[73354] in North American Network Operators' Group


Re: DNS Blocking

daemon@ATHENA.MIT.EDU (Duane Wessels)
Thu Aug 19 16:10:54 2004

Date: Thu, 19 Aug 2004 14:09:54 -0600 (MDT)
From: Duane Wessels <cee4@packet-pushers.com>
To: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
Cc: nanog@merit.edu
In-Reply-To: <20040819151906.F70328@prime.gushi.org>
Errors-To: owner-nanog-outgoing@merit.edu


> > danm@prime.gushi.org ("Dan Mahoney, System Admin") writes:
> >
> >> What I was basically asking for was a "silently drop queries for X-domain"
> >> option.  But one doesn't exist in bind.
> >
> > take a look at www.as112.net to see what happens to queries for
> > 10.in-addr.arpa and its brothers.  you can easily set up a zone
>
> There weren't rfc1918.

Doesn't matter.  But in order for this trick to work:

  - The things sending you queries must be able to receive your
    replies.  I believe you said that source addresses are spoofed,
    so this may not be the case.

  - The things sending you queries must be smart enough to follow
    the NS referral in the response.

If I wanted to silently drop DNS queries based on the query name,
I might use FreeBSD's divert socket and a Perl script to examine
the queries.  Not sure how well that would scale though.

Duane W.
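
The drop-by-query-name filter Duane sketches (divert socket plus a script that looks at each query), written out as an added example in Python rather than Perl. This is not code from the original post or from Duane; the blocked suffixes, the sample packet, the ipfw rule in the comment and the IPPROTO_DIVERT value 258 are assumptions. The part that runs offline is the packet parsing and the drop decision; the divert loop at the bottom only works as root on FreeBSD with a matching ipfw divert rule.

```python
"""Silently drop DNS queries whose QNAME falls under a blocked suffix, decided on raw IP packets."""
import struct

# Constructed sample policy: drop reverse lookups for 10/8 and anything under example.invalid.
BLOCKED_SUFFIXES = ("10.in-addr.arpa", "example.invalid")


def parse_qname(payload, offset):
    """Decode a wire-format name at offset; return (dotted lowercase name, offset after it).
    A question section may not use compression pointers, so those are rejected."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated qname")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        label = payload[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace").lower())
        offset += length
    return ".".join(labels), offset


def dns_question(payload):
    """Return (qname, qtype) for a DNS query message with one question, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:          # QR bit set: this is a response, not a query
        return None
    if qdcount != 1:
        return None
    name, off = parse_qname(payload, 12)
    if off + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return name, qtype


def dns_payload_of(packet):
    """Strip IPv4 and UDP headers; return the DNS payload only for UDP packets to port 53."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:          # protocol field: 17 is UDP
        return None
    udp = packet[ihl:ihl + 8]
    if len(udp) < 8:
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp)
    if dport != 53:
        return None
    return packet[ihl + 8:ihl + ulen]


def should_drop(packet, blocked=BLOCKED_SUFFIXES):
    """True if the packet is a DNS query for a name at or under a blocked suffix.
    Malformed queries are passed through so the name server's own parser deals with them."""
    payload = dns_payload_of(packet)
    if payload is None:
        return False
    try:
        question = dns_question(payload)
    except ValueError:
        return False
    if question is None:
        return False
    name = question[0]
    return any(name == s or name.endswith("." + s) for s in blocked)


def build_query_packet(qname, qtype=12, src=b"\xc0\xa8\x01\x02", dst=b"\xc0\xa8\x01\x01"):
    """Constructed test input: an IPv4/UDP/DNS query (checksums left at zero, which is
    fine for a sample that never hits the wire)."""
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question + struct.pack("!HH", qtype, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return ip + udp


def divert_loop(port=8668):
    """FreeBSD divert-socket loop (assumed setup, not tested here):
    an ipfw rule such as 'divert 8668 udp from any to me 53 in' hands us each query.
    Packets written back continue through the firewall; packets we never write back
    are dropped, and the querier gets no reply at all. Needs root."""
    import socket
    proto = getattr(socket, "IPPROTO_DIVERT", 258)   # 258 is the FreeBSD value; an assumption
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, proto)
    s.bind(("0.0.0.0", port))
    while True:
        pkt, addr = s.recvfrom(65535)
        if not should_drop(pkt):
            s.sendto(pkt, addr)


if __name__ == "__main__":
    print(should_drop(build_query_packet("4.3.2.10.in-addr.arpa")))   # True
    print(should_drop(build_query_packet("www.example.com")))         # False
```

Because nothing is sent back for a dropped query, this does not depend on the source address being real or on the client following a referral, which is exactly the difference from the AS112-style approach. The cost is that every packet to port 53 makes a trip through userland, which is the scaling concern.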
