Re: DNS Server

Wed, 07 Oct 2009 07:57:41 -0700 

Agarwal Vivek-RNGB36 wrote:

Hi All
Im using a BIND 9.3. I have been asked to block the responses from some of the 
DNS Servers in the internet. Is there any way how can I do that
It's not clear what you're trying to do. Block *responses*? So, you're going to send these nameservers queries, but you don't want to see the responses (?) Why send them queries in the first place then? It would just be wasted traffic. Arguably, you might even be guilty of a Denial of Service attack. 
If you want to prevent sending queries to specific nameservers, then the 
only way I know of to accomplish that within BIND is with individual 
"server" statements, specifying "bogus":

server a.b.c.d {
   bogus yes;
};


Alternatively, you could do this outside of BIND, using a firewall or 
similar device, specifically dropping outgoing packets to those 
destinations with the QR (Query Response) bit clear, or incoming packets 
from those sources with QR set to 1. This would focus the drops on query 
transactions initiated by your nameserver to those other "prohibited" 
nameservers.

If you want to block the ability of those nameservers to query *you*, 
then some of the other suggestions in this thread apply, e.g. null 
route, blackhole, allow-query, etc. Note that "blackhole" (and I suppose 
null-routing as well) affects both incoming and outgoing transactions, 
but can lead to undesirable behavior if the other side simply keeps 
timing out and retrying its queries. allow-query gives an unambiguous 
REFUSED response and is more likely to shut the other side up. But 
allow-query doesn't apply to outgoing queries, so you need to clarify 
exactly what it is that you're trying to accomplish.

Another option I'd consider for incoming queries is to set up a special 
view for the "prohibited" nameservers. You could then put anything you 
wanted in that view, e.g. an empty root zone, a wildcard pointing to 
some static web page, etc. But, again, it all depends on what you're 
trying to do...

                                                                        
                                            - Kevin

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to