RE: DNS Changer items

["Tomas L. Byrnes" <tomb () byrneit net>]

I think having the ISC DNS changer sinkhole servers return the DCWG
check page IP for all queries would be a good final act.

> -----Original Message-----
> From: Andrew Fried [mailto:andrew.fried () gmail com]
> Sent: Friday, July 06, 2012 11:16 AM
> To: Cameron Byrne
> Cc: nanog () nanog org
> Subject: Re: DNS Changer items
>
> The DNS redirection began on November 8, 2011.  The servers were
> instrumented to capture a very small portion of the dns data (source
ip and
> port only) so that reports of infected users could be sent to the ISPs
via
> reporting organizations like Shadowserver.
>
> Some ISPs did create walled gardens.  Some merely redirected affected
> customers to their own internal DNS servers.  Some ISPs did aggressive
> notifications to their users.  And some ISPs did nothing.
>
> Sites were set up to allow users to check their systems (dns-ok.us,
etc).  The
> DCWG set up an information site to provide information on how to
detect
> the DNSchanger infection and how to fix it.  AV companies provided
tools to
> help clean up systems, and the tools were published on the DCWG.org
> website.
>
> The FBI went to great lengths to get press coverage to get the word
out.
> This operation has been ongoing for 7 months, 27 days and 14 hours.
>
> How much more of a graceful ramp down could there have been?
>
> Andy
>
> Andrew Fried
> andrew.fried () gmail com
>
>
> On 7/6/12 1:52 PM, Cameron Byrne wrote:
> > So insteading of turning the servers off, would it not have been
> > helpful to have the servers return a "captive portal" type of
reponse
> > saying "hey, since you use this server, you are broken, go here to
get fixed"
> > Seems that would have been a more graceful ramp down.
> >
> > CB