[Twisted-Python] Anti-Verisign DNS Filter.

Robert Thomson, a workmate of mine, wrote this hack to filter DNS responses to thwart Verisign's stupid wildcard on root-level domains. It's simple but does the job. Enjoy.

--- snip ---
#!/usr/bin/python
#
# Run this as root with the command
#   twistd -y anti-verisign-dns.py
#
# NOTE(review): root is needed here to bind port 53. Nothing in this file
# gives the privilege up afterwards, so unless the launcher drops it the
# resolver keeps parsing network input as root.

from twisted.internet import app, defer
from twisted.protocols import dns
from twisted.names import client, server

# Upstream servers handed to the resolver, as (address, port) pairs.
roots = [
    ('198.41.0.4', 53),
    ('128.9.0.107', 53),
    ('192.33.4.12', 53),
    ('128.8.10.90', 53),
    ('192.203.230.10', 53),
    ('192.5.5.241', 53),
    ('192.112.36.4', 53),
    ('128.63.2.53', 53),
    ('192.36.148.17', 53),
    ('192.58.128.30', 53),
    ('193.0.14.129', 53),
    ('198.32.64.12', 53),
    ('202.12.27.33', 53),
]
#roots = [('202.129.64.42',53)] # just use my ISP's DNS

# Packed four-byte form of 64.94.110.11 ('@'=64, '^'=94, 'n'=110, '\x0b'=11).
# NOTE(review): this is the only address the filter knows about, and only A
# records are checked; a different wildcard target would pass straight through.
VERISIGN = '@^n\x0b'


class AntiVerisignResolver(client.Resolver):
    """Resolver that strips A records whose address equals VERISIGN."""

    def filterAnswers(self, message):
        """Return (answers, authority, additional) with VERISIGN answers removed.

        A truncated message is not filtered directly: the same queries are
        re-sent with queryTCP and this method is attached as the callback of
        the result, so the TCP reply goes through the same filter.
        """
        if message.trunc:
            retry = self.queryTCP(message.queries)
            return retry.addCallback(self.filterAnswers)

        answers = message.answers
        for idx, record in enumerate(answers):
            # Type 1 is an A record; the address is compared in packed form.
            if record.type == 1 and record.payload and record.payload.address == VERISIGN:
                # Blank the slot in place; falsy entries are dropped below.
                answers[idx] = None

        # NOTE(review): if every answer was stripped this list is empty;
        # presumably the client then gets an empty successful reply rather
        # than a name error - confirm against the server factory.
        kept = [record for record in answers if record]
        return (kept, message.authority, message.additional)


verbosity = 0
resolver = AntiVerisignResolver(servers=roots)
f = server.DNSServerFactory(clients=[resolver], verbose=verbosity)
p = dns.DNSDatagramProtocol(f)
f.noisy = verbosity
p.noisy = verbosity

application = app.Application('Non caching anti-verisign domain name resolver')
# NOTE(review): no interface is passed to either listener, so presumably both
# accept queries on every address of the host - confirm. A resolver reachable
# from outside the local network can be abused for reflection/amplification;
# firewall port 53 or bind to the internal address only.
application.listenUDP(53, p)
application.listenTCP(53, f)
--- snip ---

-Andrew.