On 12-07-07 10:13 PM, Jason Duerstock wrote:
> As an intellectual exercise, I think this is interesting and worth the
> effort. As an actual implementation, I think it's more effective to block
> DNS traffic to the affected subnets. Let the breakage occur, and then let
> the end users get their broken machines fixed rather than let them continue
> hobbling along with this hack in place.
> Jason
Agreed, fixing the problem > patching the problem.
Some other ideas -
* Assuming you're running the nameserver under Linux, an iptables rule
  would remove the need to have all the IP addresses added:
  iptables -I PREROUTING -t nat -d $badblock/24 -s 0.0.0.0/0 -j DNAT --to your.local.ip.address
* bind should by default accept connections on all interfaces if you
don't tell it to bind to anything, unless behaviour has changed in
versions more recent than my last bind experience
* Having whatever nameserver you use return a single IP address for
everything you request, which points you to a single web page that
explains how to fix the problem can be good
* that single IP address can also run a POP3/IMAP server that accepts
  any username/password and dumps the user into a read-only mailbox
  with a single message saying "fix your infected PC"
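The "single IP address for everything" nameserver suggested above, written out as an added example (this is not code from the thread or from any of the tools mentioned in it). It is a minimal DNS sinkhole responder: every A query, whatever the name, gets one A record pointing at the sink address, so infected clients whose DNS traffic the DNAT rule redirects here land on the "fix your PC" page. The sink address 192.0.2.53 (TEST-NET-1), the function names, and the sample query are assumptions made for the example; it speaks only UDP and plain RFC 1035 wire format (no EDNS, no TCP fallback), and non-A queries get an empty NOERROR answer rather than NXDOMAIN so that resolvers do not cache a negative result against the sink.

```python
"""Minimal DNS sinkhole: answer every A query with one fixed IPv4 address.

Added example; not part of the original mailing-list thread.
"""
import socket
import struct

SINK_IP = "192.0.2.53"  # assumed: the local host serving the "fix your PC" page

# Header flag bits (RFC 1035 section 4.1.1)
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query (used here only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_name(packet, offset):
    """Return (dotted name, offset just past the name); follows 0xC0 compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into packet
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def sinkhole_response(query, sink_ip=SINK_IP, ttl=60):
    """Answer a single-question query. A/IN -> one A record for sink_ip; anything else -> empty NOERROR."""
    if len(query) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1 or flags & QR:
        raise ValueError("not a single-question query")
    _qname, off = parse_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    resp_flags = QR | AA | (flags & RD) | RA  # authoritative answer, RCODE 0
    answers, ancount = b"", 0
    if qtype == 1 and qclass == 1:
        # NAME is a pointer to the question name at offset 12; TYPE A, CLASS IN, TTL, RDLENGTH 4
        answers = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(sink_ip)
        ancount = 1
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return header + question + answers


def parse_answer_ips(response):
    """Return the IPv4 addresses of all A records in the answer section (for checking output)."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(response, off)
        off += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = parse_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(response[off:off + rdlen]))
        off += rdlen
    return ips


def serve(bind_addr="0.0.0.0", port=53):
    """Serve the sinkhole over UDP (binding port 53 needs root); malformed packets are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(sinkhole_response(data), peer)
        except (ValueError, IndexError, struct.error):
            continue


if __name__ == "__main__":
    # Offline demonstration with a constructed query; run serve() to actually listen.
    sample = build_query("www.example.com")
    print(parse_answer_ips(sinkhole_response(sample)))
```

Pair this with the DNAT rule from the message above and a web server on the sink address; the responder itself never forwards anything, so once a client's resolver settings are fixed the redirect stops matching and normal resolution resumes.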