Bind 8.4.1 patch for blocking Verisign's new wildcard DNS record

Clayton Braun vvarm at hotmail.com
Thu Sep 18 04:35:24 UTC 2003


Ok, here's a second attempt at a patch for V8.4.1.  This has undergone
some testing, enough that we're putting it into production
temporarily.  The troubles we're having from this wildcard stuff
outweigh the risk that this patch may not be kosher.  It returns an
NXDOMAIN response to downstream queries for upstream answers that
contained the 64.94.110.11 A record.  Obviously this is no good if
that IP address changes.  It's not meant to be a long term fix, and I
suggest serious caution and testing before you think of using it
yourself.  The intended purpose is to tide us over a few days until an
official v8 patch is released, or Verisign surrenders, etc.

Copy the patch text to a file (assume "patchfile")
untar the 8.4.1 source

bash-2.05# cd src
bash-2.05# patch < patchfile
  Looks like a normal diff.
File to patch: bin/named/ns_resp.c
done

310a311
>       int wasCaught = 0;
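Review bot: style only on `int wasCaught = 0;`: the flag records that the wildcard A record was matched, so a name such as `sawWildcardA` (and a plain `if (wasCaught)` test in the `1239a1253` hunk rather than `== 1`) would let the later branch read without hunting back for this declaration. Since the 64.94.110.11 address is the one thing the author expects to change, this is also the natural place to hoist the `catchIp` bytes out of the loop body into a single named constant, so there is exactly one line to edit when it does.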
973a975,985
>
>                       /* Beginning of anti-Verisign catch */
>                       char catchIp[] = { 64, 94, 110, 11 };
>                       if (type == ns_t_a && memcmp(dp->d_data, catchIp, 4) == 0)
>                       {
>                               db_detach(&dp);
>                               wasCaught = 1;
>                               break;
>                       }
>                       /* End of anti-Verisign catch - Golgi Group */
>
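Review bot: the compare at `memcmp(dp->d_data, catchIp, 4)` trusts that every `ns_t_a` datum carries exactly four bytes of rdata; guard it with `dp->d_size == 4` (INADDRSZ) so a short or oversized A record cannot make memcmp read past the datum. `char catchIp[]` should be `const u_char`: the four octets here are all below 128, but a signed `char` table silently changes meaning as soon as someone configures an address with an octet of 128 or more. Also note what `break` does: it abandons the rest of the answer section after the first hit, which suits the NXDOMAIN intent, but it means a reply whose question name does exist (a CNAME whose target resolves to the wildcard address) is also reported as NXDOMAIN, which is the wrong rcode for that name.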
1223a1236
>
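Review bot: `1223a1236` and `1277a1333` each add only an empty line; drop them from the patch so it stays minimal and does not fail on sources whose line numbers have drifted.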
1239a1253,1294
>       if(wasCaught == 1)
>         {
>               count = 0;
>               cname = 0;
>               founddata = 0;
>               dname = name;
>               newmsglen = MIN(EDNS_MESSAGE_SZ, msglen);
>               memcpy(newmsg, msg, newmsglen);
>               hp = (HEADER *) newmsg;
>               hp->qdcount = htons(1);
>               hp->ancount = htons(0);
>               hp->nscount = htons(0);
>               hp->arcount = htons(0);
>               hp->rcode = NXDOMAIN;
>               dnptrs[0] = newmsg;
>               dnptrs[1] = NULL;
>               cp = newmsg + HFIXEDSZ;
>               n = dn_expand(newmsg, newmsg + newmsglen, cp, dname, sizeof name);
>               if (n < 0) {
>                       ns_debug(ns_log_default, 1, "dn_expand failed");
>                       goto servfail;
>               }
>               if (!res_dnok(dname)) {
>                       ns_debug(ns_log_default, 1, "bad name (%s)", dname);
>                       goto servfail;
>                 }
>                 cp += n + QFIXEDSZ;
>                 buflen = (qp->q_stream != NULL) ? NS_MAXMSG : MIN(EDNS_MESSAGE_SZ, qp->q_udpsize);
>                 buflen -= (cp - newmsg);
>                 /*
>                * Reserve space for TSIG / EDNS
>                */
>               if (qp->q_tsig != NULL)
>                       buflen -=  qp->q_tsig->tsig_size;
>                 if ((qp->q_flags & Q_EDNS) != 0)
>                         buflen -= 11;
>               if (!NS_OPTION_P(OPTION_NONAUTH_NXDOMAIN))
>                       hp->aa = 1;
>               ns_debug(ns_log_default, 3, "resp: NXDOMAIN aa = %d", hp->aa);
>               goto return_newmsg;
>       }
>
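Review bot: the synthetic NXDOMAIN at `hp->rcode = NXDOMAIN;` goes out with no SOA record in the authority section, so downstream resolvers cannot negatively cache it under RFC 2308 and will repeat the lookup for every client hit; the message already says the patch is a stop-gap, but that cost belongs in the code comment. `hp->aa = 1` (unless OPTION_NONAUTH_NXDOMAIN) copies the existing NXDOMAIN path, yet here this server is asserting authority for a name in a zone it does not serve; leaving `aa` clear is the honest answer. Double-check `dn_expand(newmsg, newmsg + newmsglen, cp, dname, sizeof name)`: `dname` aliases `name`, and the size argument is only right if `name` is an array in this scope rather than a pointer. Finally, the block mixes tabs and spaces (from the `}` closing the `res_dnok` test through `buflen -= 11;`), which makes the indentation inconsistent with the surrounding lines of the same hunk.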
1277a1333
>

Feel free to email me with questions.
Clay
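The mechanism the patch implements, as a stand-alone added example that is not part of Clay's patch or of BIND: a filter that parses a wire-format DNS reply, looks for an A record with a configured address in the answer section, and rewrites the reply into a question-only NXDOMAIN the way the `1239a1253` hunk does. The sample reply bytes and the name `nosuchname.net` are constructed for the example; the 64.94.110.11 address is the one from this thread. Unlike the patch it checks the A record's rdlength before comparing, and it clears AA rather than setting it.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not BIND code: turn a reply whose answer section carries
 * the configured A record into a question-only NXDOMAIN. */

#define HFIXEDSZ 12        /* DNS header size */
#define QFIXEDSZ 4         /* QTYPE + QCLASS */
#define NS_T_A   1
#define RCODE_NXDOMAIN 3

/* Address from the thread: the wildcard A record being filtered. */
const unsigned char WILDCARD_IP[4] = { 64, 94, 110, 11 };

/* Step past a possibly compressed name at msg[off]; returns the offset of the
 * first byte after it, or -1 on malformed input. */
static long skip_name(const unsigned char *msg, size_t len, size_t off)
{
    while (off < len) {
        unsigned char c = msg[off];
        if (c == 0)
            return (long)off + 1;                 /* root label ends the name */
        if ((c & 0xC0) == 0xC0)                   /* compression pointer: 2 bytes */
            return (off + 1 < len) ? (long)off + 2 : -1;
        if (c & 0xC0)
            return -1;                            /* reserved label types */
        off += 1 + c;                             /* ordinary label */
    }
    return -1;
}

/* Skip the question section; returns the offset of the first answer RR or -1. */
static long skip_questions(const unsigned char *msg, size_t len)
{
    if (len < HFIXEDSZ) return -1;
    unsigned qd = (msg[4] << 8) | msg[5];
    long off = HFIXEDSZ;
    for (unsigned i = 0; i < qd; i++) {
        off = skip_name(msg, len, (size_t)off);
        if (off < 0 || (size_t)off + QFIXEDSZ > len) return -1;
        off += QFIXEDSZ;
    }
    return off;
}

/* 1 if the answer section holds an A record whose rdata equals ip, 0 if not,
 * -1 if the message is malformed. Requires rdlength == 4 before comparing. */
int answer_has_a(const unsigned char *msg, size_t len, const unsigned char ip[4])
{
    long off = skip_questions(msg, len);
    if (off < 0) return -1;
    unsigned an = (msg[6] << 8) | msg[7];
    for (unsigned i = 0; i < an; i++) {
        off = skip_name(msg, len, (size_t)off);
        if (off < 0 || (size_t)off + 10 > len) return -1;   /* type,class,ttl,rdlen */
        unsigned type  = (msg[off] << 8) | msg[off + 1];
        unsigned rdlen = (msg[off + 8] << 8) | msg[off + 9];
        off += 10;
        if ((size_t)off + rdlen > len) return -1;
        if (type == NS_T_A && rdlen == 4 && memcmp(msg + off, ip, 4) == 0)
            return 1;
        off += rdlen;
    }
    return 0;
}

/* Rewrite msg in place into a minimal NXDOMAIN: header + question only,
 * RCODE=3, AA cleared (this server is not authoritative for the name),
 * all RR counts zero. Returns the new length, or -1 if malformed. */
long rewrite_as_nxdomain(unsigned char *msg, size_t len)
{
    long end = skip_questions(msg, len);
    if (end < 0) return -1;
    msg[2] = (unsigned char)(msg[2] & ~0x04);                    /* clear AA */
    msg[3] = (unsigned char)((msg[3] & 0xF0) | RCODE_NXDOMAIN);  /* keep RA/Z */
    memset(msg + 6, 0, 6);                     /* ancount, nscount, arcount */
    return end;
}

/* Filter entry point: returns the (possibly shortened) length of msg,
 * or -1 if the message could not be parsed. */
long filter_response(unsigned char *msg, size_t len, const unsigned char ip[4])
{
    int hit = answer_has_a(msg, len, ip);
    if (hit < 0) return -1;
    return hit ? rewrite_as_nxdomain(msg, len) : (long)len;
}

/* Constructed sample reply (not a capture): QR/RD/RA set, one question for
 * the made-up name nosuchname.net, one A answer with the given rdata whose
 * owner name is a compression pointer back to the question name. */
size_t build_sample_response(unsigned char *buf, const unsigned char ip[4])
{
    static const unsigned char fixed[] = {
        0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,
        10, 'n','o','s','u','c','h','n','a','m','e', 3, 'n','e','t', 0,
        0, 1, 0, 1,
        0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10, 0, 4
    };
    memcpy(buf, fixed, sizeof fixed);
    memcpy(buf + sizeof fixed, ip, 4);
    return sizeof fixed + 4;
}

int main(void)
{
    unsigned char buf[512];
    size_t n = build_sample_response(buf, WILDCARD_IP);
    long m = filter_response(buf, n, WILDCARD_IP);
    printf("reply of %zu bytes -> %ld bytes, rcode %d, ancount %d\n",
           n, m, buf[3] & 0x0F, (buf[6] << 8) | buf[7]);
    return 0;
}
```

The rewritten reply has the same two limitations as the patch: it carries no SOA, so a downstream resolver cannot negatively cache it (RFC 2308) and will ask again on every hit, and it does not special-case a reply whose question name exists as a CNAME pointing at the wildcard address.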

vvarm at hotmail.com (Clayton Braun) wrote in message news:<bka2i1$17df$1 at sf1.isc.org>...
> gnews at stereo.lu (Guillaume Rischard) wrote in message news:<bk7hdt$1m8q$1 at sf1.isc.org>...
> > Hello,
> > 
> > Andrew Church has published an untested patch at 
> > http://achurch.org/bind-verisign-patch.html . Here is what he writes:
> > 
> > > BIND 8 patch for Verisign stupidity
> > > 
> > > This page provides a patch to BIND 8 to ignore the wildcard A record
> > > Verisign is now returning for unregistered .com/.net domains.  It was
> > > cooked up over 10 minutes of pure anger and has not been properly
> > > tested; it would be better to be able to specify which IPs to ignore in
> > > the configuration file.  Suggestions or improved patches are very
> > > much welcomed.  
> > > 
> > > This patch was made against BIND 8.4.1.
> > 
> > Here is the actual patch:
> > 
> > ---cut here---
> > 
> > --- src/bin/named/ns_resp.c.old	2003-05-30 20:52:14 +0900
> > +++ src/bin/named/ns_resp.c	2003-09-16 12:09:30 +0900
> > @@ -971,6 +971,15 @@
> >  */
> >  		if (i < ancount) {
> >  			/* Answer section. */
> > +			/* HACK to kill Verisign stupidity
> > +			 *   --achurch at achurch.org */
> > +			char IP_TO_KILL[] = {64,94,110,11};
> > +			if (type == ns_t_a
> > +			 && memcmp(dp->d_data, IP_TO_KILL, 4) == 0
> > +			) {
> > +				validanswer = 0;
> > +				continue;
> > +			}
> >  			/*
> >  			 * Check for attempts to overflow the buffer in
> >  			 * getnameanswer.
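Review bot: `continue` leaves the loop body early, so `dp` is never released on the filtered path; the 8.4.1 patch at the top of this message calls `db_detach(&dp)` before leaving the loop, which suggests this hunk should do the same or the datum is leaked on every filtered answer. `validanswer = 0` also does not by itself produce the Host-not-found answer the original question asked for: the remaining records of the reply still flow through the loop, and whatever `validanswer == 0` triggers afterwards needs checking against that intent. As with the other patch, `char IP_TO_KILL[]` should be `const u_char`, and the hard-coded address belongs in the configuration file, as the author himself notes.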
> > 
> > ---cut here---
> > 
> > Cheers,
> > 
> > Guillaume
> > 
> > "Christopher X. Candreva" <chris at westnet.com> wrote in message news:<bk5ek8$2vuh$1 at sf1.isc.org>...
> > > Verisign is now returning a wildcard record for any unregistered .net
> > > domain, with .com soon to follow.  This is to redirect all such requests to
> > > their own search site.
> > > 
> > > Now, the IP they are returning currently is 64.94.110.11. It just occurred
> > > to me, is it possible to configure bind such that any lookup that returns
> > > that IP returns Host not found  instead ?
> > > 
> > > If Verisign is determined to break DNS, perhaps we can break it back ?
> 
> In a previous post (if it makes it here) I suggested another patch
> that provides an NXDOMAIN response.  DO NOT USE that patch, it does
> not return a properly formatted NXDOMAIN response.  I would wait for
> someone to come out with a cleaner solution, and I'll be working on
> one myself.

