dsredirection.com), not the .com servers. The .com servers only hand out a referral for sitefinder.com, which is exactly what delegation-only permits, so marking "com" delegation-only on its own does not change this answer.
$ dig wwpfowerewrewr234dsew-0.sitefinder.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc15 <<>> wwpfowerewrewr234dsew-0.sitefinder.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;wwpfowerewrewr234dsew-0.sitefinder.com. IN A

;; ANSWER SECTION:
wwpfowerewrewr234dsew-0.sitefinder.com. 3600 IN A 208.73.210.29

;; AUTHORITY SECTION:
sitefinder.com. 172791 IN NS ns2.dsredirection.com.
sitefinder.com. 172791 IN NS ns1.dsredirection.com.

;; ADDITIONAL SECTION:
ns1.dsredirection.com. 172791 IN A 204.13.160.145
ns2.dsredirection.com. 172791 IN A 204.13.161.145

;; Query time: 1088 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 6 23:52:54 2012
;; MSG SIZE rcvd: 154
After – with sitefinder.com itself declared delegation-only (the extra zone statement at the end of this post), the same query returns NXDOMAIN:
$ dig wwpfowerewrewr234dsew-0.sitefinder.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.2.rc1.fc15 <<>> wwpfowerewrewr234dsew-0.sitefinder.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56632
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wwpfowerewrewr234dsew-0.sitefinder.com. IN A

;; Query time: 1768 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 6 23:5
As a test, I also added
zone "sitefinder.com" { type delegation-only; };
This effectively black-holes the sitefinder.com domain: every name below the apex now returns NXDOMAIN, legitimate hosts included, because the sitefinder.com servers answer with records rather than referrals. ISC's documentation says delegation-only is meant for infrastructure zones (COM, NET, ORG and the like) and should not be applied to leaf zones, so treat this as a demonstration of the mechanism rather than a recommended configuration.
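To make the behaviour described above concrete (the delegation-only rule itself, and why marking "com" delegation-only leaves a wildcard inside sitefinder.com untouched while marking sitefinder.com delegation-only black-holes it), here is a small model of the rule with a scripted iterative resolver. This is an added example written for this post, not ISC's code and not a reproduction of BIND's internals; the three authoritative servers are constructed, the .com wildcard address 192.0.2.1 is a documentation address standing in for SiteFinder, and the sitefinder.com wildcard address 208.73.210.29 is taken from the dig output above.

```python
"""Simplified model of BIND's delegation-only rule (added example; not ISC's code).

A resolver that marks a zone delegation-only accepts, from that zone's servers,
only referrals and records at the zone apex; any other answer becomes NXDOMAIN.
The scripted servers below are constructed for the example: the .com wildcard
address 192.0.2.1 is a documentation address, the sitefinder.com wildcard
address 208.73.210.29 is the one from the dig output in the post.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class RR:
    name: str    # owner name without trailing dot; "" is the root
    rtype: str
    rdata: str


@dataclass
class Response:
    qname: str
    aa: bool                          # authoritative-answer flag
    rcode: str = "NOERROR"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def in_zone(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it ("" is the root)."""
    return zone == "" or name == zone or name.endswith("." + zone)


def referral_target(resp: Response, served_zone: str) -> Optional[str]:
    """Child zone a referral delegates to, or None if the response is not a referral."""
    if resp.aa or resp.answer:
        return None
    for rr in resp.authority:
        if rr.rtype == "NS" and rr.name != served_zone and in_zone(rr.name, served_zone):
            return rr.name
    return None


def delegation_only_filter(resp: Response, served_zone: str,
                           delegation_only: Set[str]) -> Response:
    """Apply the delegation-only rule to a response from served_zone's servers."""
    if served_zone not in delegation_only:
        return resp
    if resp.qname == served_zone:            # apex records are exempt
        return resp
    if referral_target(resp, served_zone) is not None:
        return resp
    return Response(qname=resp.qname, aa=False, rcode="NXDOMAIN")


ServerFn = Callable[[str], Response]   # authoritative server for one zone: qname -> Response


def resolve(qname: str, servers: Dict[str, ServerFn],
            delegation_only: Set[str], max_hops: int = 8) -> Tuple[str, List[str]]:
    """Iterative A lookup from the root, applying the rule at every hop.
    Returns (rcode, list of A rdata)."""
    zone = ""
    for _ in range(max_hops):
        resp = delegation_only_filter(servers[zone](qname), zone, delegation_only)
        if resp.rcode != "NOERROR":
            return resp.rcode, []
        child = referral_target(resp, zone)
        if child is not None:
            zone = child
            continue
        return resp.rcode, [rr.rdata for rr in resp.answer if rr.rtype == "A"]
    raise RuntimeError("too many referrals while resolving %s" % qname)


# --- constructed authoritative servers (example data, not real zone contents) ---

def root_server(qname: str) -> Response:
    if in_zone(qname, "com"):
        return Response(qname, aa=False, authority=[RR("com", "NS", "a.gtld-servers.net")])
    return Response(qname, aa=True, rcode="NXDOMAIN",
                    authority=[RR("", "SOA", "a.root-servers.net")])


def com_server(qname: str) -> Response:
    if in_zone(qname, "sitefinder.com"):      # ordinary delegation to the child zone
        return Response(qname, aa=False, authority=[
            RR("sitefinder.com", "NS", "ns1.dsredirection.com"),
            RR("sitefinder.com", "NS", "ns2.dsredirection.com")])
    if qname == "com":                        # apex: no A record, NODATA
        return Response(qname, aa=True, authority=[RR("com", "SOA", "a.gtld-servers.net")])
    # constructed SiteFinder-style wildcard: every other name under com "exists"
    return Response(qname, aa=True, answer=[RR(qname, "A", "192.0.2.1")])


def sitefinder_server(qname: str) -> Response:
    # the child zone's own wildcard, mirroring the dig output in the post
    return Response(qname, aa=True, answer=[RR(qname, "A", "208.73.210.29")])


SERVERS: Dict[str, ServerFn] = {"": root_server, "com": com_server,
                                "sitefinder.com": sitefinder_server}

if __name__ == "__main__":
    host = "wwpfowerewrewr234dsew-0.sitefinder.com"
    for zones in ({"", "com"}, {"", "com", "sitefinder.com"}):
        print(sorted(zones), resolve(host, SERVERS, zones))
    print("nonexistent.com with com delegation-only:",
          resolve("nonexistent.com", SERVERS, {"com"}))
```

Running it shows the three outcomes from the post side by side: with only "." and "com" delegation-only the sitefinder.com wildcard still answers, because the .com servers returned a referral and the wildcard came from the child zone; adding sitefinder.com turns every name below its apex into NXDOMAIN while the apex itself still resolves; and a wildcard served directly by the "com" servers is the case the zone type was built for and is suppressed.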