This Space Intentionally Left Blank

1 Vendémiaire CCXII (September 22, 2003)

(Ramblings) Depart Then, Impious One. Depart, Accursed One. Depart With All Your Deceits

For the past couple of days on Slashdot there's been debate related to Verisign's site finder technology. (See stories from: Sept. 11, Sept. 15, Sept. 17, Sept. 19, Sept. 20) For those who are unaware of what it does and are too lazy to click the links, essentially what's happened is that they've added a wild card to the root DNS servers for the .com and .net TLDs. Whenever you make a search that doesn't match any entry in their servers it returns an address of 64.94.110.11 – or sitefinder.verisign.com. Essentially like the feature in Internet Explorer that searches for mistyped URLs using MSN, except that you can't turn it off.

Anyways, getting to the point here. I had my first encounter with it tonight when I was attempting to access the website of a former employer to find out whether they gave the address of their New Brunswick offices as being in Sussex or Pennobsquis. I missed the 'a' and ended up with potshcorp.com.

My first clue that something was wrong came when Firebird popped up a window asking me if I wanted to let verisign.com set a cookie. Wait a minute here…cookie? Verisign? I shouldn't be getting any of those. Next thing I know I'm treated to a blue and white webpage with a search box across the top and a list of 'corrected' URLs for me to try. The fact that I'm posting this with a passage from the Roman Ritual as the title should be a clue as to how I felt about these developments.

To make things even better, not one of the domains that were suggested (www.ots-corp.com, www.otscorp.com, www.hcorp.com, and www.tothcorp.com) was the right one. It makes me think that their algorithm might need a little work. I mean www.hcorp.com? Yes, because I accidentally entered four extra characters without somehow noticing it.

A solution quickly presented itself though; I just nipped into my bind config files and made a few keystrokes. Presto! I was now authoritative for *.verisign.com [1] for all machines that used my server to resolve addresses. It gave me a nice warm and rosy feeling inside. Really it did.

[1] I did later relent and I'm now only authoritative for sitefinder.verisign.com. I'm not planning on ever wanting to visit a Verisign website, but it still could happen.

Posted by g026r at 00:04
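
The wildcard behaviour described in the post can be detected and filtered on the resolver side by probing random names. This is an added example, not code from the original post: the resolver is passed in as a function (an assumed interface), and `fake_resolver`, `REGISTERED` and 192.0.2.10 are constructed for illustration; only 64.94.110.11 and potshcorp.com come from the post.

```python
import secrets
from typing import Callable, FrozenSet

Resolver = Callable[[str], FrozenSet[str]]  # assumed interface: name -> A records

SITEFINDER = "64.94.110.11"  # wildcard address quoted in the post
REGISTERED = {"example.com": frozenset({"192.0.2.10"})}  # constructed sample data


def fake_resolver(name: str) -> FrozenSet[str]:
    """Constructed stand-in for a resolver while the .com/.net wildcard is live."""
    name = name.lower().rstrip(".")
    if name in REGISTERED:
        return REGISTERED[name]
    if name.endswith((".com", ".net")):
        return frozenset({SITEFINDER})  # every unregistered name "exists"
    return frozenset()  # empty set models NXDOMAIN


def detect_wildcard(tld: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Return the address set a wildcard in `tld` answers with, or an empty set."""
    answers = []
    for _ in range(probes):
        # 24 random hex characters: practically certain to be unregistered.
        answers.append(frozenset(resolve(f"{secrets.token_hex(12)}.{tld}")))
    first = answers[0]
    # A wildcard shows up as every random name resolving to the same addresses.
    if first and all(a == first for a in answers):
        return first
    return frozenset()


def resolve_filtered(name: str, resolve: Resolver, wildcard: FrozenSet[str]) -> FrozenSet[str]:
    """Resolve `name`, reporting a wildcard-only answer as non-existent.

    Caveat: a real host that shares the wildcard address is filtered too.
    """
    addrs = frozenset(resolve(name))
    if addrs and addrs <= wildcard:
        return frozenset()
    return addrs


if __name__ == "__main__":
    wc = detect_wildcard("com", fake_resolver)
    print("wildcard answer for .com:", sorted(wc))
    print("potshcorp.com ->", sorted(resolve_filtered("potshcorp.com", fake_resolver, wc)))
    print("example.com   ->", sorted(resolve_filtered("example.com", fake_resolver, wc)))
```
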
Comments

So you run your own DNS server?  What software do you recommend?

Posted by peter at 1 Vendémiaire CCXII 13:22 (2003/09/22)

I use bind9 as I know how to set it up well enough to do what I want it to do. That and it's likely to be what I'll discover if I ever have to fix someone else's DNS server.

Of course, I know there's plenty of people who refuse to touch bind for various reasons. (Size, security -- previous versions of bind (especially prior to bind8) had some major security issues -- and simplicity seem to be the main reasons.) I've never had any issues though.

In reality I don't actually do that much resolving with my nameserver; it's set to forward any domains that it's not authoritative for off to NBTel's DNS servers and it refuses to allow any connections from outside my local subnet. It's mainly so I can refer to my webserver and what-not by name rather than IP.

Posted by g026r at 1 Vendémiaire CCXII 13:57 (2003/09/22)