Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Internet Your Rights Online

Blocking SiteFinder Service 38

apankrat writes "Given VeriSign's position on wildcard redirection service, it looks like it's time for a simplier and more efficient ways of bringing things back to where they were. For those running BIND there is a patch; for those on the client side - there is a dnsfix for Windows and the usual iptables hackery under Linux. Aware of any other clean and easy ways to block wildcarding ? Post below."
This discussion has been archived. No new comments can be posted.

Blocking SiteFinder Service

Comments Filter:
  • I blocked the sitefinder with PF on my firewall. Not very elegant but it worked. Wildcard domains still resolve, but I don't get that stupid sitefinder thing anymore.

    I will be doing the BIND patch later when I have more time.

    ps: go vote at the new site as the petitiononline site was killed by the previous /.ing: http://www.whois.sc/verisign-dns/
    • In theory you're blocking packets to Verisign to prevent them from getting advertising revenue from you or your customers if you're a provider. While you do this with good intentions, your actions actually create more serious problems. What this actually does is cause mail to pile up in your mail queue. The domains still resolve to 64.94.110.11 and your MTA still tries to send mail to that address. If you REJECT the packets your MTA will queue the message and retry. If you DROP the MTA will have to wai
  • dnsmasq has a fix (Score:5, Informative)

    by hummassa ( 157160 ) on Wednesday September 24, 2003 @01:14PM (#7046615) Homepage Journal
    here [thekelleys.org.uk].
    version 1.16 is ok.
    others have fixes, too, you can find them in this place [imperialviolet.org].

    hope I have helped,
  • I agree! (Score:3, Funny)

    by orthogonal ( 588627 ) on Wednesday September 24, 2003 @01:15PM (#7046639) Journal
    it looks like it's time for a simplier and more efficient ways

    And it looks like it's time for a simplier and more efficient way to spell-check submitted articles.
  • by lightspawn ( 155347 ) on Wednesday September 24, 2003 @01:16PM (#7046651) Homepage
    how do I go about explaining to my ISP that this needs to be blocked?
    • Call customer service. I'm sure they can direct you to a feedback voice mailbox that they'll never listen to ;)
    • Hmmm, setup your own DNS server? I know that BIND 8 had releases and builds for Win32, I haven't played with DNS on Win32 since BIND 9 came out. If you are run anything that even approximates a UNIX-like OS, BIND should run on it without problems. I have a Cox Cable modem, and there DNS servers used to be pathetic, so I just setup my own caching only nameserver, and have never been happier about it.

      Thanks,

      Kirby

      • Setting up my own DNS server would only solve the problem for me, not for other Cox Cable customers.
        • Yeah, but in the end, I'm really only worried about getting it fixed for me. I figure they know about it, and they will solve it if they want to (I fixed my own DNS a year ago, just because Cox's DNS was constantly giving me problems)... :-)

          I see your point. Call their support line, e-mail their abuse, or customer support address. Switch up providers if you can, saying that one of the reasons is you don't appreciate them not being receptive to solving this problem for their customers.

          Kirby

  • by southern ( 22565 ) on Wednesday September 24, 2003 @01:18PM (#7046678) Homepage
    I added this to my FORWARD rule on the Firewall:

    iptables -A blocked_sites -p TCP -d 64.94.110.11 -j REJECT --reject-with icmp-host-unreachable

    Will be doing the DNS patch soon. But this works for now.
    • ipfw (Score:2, Informative)

      by mapinguari ( 110030 )
      For those of us with ipfw:
      ipfw add reject ip from any to 64.94.110.11
      That turns expected 404's into 503's.
  • Block it? (Score:3, Funny)

    by MarkusQ ( 450076 ) on Wednesday September 24, 2003 @01:28PM (#7046832) Journal
    Block it? I'm looking for clever ways to jape [die.net] it! I mean, it seems reasonable to assume they will be mining the data at some point...

    -- MarkusQ

  • by coyote4til7 ( 189857 ) on Wednesday September 24, 2003 @01:33PM (#7046897) Homepage
    The way I've dealt with it under both XP & OS X is to modify etc/hosts.

    Under OS X, Solaris, Linux, etc., it's "/etc/hosts". Under Windows XP, it's "C:\Windows\system32\drivers\etc\hosts"

    In either case, add this to the end of the file:
    0.0.0.0 sitefinder.verisign.com

    Wah-lah!
  • by graf0z ( 464763 ) on Wednesday September 24, 2003 @02:00PM (#7047207)
    ... because then mails to mistyped domains will end up waiting in MTA-queues instead of being bounced immediately (some other protocols may have weird behaviour, too). Instead:
    • Read this [boulder.co.us] and this [iab.org] before you panic
    • ask your ISP for patching bind (or whatever ns-software they use)
    • install a patched bind (djbdns, ...) locally as a caching dns
    • if you have no chance of using a patched nameserver (why that?), you may reject (not: drop) 64.94.110.11:80/tcp only and install one of those patches to your MTA (postfix, sendmail, ...)
    • if you are customer of verisign, ask them for suspending their new "service"
    /graf0z.
    • by Anonymous Coward
      Err .. blocking is not exactly what BIND patch and dnsfix do. They actually let DNS packets through, but mangle them in transition, which makes it look as if there were no SiteFinder at the backend .. just a regular DNS server, which all my spam filters like so much :)
  • Verisign switched from their buggy, not SMTP-compliant mailrejector "Snubby Mail Rejector Daemon v1.3" on 64.94.110.11 towards postfix (according to the banner)?

