[73356] in North American Network Operators' Group
Re: DNS Blocking
daemon@ATHENA.MIT.EDU (Paul Vixie)
Thu Aug 19 17:35:38 2004
From: Paul Vixie <paul@vix.com>
To: nanog@merit.edu
In-Reply-To: Message from "Dan Mahoney, System Admin" <danm@prime.gushi.org>
of "Thu, 19 Aug 2004 15:19:32 -0400."
<20040819151906.F70328@prime.gushi.org>
Date: Thu, 19 Aug 2004 21:35:06 +0000
Errors-To: owner-nanog-outgoing@merit.edu
i wrote:
> > ... confuse and make errors for whoever queries it:
> >
> > @         SOA localhost hostmaster.localhost
> >           NS  localhost
> > localhost A   127.0.0.1
> > *         MX  0 localhost
> >           A   127.0.0.1
> >
> > if you put a zone like that in place on a server that's receiving
> > unwanted queries for some zone, they will soon stop, or not. you
> > win either way -- the queries stop, or you laugh your ass off.
dan answered:
> There weren't rfc1918.
i'm sorry if i mixed too many topics in one post. it doesn't have to be
rfc1918. let's say that someone registers a zone, let's call it
nanogtest.vix.com, and points it at your nameservers without your
permission. in response, let's create a zone file with this content:
---
@         SOA localhost hostmaster.localhost 42 3600 1800 604800 3600
          NS  localhost
localhost A   127.0.0.1
*         MX  0 localhost
          A   127.0.0.1
---
note that this content is all-purpose. it doesn't matter what the real
zone is called. in bind's named.conf, add something like this:
---
zone "nanogtest.vix.com" {
	type master;
	file "pri/nanogtest.vix.com";
};
---
and you're done. any query that anyone sends to your server for that zone
will be sent something that will hurt them. eventually they will realize
that it's hurting them, and they will stop.
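The following is an added example, not part of Paul Vixie's message and not BIND code. It takes the five zone-file lines from the post (embedded below as a constructed string) and shows why the content is "all-purpose": a toy parser applies the two master-file rules that make those lines work, a line that starts with whitespace inherits the previous owner, and an unqualified name (owner or rdata) is relative to the zone origin, and a toy lookup then answers the way an authoritative server would, synthesising an answer for any name under the zone from the "*" wildcard. The origin nanogtest.vix.com. is taken from the post; the function names parse_zone and lookup are this example's own.

```python
"""
Toy authoritative lookup for the catch-all zone in the post.

Added example (not the post's own code, not BIND). Demonstrates that
every name under the zone resolves to localhost.<zone>, which in turn
is 127.0.0.1, whatever the zone is actually called.
"""

ORIGIN = "nanogtest.vix.com."   # the zone named in the post

# Constructed copy of the zone file content from the post (file pri/nanogtest.vix.com).
ZONE_TEXT = """\
@         SOA localhost hostmaster.localhost 42 3600 1800 604800 3600
          NS  localhost
localhost A   127.0.0.1
*         MX  0 localhost
          A   127.0.0.1
"""

# rdata positions that hold domain names and are therefore relative to the origin
NAME_FIELDS = {"NS": (0,), "MX": (1,), "SOA": (0, 1)}


def qualify(name, origin):
    """Return name as a fully qualified, lower-cased domain name under origin."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse a simple master file into {owner: {rtype: [rdata, ...]}}."""
    records = {}
    owner = origin
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue
        fields = raw.split()
        # A line with leading whitespace has no owner field: keep the previous owner.
        if raw[0] not in " \t":
            owner = qualify(fields.pop(0), origin)
        rtype = fields.pop(0).upper()
        for i in NAME_FIELDS.get(rtype, ()):
            fields[i] = qualify(fields[i], origin)
        records.setdefault(owner, {}).setdefault(rtype, []).append(" ".join(fields))
    return records


def lookup(records, origin, qname, qtype):
    """Answer qname/qtype as an authoritative server for this zone would.

    Returns None for names outside the zone, [] for no data/NXDOMAIN,
    otherwise the list of rdata strings.
    """
    qname = qname.lower().rstrip(".") + "."
    if not (qname == origin or qname.endswith("." + origin)):
        return None                      # not our zone
    if qname in records:                 # an existing name never uses the wildcard
        return list(records[qname].get(qtype.upper(), []))
    wildcard = "*." + origin
    if wildcard in records:              # nonexistent name: synthesise from "*"
        return list(records[wildcard].get(qtype.upper(), []))
    return []


def main():
    records = parse_zone(ZONE_TEXT, ORIGIN)
    for qname, qtype in [("nanogtest.vix.com", "NS"),
                         ("mail.nanogtest.vix.com", "MX"),
                         ("anything.at.all.nanogtest.vix.com", "A"),
                         ("localhost.nanogtest.vix.com", "A")]:
        print(f"{qname:36} {qtype:3} -> {lookup(records, ORIGIN, qname, qtype)}")


if __name__ == "__main__":
    main()
```

Running it shows the chain the post relies on: an MX query for any host under the zone yields 0 localhost.nanogtest.vix.com., and the A record for that name (as for any other name under the zone) is 127.0.0.1, so the querier is sent back to itself. The same lines serve any zone because nothing in them names the zone; only the origin changes.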