The other day I wished for a patched DnsMasq to block Verisign. Pleased to say it works!
The docs aren't very prescriptive and the new verisign-blocker isn't documented at all, so here's what I did.

1. If you're running Woody or Sid, you'll have dhcp-client. DnsMasq recommends resolvconf, and dhcp3-client or dhcpcd or ... It's a whole kettle of fish.

2. So, to keep it simple, I patched /etc/dhclient-script:

--- dhclient-script.orig 2003-09-18 22:58:20.000000000 -0700 +++ /etc/dhclient-script 2003-09-18 23:09:11.000000000 -0700 @@ -33,10 +33,12 @@ } make_resolv_conf() { + echo search $new_domain_name >/etc/resolv-up.conf echo search $new_domain_name >/etc/resolv.conf for nameserver in $new_domain_name_servers; do - echo nameserver $nameserver >>/etc/resolv.conf + echo nameserver $nameserver >>/etc/resolv-up.conf done + echo nameserver 127.0.0.1 >>/etc/resolv.conf }

3. Then I patched /etc/dnsmasq.conf:

--- dnsmasq.conf.orig 2003-09-18 23:05:47.000000000 -0700 +++ /etc/dnsmasq.conf 2003-09-18 23:22:10.000000000 -0700 @@ -12,12 +12,15 @@ # to the name of the host running dnsmasq. #mx-host= #mx-target= -#selfmx +selfmx #localmx +filterwin2k +bogus-nxdomain=64.94.110.11 +bogus-priv # Change this line if you want dns to get its upstream servers from # somewhere other that /etc/resolv.conf -#resolv-file= +resolv-file=/etc/resolv-up.conf # Add other name servers here, with domain specs if they are for # non-public domains. @@ -40,7 +43,7 @@ # If you want dnsmasq to listen for requests on only one interface # (and the loopback) give the name of the interface (eg eth0) here -#interface= +interface=lo # Change these if you want dnsmasq to cache any "hostname" # or "client-hostname" from a dhcpd's lease file
@@ -51,7 +54,7 @@ #domain-suffix= # Set the cachesize here. -#cache-size=600 +cache-size=600 # Normally responses which come fomr /etc/hosts and the DHCP lease # file have Time-To-Live set as zero, which conventionally means

---------------------------------

I have some tweaker-scripts that I run after a fresh install. First I patch dhclient-script, down/up eth0, patch dnsmasq.conf, and restart dnsmasq.

----

Thought I'd share what I figured out with anybody else who wants to block the Verisign in "the simplest way possible". I'm sure most experts are running more sophisticated solutions -- but I like simple solutions. Comments?

-Tom
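
Review bot: In the make_resolv_conf() hunk of /etc/dhclient-script, /etc/resolv.conf is left with 127.0.0.1 as its only nameserver, so every lookup on the host fails whenever dnsmasq is stopped or fails to start, and nothing in the script checks for that. If that trade-off is intended, say so in a comment above the new "echo nameserver 127.0.0.1" line. The added "echo search $new_domain_name >/etc/resolv-up.conf" line also repeats the existing pattern of expanding DHCP-supplied values unquoted and writes a bare "search" line when the server sends no domain name; quote the expansions and skip the search line when $new_domain_name is empty.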
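
Review bot: In the first /etc/dnsmasq.conf hunk (@@ -12,12 +12,15 @@), the added lines filterwin2k, bogus-nxdomain=64.94.110.11 and bogus-priv go in without any comment, in a file where every other option has one, and they land directly under the MX settings they are unrelated to. Only bogus-nxdomain=64.94.110.11 is the Verisign block, and it matches one hard-coded address, so it stops working without any error if the wildcard starts answering from a different address. Add a comment line above it stating what the address is and when it was observed. Enabling selfmx, filterwin2k and bogus-priv changes behavior that has nothing to do with the stated goal; either drop them from this patch or mention them in the description so anyone applying it knows they are getting more than the block.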