    $ telnet oauwnxtrgqoiezrfgnxocrzq.net 25
    Trying 64.94.110.11...
    Connected to oauwnxtrgqoiezrfgnxocrzq.net.
    Escape character is '^]'.
    220 sitefinder.verisign.com VeriSign mail rejector (Postfix)

    At least, they are now able to bounce properly ...

    /graf0z.
  • Boy, that article really sticks it to Verisign. What the fuck were they thinking? You don't go and mess with a fundamental error behavior in something as critical as DNS. I've heard of corporate greed, but this is just unacceptible.

    The only concern I have with ISC's fix to BIND is that they just filter for that one IP address (64.94.110.11)... all Verisign has to do is change the IP in their wildcard A-record and we'll be back to square one.

    I hope more people bring lawsuits against Verisign and that Veris
    • by graf0z ( 464763 ) on Wednesday September 24, 2003 @02:45PM (#7047707)
      The only concern I have with ISC's fix to BIND is that they just filter for that one IP address (64.94.110.11)... all Verisign has to do is change the IP in their wildcard A-record and we'll be back to square one.

      wrong

      You are talking about one of those on-the-fly patches released by some pissed-of admin on the same day. The ISC-patch allows you to say "the following zone are only allowed to have delegations" (like NS-records), all other data (like A-records) are ignored. That's exactly the behaviour You expect from a TLD.

      Of course verisign could get around that (by putting a windcard NS-record into their TLDs), but that would be really offensive. Let's see if they will go that far ...

      /graf0z.

    • Ignoring the technical error (IP vs. delegation), which has already been addressed, I'll skip to
      "I hope more people bring lawsuits against Verisign"

      Boycott google.

      Yup, you heard what I said - boycott google.

      Why? Because then google might do their best to sit on this new "getting people to the right web-pages" service over which they used to probably have the de-facto monopoly.

      Google are a business, they're in it for profit, and they're big. Make verisign hurt them, see them lash back.

      YAW.
    • They've already changed it, or so it appears to me... NOW when I ping sitefinder.verisign.com I get 12.158.80.10.

      Bastards.

  • by asackett ( 161377 ) on Wednesday September 24, 2003 @04:28PM (#7048904) Homepage
    Here [tinydns.org] is a site linking to a patch for dnscache users. I'd prefer a hack along the lines of what [groan] ISC has implemented, but if verislime were to delegate and then spoof, ISC's hack would stop working, while the dnscache patch would simply require a bit of administwiddling and then keep right on working.

    Patch 'em up and move 'em out...

  • Block via Squid (Score:3, Informative)

    by fallacy ( 302261 ) on Wednesday September 24, 2003 @05:52PM (#7049731)
    Which should mean that mail etc. will be unaffected.

    acl verisign dst 64.94.110.11
    http_access deny verisign
  • i am totaly against this site finder &#@*&# here is what i did.. i added a static route for ip 12.158.80.10 with my PC IP address as the gateway. this will simply create a timeout when ever your pc tries to access 12.158.80.10 .. might not be the best solution for the problem but since i have no control over my dns this was a simply and easy trick.
    • continue... in WINdows you can simply do a route add 12.158.80.10 YOUR_PC_IP METRIC n IF n you wont be able to put a gateway to a differnt metric or controler but there is always a route that sets your ip address pointing to your IP address which is the same Metric and IF for route 0.0.0.0 so use that Metric and IF when you add this route.
  • On my windows network I mistyped a name to a network share, and got a username/password required to access this resource prompt. Now I find that Verisign can intercept all traffic to mistypedhost.mycompany.com, they must be intercepting a godawful lot of awfully tasty traffic.
  • Interesting discussion tonight with Verisign/Network solution supprot line (Worldwide: +1-703-742-0914 then 2 then 7). I was complaining that while trying to reach my own mydomain.com (true name replaced here) I did a mistake and was drag to sitefinder.verisign.com and that i didn'' agree with that. The man then went straight to tell me that I should buy misplling variants of my domain name !!! I couldn't believe my ears ! I regret I hadn't a lawer to record the conversation ... The man just agreed finaly
  • I had blocked the Sitefinder service on my firewall by IP address for good measure, but it appeared that ComCast had already blocked it for me too...

    Until yesterday that is. I typoed a domain name and was suddenly looking at the damned Sitefinder page again.

    I pinged the web address of the Sitefinder page and I was getting a different IP address than before. They either moved the damnable thing or they've started playing musical chairs to try to force it past people's barricades. I'm now seeing it at

  • These people aren't just redirecting domains.
    I leave the . in the .com out of my domain and get to sitefinder! they have stolen my domain!

    yea, that
    "Copyright(C) 2003 VeriSign, Inc. All Rights Reserved"
    they have at the bottom of the sitefinder page.
    No, im not respecting their copyright. Gonna download that page, then mirror it on my page, then distribute it all over kazaa and overnet...

    Oh yes, does anyone here mind if we /. them too?
    DDoS verisign?
    Make it a sign of protest.
    Hopefully they will learn to stop

Almost anything derogatory you could say about today's software design would be accurate. -- K.E. Iverson

Working...