I think having the ISC DNS changer sinkhole servers return the DCWG check page IP for all queries would be a good final act.
> -----Original Message----- > From: Andrew Fried [mailto:andrew.fr...@gmail.com] > Sent: Friday, July 06, 2012 11:16 AM > To: Cameron Byrne > Cc: nanog@nanog.org > Subject: Re: DNS Changer items > > The DNS redirection began on November 8, 2011. The servers were > instrumented to capture a very small portion of the dns data (source ip and > port only) so that reports of infected users could be sent to the ISPs via > reporting organizations like Shadowserver. > > Some ISPs did create walled gardens. Some merely redirected affected > customers to their own internal DNS servers. Some ISPs did aggressive > notifications to their users. And some ISPs did nothing. > > Sites were set up to allow users to check their systems (dns-ok.us, etc). The > DCWG set up an information site to provide information on how to detect > the DNSchanger infection and how to fix it. AV companies provided tools to > help clean up systems, and the tools were published on the DCWG.org > website. > > The FBI went to great lengths to get press coverage to get the word out. > > This operation has been ongoing for 7 months, 27 days and 14 hours. > > How much more of a graceful ramp down could there have been? > > Andy > > Andrew Fried > andrew.fr...@gmail.com > > > On 7/6/12 1:52 PM, Cameron Byrne wrote: > > So insteading of turning the servers off, would it not have been > > helpful to have the servers return a "captive portal" type of reponse > > saying "hey, since you use this server, you are broken, go here to get fixed" > > > > Seems that would have been a more graceful ramp down. > > > > CB > > >