Blocking Verisign?

Matt

Has anyone figured out a way to block or fix Verisign's blunder with DNS
for *.com and *.net on Microsoft DNS servers? Basically I want my DNS
to continue to return an NX record when the domain doesn't exist.

~ Matt
 
Until MS comes out with a patch, the only way right now is to forward to a
BIND server that has the P1 patch and configure the config file accordingly.
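What "configure the config file accordingly" looks like on the BIND side, as an added illustration that is not part of this reply: the -P1 patches (and BIND 9.2.3) add a delegation-only zone type. Declaring com and net that way makes BIND return NXDOMAIN whenever the TLD servers hand back data for a name they have not delegated, which is exactly what the Verisign wildcard does. The listen address and the internal network below are placeholders; the named.conf syntax is from memory of the patched releases, not quoted from the thread.

```conf
// named.conf on the patched BIND host (addresses are placeholders)
options {
    directory "/var/named";
    listen-on { 192.168.5.53; };          // address the Windows DNS server forwards to
    recursion yes;
    allow-recursion { 192.168.5.0/24; };  // only internal resolvers may recurse through it
};

zone "." {
    type hint;
    file "named.root";
};

// Any answer from the com/net servers that is not a delegation is treated as NXDOMAIN
zone "com" { type delegation-only; };
zone "net" { type delegation-only; };
```

On the Windows side, set the Microsoft DNS server's forwarder to the BIND host (Forwarders tab in the DNS console), flush the server and client caches, and retest a name you know does not exist. Only declare delegation-only for TLDs that contain nothing but delegations; it is the wrong setting for a TLD that publishes real second-level records of its own.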
 
You actually think Microsoft will come out with a patch for this? I
highly doubt it.. but then.. you never know.....
This P1 patch you speak of.. what is it? I was not aware that BIND had
a workaround for Verisign's stupidity already.

~ Matt
 
We are a small company that uses DHCP but this Verisign
deal really screwed things up. I don't know if this is
the correct answer but I was able to solve this issue. I
currently run a W2K server with AD, DNS and DHCP on the
same server. I added the IP of my W2K server to my DHCP
DNS scope option and made sure it was first in the list.
Rebooted all machines and solved the issue for the time
being.

Bill
 
currently run a W2K server with AD, DNS and DHCP on the
same server. I added the IP of my W2K server to my DHCP
DNS scope option and made sure it was first in the list.
Rebooted all machines and solved the issue for the time

FYI - Your internal DNS server(s) should be the only ones in the list. If
you had ISP dns servers in there, you probably had many other rez issues.
Unfortunately, this does not fix the Verisign thing. If a client mistypes a
domain name in IE for example (and that domain does not exist) they will be
shown the Verisign page.
 
I tested playing around with making a *.com zone and a *.net zone. Then I
just created a blank host pointing to an unused IP on my subnet. That seems
to work and gives me the usual DNS error IE page. I'll play around a bit
and test it out some more to see if I want to keep it that way.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Not sure I understand Ace. Didn't you just do what Verisign has done? How
will you resolve anything in the .com zone that you are not authoritative for
(i.e. your INET rez)?

--
William Stacey, DNS MVP

"Ace Fekay [MVP]"
I tested playing around with making a *.com zone and a *.net zone. Then I
just created a blank host pointing to an unused IP on my subnet. That seems
to work and gives me the usual DNS error IE page. I'll play around a bit
and test it out some more to see if I want to keep it that way.

--
Regards,
Ace

--
=================================

William Stacey said:
FYI - Your internal DNS server(s) should be the only ones in the list. If
you had ISP dns servers in there, you probably had many other rez issues.
Unfortunately, this does not fix the Verisign thing. If a client
mistypes
 
Yes, I pretty much did the same thing. Just created a *.zone. It seems to be
resolving fine. Try it out. After you create it, clear the server cache,
clear the client cache, clear the browser cache, close the browser, and give
it a shot. Do some tests with nslookup with your server as the focus, etc.
Cool... if your tests mirror my tests and they pass, I guess then
we won't need a hotfix... unless I'm wrong about this...
:-)

--
Regards,
Ace

--
=================================

William Stacey said:
Not sure I understand Ace. Didn't you just do what Verisign has done? How
will you resolve anything in the .com zone that you are not authoritative for
(i.e. your INET rez)?
 
Sorry Ace, still did not follow. Are you saying create a "com" zone and add
a wildcard to some arbitrary IP? What do you mean by "*.zone" ? Cheers!
 
Until MS comes out with a patch, the only way right now is to forward
to a BIND server that has the P1 patch and configure config file
accordingly.

Calling it the "P1 patch" is going to be misleading in the long run, as ISC
releases sequential patches (P1, P2, P3, ...) for any given release, and
this only applies to 9.2.3. Better to call it the delegation patch, I
think.

(And I just found out that the "P" in OpenSSH version numbers is for
portable, not patch level. OpenSSH is built for BSD, then ported to other
OSes. The great thing about standards is that there are so many to choose
from!)
 
Something like that.

All I did was create a *.com zone (rt-click, new zone, typed in *.com). Then
I created a blank host record, and pointed it to an unused IP in my subnet.
This could be any IP that's not being used. It could even be a private IP. I then
did the same thing for a *.net zone (rt-click, new zone, typed in *.net).

Hey, it's working like a charm!

Cheers!
--
Regards,
Ace

 
Maybe I'm on to something here.. It seems too easy for this to work,
but it does!
 
I'll call it a fried egg if you want. That was just what the guy (Mark
Andrews) who posted the patch called it (i.e. BIND 9.2.2-P1, BIND 9.1.3-P1,
etc.) It is also available for 9.1.3, 9.2.2, and 9.2.3 and I have seen some
noise about 8.x version but not sure. Cheers!
 
This can't work, unless I miss what you're trying to do. Try it in the net
zone. Create a "*.net" zone (i.e. with the "*"). Add a wildcard pointing
to 192.168.0.1 or whatever and do a query for some domain not registered,
like:
C:\WINNT\system32\dns>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\WINNT\system32\dns>dig anydomain23ssssd.net a

; <<>> DiG 9.2.2 <<>> anydomain23ssssd.net a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;anydomain23ssssd.net. IN A

;; ANSWER SECTION:
anydomain23ssssd.net. 900 IN A 64.94.110.11

;; AUTHORITY SECTION:
net. 172800 IN NS d.gtld-servers.net.
net. 172800 IN NS j.gtld-servers.net.
net. 172800 IN NS l.gtld-servers.net.
net. 172800 IN NS m.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
net. 172800 IN NS g.gtld-servers.net.
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS f.gtld-servers.net.
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS e.gtld-servers.net.
net. 172800 IN NS i.gtld-servers.net.
net. 172800 IN NS h.gtld-servers.net.
net. 172800 IN NS c.gtld-servers.net.

;; ADDITIONAL SECTION:
d.gtld-servers.net. 172800 IN A 192.31.80.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
a.gtld-servers.net. 172800 IN A 192.5.6.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
c.gtld-servers.net. 172800 IN A 192.26.92.30

;; Query time: 203 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 19 09:27:35 2003
;; MSG SIZE rcvd: 483


C:\WINNT\system32\dns>dig anydomain23ssssd.*.net a

; <<>> DiG 9.2.2 <<>> anydomain23ssssd.*.net a
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;anydomain23ssssd.*.net. IN A

;; ANSWER SECTION:
anydomain23ssssd.*.net. 3600 IN A 192.168.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 19 09:28:09 2003
;; MSG SIZE rcvd: 56


The first query will still go out to the forwarder and look for
"anydomain23ssssd.net", and you will get the Verisign wildcard which returns
their IP. What you have done (if I understand you) is make yourself
authoritative for the "*" subdomain of the "net" domain. So the second query
above will return your wildcard. However this does not help with the
Verisign thing unless I missed what you're saying. If I did miss what you're
saying, please post the zone master file so I can better see what you're
doing. And maybe your "dig" output to show how you're testing success on
this. Thanks Ace man.
 
Hi William,

Actually in class right now. But I created the *.com zone here with my
instructor machine too. I don't have much time till tonight to dig it, but
will get back to you with it.

Here's a copy of the zone (192.168.5.100 is unused):
===========================
;
; Database file _.com.dns for *.com zone.
; Zone version: 2
;

@ IN SOA london.nwtraders.msft.
admin.nwtraders.msft. (
2 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; minimum TTL

;
; Zone NS records
;

@ NS london.nwtraders.msft.

;
; Zone records
;

@ A 192.168.5.100
=========================

Ace
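The two things this exchange turns on, William's dig test above and Ace's *.com zone file, reduced to code as an added example that is not from the thread. It models the lookup an authoritative server does (longest-matching zone first, wildcard synthesis only inside that zone), which is why a zone literally named "*.net" catches "anydomain23ssssd.*.net" but never "anydomain23ssssd.net", and then emulates BIND's delegation-only rule on the dig output: data for a name below com/net whose AUTHORITY section is the TLD's own NS set (no delegation to a child) is reported as NXDOMAIN. Assumptions: the RFC 1034 lookup is simplified, the delegation-only check is a from-memory paraphrase of the BIND patch rather than its code, and the dig transcripts are constructed, trimmed copies of the ones William posted (same names, addresses and TTLs).

```python
"""Added example (not code from the thread): why an MS DNS zone named "*.com"
or "*.net" cannot intercept Verisign's wildcard, and what BIND's
delegation-only check does instead.  Simplified RFC 1034 lookup; the
delegation-only rule is paraphrased from memory; dig text is constructed."""
import re

SITEFINDER_IP = "64.94.110.11"        # address returned by the Verisign wildcard

def labels(name):
    return [l for l in name.rstrip(".").lower().split(".") if l]

def find_zone(qname, zone_names):
    """Longest-suffix match: the local zone that encloses qname, or None.
    A zone apex of "*.net" is the literal two labels ["*", "net"]; it
    encloses "foo.*.net" but never plain "foo.net"."""
    q, best = labels(qname), None
    for z in zone_names:
        zl = labels(z)
        if len(zl) <= len(q) and q[-len(zl):] == zl:
            if best is None or len(zl) > len(labels(best)):
                best = z
    return best

def lookup_local(qname, zones):
    """zones: {apex: {relative_owner: A-rdata}}; "@" is the apex, "*" a
    wildcard.  Returns rdata, "NXDOMAIN", or None when no local zone applies
    (the server forwards the query, and Verisign's wildcard answers it)."""
    apex = find_zone(qname, zones)
    if apex is None:
        return None
    q = labels(qname)
    rel = q[:len(q) - len(labels(apex))]   # labels below the apex
    rrs = zones[apex]
    owner = ".".join(rel) or "@"
    if owner in rrs:
        return rrs[owner]
    if rel and "*" in rrs:                 # wildcard synthesis, RFC 1034 4.3.3
        return rrs["*"]
    return "NXDOMAIN"

ACE_ZONES = {"*.com": {"@": "192.168.5.100"}}                    # Ace's _.com.dns
WILLIAM_ZONES = {"*.net": {"@": "192.168.0.1", "*": "192.168.0.1"}}  # William's test zone

# Constructed, trimmed copies of the two dig transcripts in the thread.
DIG_SITEFINDER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;anydomain23ssssd.net. IN A

;; ANSWER SECTION:
anydomain23ssssd.net. 900 IN A 64.94.110.11

;; AUTHORITY SECTION:
net. 172800 IN NS a.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
"""
DIG_LOCAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;anydomain23ssssd.*.net. IN A

;; ANSWER SECTION:
anydomain23ssssd.*.net. 3600 IN A 192.168.0.1
"""

def parse_dig(text):
    """Minimal dig-output parser: status, flags, question, ANSWER, AUTHORITY."""
    resp = {"status": None, "flags": set(), "question": None,
            "answer": [], "authority": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ->>HEADER<<-"):
            resp["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            resp["flags"] = set(re.match(r";; flags:([^;]*);", line).group(1).split())
        elif line.endswith("SECTION:"):
            section = line.split()[1].lower()    # question/answer/authority/additional
        elif not line:
            section = None
        elif section == "question" and line.startswith(";"):
            resp["question"] = labels(line[1:].split()[0])
        elif section in ("answer", "authority"):
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            resp[section].append((labels(owner), int(ttl), rtype, rdata))
    return resp

def delegation_only(resp, zones=("com", "net")):
    """Paraphrase of BIND's delegation-only check on a recursed answer: the
    ANSWER carries data for a name below the delegation-only apex, but the
    AUTHORITY NS records are owned by the apex itself (no delegation to a
    child), so the TLD synthesized the data and NXDOMAIN is returned instead."""
    q = resp["question"]
    ns_owners = {tuple(rr[0]) for rr in resp["authority"] if rr[2] == "NS"}
    for z in zones:
        zl = labels(z)
        below_apex = len(q) > len(zl) and q[-len(zl):] == zl
        if below_apex and resp["answer"] and ns_owners == {tuple(zl)}:
            return "NXDOMAIN"
    return resp["status"]

if __name__ == "__main__":
    for name in ("anydomain23ssssd.net", "anydomain23ssssd.*.net"):
        print(name, "->", lookup_local(name, WILLIAM_ZONES))
    for tag, text in (("sitefinder", DIG_SITEFINDER), ("local", DIG_LOCAL)):
        print(tag, "->", delegation_only(parse_dig(text)))
```

Run it and the first lookup prints None: no local zone encloses "anydomain23ssssd.net", so the Microsoft server forwards it and gets 64.94.110.11 back, exactly what William's first dig shows. The delegation-only emulation turns that same response into NXDOMAIN while leaving the locally authoritative "*.net" answer alone, which is the behaviour the BIND patch provides and the "*.com"/"*.net" zones cannot.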
 
Ace,

I'm pretty much a newbie here; could you give me a newbie explanation of
what you did and how it handles this issue?
We are having problems with Sprint who is one of our forwarders and we are
in the process of tracking down our problems with them and this verisign
thing is just making it harder for us to trace what the heck is going on.
If there is a good solution then I would like to deploy it.

Thanks for any help you can offer.
 
Nah, I almost thought I was on to something there. I thought I had it
working the other night when I tested it, but now when I tested it, it comes
back with the Verisign IP: 64.94.110.11. Darn.....

--
Regards,
Ace

 