Monday, August 17, 2009

New Deadwood snapshot: Workaround for ISPs' error pages

Well, surfing the net this weekend, I discovered that those annoying little "error pages" (usually filled with ads) that some ISPs foist on customers when they misspell a URL or otherwise go to a page without a DNS entry are actually a potential security problem.

With that in mind, I have implemented a new dwood2rc parameter: ip_blacklist. Should an IP appear in an answer that is in the ip_blacklist, Deadwood will reject the answer. I have already implemented and documented the new feature, but I need to make these kinds of answers proper "nothere" replies (not actual NXDOMAINs for technical reasons), add IPv6 support (done in some parts of the code but not all of it), add a SQA regression, then I should be done with this feature.

For people who want to try out the feature in the meantime, it's here:

http://www.maradns.org/deadwood/snap/
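
The ip_blacklist check described above, sketched in Python as an added example (this is not Deadwood's code, which is written in C): it pulls the A/AAAA addresses out of a reply's answer section and rejects the reply if any of them is blacklisted. The sample packets, the 192.0.2.10 blacklist entry, and the choice to reject malformed replies are assumptions made for the illustration.

```python
import ipaddress
import struct

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length

def answer_ips(msg):
    """Extract every A/AAAA address from the answer section of a DNS reply."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                # skip each question: name + type + class
        off = skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rdlen) in ((1, 4), (28, 16)):   # A or AAAA record
            ips.append(ipaddress.ip_address(msg[off:off + rdlen]))
        off += rdlen
    return ips

def filter_reply(msg, blacklist):
    """Return 'reject' if any answer IP is blacklisted, else 'accept'."""
    bad = {ipaddress.ip_address(ip) for ip in blacklist}
    try:
        ips = answer_ips(msg)
    except (IndexError, ValueError, struct.error):
        return "reject"                # assumption: malformed replies fail closed
    return "reject" if any(ip in bad for ip in ips) else "accept"

def build_reply(name, ip):
    """Constructed sample: a minimal one-answer A reply for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.ip_address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer

# Constructed values: 192.0.2.10 stands in for an ISP's ad-server address.
BLACKLIST = ["192.0.2.10"]
HIJACKED = build_reply("no-such-host.example", "192.0.2.10")
GENUINE = build_reply("www.example", "198.51.100.7")
```

Matching is on exact addresses only, so every address the ISP's error page resolves to has to be listed individually.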