In article <op.wa5ehqs6a3w0dxdave@hodgins.homeip.net>,
dwhodgins@nomail.afraid.org says...
>
> The point is that since all dns requests coming to that name server
> are coming from infected clients, it would be easy to have that dns
> server only reply with valid addresses for sites useful in removing
> the trojan, and reply with an ip address that leads to a web
> server that only shows an instruction page, for all other requests.

I understood that as well. It would be simple for the DNS servers to
route all requests to the equivalent of a 404 error page with
instructions on getting help. It would, of course, break non-http DNS
requests and disable things like smtp, pop, imap, nntp, etc. but most
users would probably figure it out pretty quickly.

What I was wondering about was how VG intended to implement his idea
which was somewhat different. He was going to use the DNS servers to
route the requests to a web server (as above) but that server would then
show the originally requested web page (www.acme.com in his example) but
with the equivalent of a banner ad on the page with instructions on
fixing their DNS. While it would be easy to have the web server build
such a page with content from another server and a customized banner ad,
I'm having trouble understanding how he would pass the URL of the
originally requested page to the temporary web server from the original
DNS request.
--
Whoever - but you can just call me who.
whoever@wherever.invalid

