Perhaps it is time for resolver libraries to have the ability to equate
certain IP addresses with NXDOMAIN. At least that way we can recognize
that it is happening and fix our own servers on am individual basis.
Sort of a DNS blacklist.
In article <200711051726.lA5HQpft019903@larry.centergate.com> you write:
I just wish the IETF would acknowledge this and go ahead and define a
DNS bit for artificial DNS answers for all these "address correction" and
"domain parking" and "domain tasting" people to use for their keen
"Web 2.0" ideas.Yes, let's let the IETF go off for 7 years to debate and try to put
into an RFC something else that won't actually be used. Sorry Sean,
you've lost me on this one.John
You already have the bits for SE (and other signed
infrastructure zones) that allow you to detect when this
sort of garbage is pulled. All you have to do is deploy
a DNSSEC aware resolver.
Mark
Just recently in NYC, the hotel "internet" connection did intercept any UDP traffic to *:53, redirecting it to their resolver. Which did not only serve their own A records for names that should have returned NXDOMAIN, but also returned "better" answers than you normally would get (requesting pages from www.weather.com delivered pages from www.accuweather.com). Of course it even did that after I had paid and clicked through their walled garden site.
Stefan
I believe it's been said here many times before, but when in public venues,
the only way to be sure about anything in regards to traffic filtering and
manipulation is to VPN into your corporate network and bypass all that.
Unfortuanately, it makes streaming the latest episode of Heroes a little
jerky.
Frank