this might also help..
http://code.google.com/p/google-dnswall

in a nutshell, it's like a DNS proxy server, you can use this to forward to BIND, between your clients and your internal BIND servers. it filters:

- Invalid IP address: an IP address that starts with 0; i.e. 0.x.x.x
- Node-Local IP address: 127.x.x.x
- Link-Local IP address: 169.254.x.x
- Site-Local IP address: 10.x.x.x, 172.x.x.x, 192.168.x.x
- Multicast IP address: 224.x.x.x

"DNSWall is a proof-of-concept (PoC) tool developed by some security researchers from Stanford University as a protection mechanism against DNS rebinding attacks."
http://securebits.org/blog/blog.php/2008/10/15/dnswall-a-protection-mechanism-against-d

--- On Fri, 11/28/08, David Sparks <[EMAIL PROTECTED]> wrote:

> From: David Sparks <[EMAIL PROTECTED]>
> Subject: Re: rfc1918 ns records coming from internet are queried?
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Date: Friday, November 28, 2008, 8:29 AM
>
> Thanks, the suggestion below looks like it might be what I'm looking for.
>
> ds
>
> > You can in fact set up the environment I described using views. Just
> > have the private view forward to the internet view. The following
> > resolving name server will ignore referrals to private name servers
> > for outside names; note that it's missing the masters list definition
> > named "private-auth-servers", plus the options statement, but is
> > otherwise complete.
> >
> > acl "private" {
> >     10/8;
> >     172.16/12;
> >     192.168/16;
> >     # does not include 127/8
> > };
> > view "private" {
> >     match-clients { private; };
> >     # forward unknown names to the internet view:
> >     forward only;
> >     forwarders { 127.0.0.1; };
> >     # stub, slave, or forward zones for the private namespace:
> >     zone "private.zone" {
> >         type stub;
> >         masters { private-auth-servers; };
> >         file "stub.private.zone";
> >         forwarders { }; # disable forwarding for stub zones
> >     };
> > };
> > view "internet" {
> >     server 10/8 { bogus yes; };
> >     server 172.16/12 { bogus yes; };
> >     server 192.168/16 { bogus yes; };
> >     allow-query { 127.0.0.1; };
> > };
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users