Instead of just checking known-invalid addresses for DNS hijacking, we
 now check randomly generated addresses, and if too many of them map to
 the same IP, we assume that IP is the destination of a DNS hijack
 attempt.
 
 A little bird tells me that some DNS hijackers think that declining to
 give an A record for RFC2606 addresses (like .invalid and .example)
 makes them more standards compliant.  Standardswise, this is like an
 illicit brothel making sure that nobody has pulled the tags off the
 mattresss, but that doesn't get us out of working around it.
 


svn:r8465