--- bind-9.2.1/bin/named/client.c.orig	2002-04-22 21:53:53.000000000 -0400
+++ bind-9.2.1/bin/named/client.c	2003-09-16 12:03:28.000000000 -0400
@@ -808,6 +808,44 @@
 	ns_client_next(client, result);
 }
 
+static int
+sanitize_vsgn(dns_message_t *msg) {
+	isc_result_t result;
+	dns_name_t *name;
+	dns_rdataset_t *rds;
+	dns_rdata_t rd;
+	unsigned int inet = htonl(0x405e6e0b);
+
+	result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
+	if (result != ISC_R_SUCCESS)
+	       return (0);
+
+	while (result == ISC_R_SUCCESS) {
+	       name = NULL;
+	       dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+	       rds = NULL;
+	       result = dns_message_findtype(name, dns_rdatatype_a,
+					     0, &rds);
+	       if (result == ISC_R_SUCCESS) {
+		       result = dns_rdataset_first(rds);
+		       if (result != ISC_R_SUCCESS)
+			       return (0);
+		       while (result == ISC_R_SUCCESS) {
+			       dns_rdata_init(&rd);
+			       dns_rdataset_current(rds, &rd);
+			       if (memcmp(rd.data, &inet, 4) == 0) {
+				       msg->rcode = dns_rcode_nxdomain;
+				       return (1);
+			       }
+			       result = dns_rdataset_next(rds);
+		       }
+	       }
+	       result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
+	}
+
+	return (0);
+}
+
 void
 ns_client_send(ns_client_t *client) {
 	isc_result_t result;
@@ -817,12 +855,24 @@
 	isc_region_t r;
 	dns_compress_t cctx;
 	isc_boolean_t cleanup_cctx = ISC_FALSE;
+	isc_boolean_t evil;
 	unsigned char sendbuf[SEND_BUFFER_SIZE];
 
 	REQUIRE(NS_CLIENT_VALID(client));
 
 	CTRACE("send");
 
+	/*
+	* Search the message for any of the (currently) hard-coded
+	* IP addresses that we will refuse to give out.
+	*/
+	evil = ISC_TF(sanitize_vsgn(client->message));
+
+      if (evil)
+	       CTRACE("IsEvil");
+	else
+	       CTRACE("IsNotEvil");
+
 	if ((client->attributes & NS_CLIENTATTR_RA) != 0)
 		client->message->flags |= DNS_MESSAGEFLAG_RA;
 
@@ -851,20 +901,22 @@
 		if (result != ISC_R_SUCCESS)
 			goto done;
 	}
-	result = dns_message_rendersection(client->message,
-					   DNS_SECTION_QUESTION, 0);
-	if (result == ISC_R_NOSPACE) {
-		client->message->flags |= DNS_MESSAGEFLAG_TC;
-		goto renderend;
-	}
-	if (result != ISC_R_SUCCESS)
-		goto done;
-	result = dns_message_rendersection(client->message,
-					   DNS_SECTION_ANSWER,
-					   DNS_MESSAGERENDER_PARTIAL);
-	if (result == ISC_R_NOSPACE) {
-		client->message->flags |= DNS_MESSAGEFLAG_TC;
-		goto renderend;
+	if (!evil) {
+		result = dns_message_rendersection(client->message,
+						   DNS_SECTION_QUESTION, 0);
+		if (result == ISC_R_NOSPACE) {
+			client->message->flags |= DNS_MESSAGEFLAG_TC;
+			goto renderend;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto done;
+		result = dns_message_rendersection(client->message,
+						   DNS_SECTION_ANSWER,
+						   DNS_MESSAGERENDER_PARTIAL);
+		if (result == ISC_R_NOSPACE) {
+			client->message->flags |= DNS_MESSAGEFLAG_TC;
+			goto renderend;
+		}
 	}
 	if (result != ISC_R_SUCCESS)
 		goto done;
@@ -875,7 +927,7 @@
 		client->message->flags |= DNS_MESSAGEFLAG_TC;
 		goto renderend;
 	}
-	if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS)
 		goto done;
 	result = dns_message_rendersection(client->message,
 					   DNS_SECTION_ADDITIONAL, 0);