nanog mailing list archives
Re: DNS Blocking
From: Duane Wessels <cee4 () packet-pushers com>
Date: Thu, 19 Aug 2004 14:09:54 -0600 (MDT)
danm () prime gushi org ("Dan Mahoney, System Admin") writes:

> > > What I was basically asking for was a "silently drop queries for
> > > X-domain" option. But one doesn't exist in bind.
> >
> > take a look at www.as112.net to see what happens to queries for
> > 10.in-addr.arpa and its brothers. you can easily set up a zone
>
> There weren't rfc1918.
Doesn't matter. But in order for this trick to work:

- The things sending you queries must be able to receive your replies.
  I believe you said that source addresses are spoofed, so this may not
  be the case.

- The things sending you queries must be smart enough to follow the NS
  referral in the response.

If I wanted to silently drop DNS queries based on the query name, I might
use FreeBSD's divert socket and a Perl script to examine the queries.
Not sure how well that would scale though.

Duane W.
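The filtering step Duane sketches (inspect each query packet, decide by query name) can be shown in code. The following is an added example written for this archive page; it is not Duane's script, and the thread contains no code. It shows only the decision logic: parsing the QNAME out of a raw DNS message in wire format (label-length encoding, with compression pointers handled defensively), ignoring responses and anything that does not parse as a single-question query, and matching against a configured zone list at label boundaries so that `110.in-addr.arpa` is not caught by a rule for `10.in-addr.arpa`. How packets reach `should_drop` (a FreeBSD divert socket, a userspace capture, or a test harness) is assumed and not shown; `DROP_ZONES`, `should_drop` and `build_query` are names chosen here, and the packets built by `build_query` are constructed test input.

```python
import struct

# Zones whose queries are to be dropped silently. Constructed example list;
# 10.in-addr.arpa is the RFC 1918 reverse zone named in the thread.
DROP_ZONES = ("10.in-addr.arpa", "168.192.in-addr.arpa")


def parse_qname(payload, offset=12):
    """Decode a wire-format name starting at `offset`.

    Returns (lower-cased dotted name, offset just past the name in the
    original stream). Compression pointers are followed, with a hop limit
    so a malformed packet cannot loop us forever.
    """
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        if length == 0:                      # root label: end of name
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if offset + 1 >= len(payload):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # stream resumes after the pointer
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = pointer
            continue
        if length > 63:
            raise ValueError("bad label length")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels).lower(), end


def parse_query(payload):
    """Return (qname, qtype) for a plain single-question query, else None."""
    if len(payload) < 12:
        return None
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:                       # QR bit set: this is a response
        return None
    if qdcount != 1:
        return None
    try:
        qname, off = parse_qname(payload)
    except ValueError:
        return None
    if off + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return qname, qtype


def in_zone(qname, zone):
    """True if qname is the zone apex or lies below it (label boundary respected)."""
    zone = zone.lower().strip(".")
    return qname == zone or qname.endswith("." + zone)


def should_drop(payload, zones=DROP_ZONES):
    """Decision for one raw DNS message: drop only well-formed queries inside a listed zone.

    Anything that does not parse as a query is passed through, so a filter
    bug cannot take down unrelated traffic.
    """
    parsed = parse_query(payload)
    if parsed is None:
        return False
    qname, _qtype = parsed
    return any(in_zone(qname, z) for z in zones)


def build_query(name, qtype=12):
    """Build a minimal DNS query (constructed test input; qtype 12 = PTR)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    body = b""
    for label in name.strip(".").split("."):
        body += bytes([len(label)]) + label.encode("ascii")
    body += b"\x00" + struct.pack("!HH", qtype, 1)
    return header + body


if __name__ == "__main__":
    for name in ("4.3.2.10.in-addr.arpa", "www.example.com", "110.in-addr.arpa"):
        print(name, "->", "drop" if should_drop(build_query(name)) else "pass")
```

Two of Duane's caveats carry over unchanged: a drop-based filter never answers, so spoofed sources do not matter for correctness, but every packet still has to be pulled into userspace and parsed, which is the scaling cost he is unsure about; and any packet the parser rejects is deliberately passed rather than dropped.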
Current thread:
- DNS Blocking Dan Mahoney, System Admin (Aug 19)
- Re: DNS Blocking Paul Vixie (Aug 19)
- Re: DNS Blocking Dan Mahoney, System Admin (Aug 19)
- Re: DNS Blocking Duane Wessels (Aug 19)
- Re: DNS Blocking Paul Vixie (Aug 19)
- Re: DNS Blocking Mike Lewinski (Aug 19)
- Re: DNS Blocking Suresh Ramasubramanian (Aug 19)
- Re: DNS Blocking Paul Vixie (Aug 19)
- Re: DNS Blocking Dan Mahoney, System Admin (Aug 19)
- Re: DNS Blocking Paul Vixie (Aug 19)