For some reason those rules wrapped to one line on the bounce back - each rule starts with the -A and ends with the DROP.
-----Original Message----- From: bind-users-bounces+jlightner=water....@lists.isc.org [mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf Of Lightner, Jeff Sent: Monday, October 17, 2011 9:29 AM To: TCPWave Customer Care; babu dheen Cc: bind-users@lists.isc.org Subject: RE: DNS Sinkhole in BIND While setting up blackholes in BIND works fine when I did this on Linux I found that setting up iptables to do drops for known bad IPs/ranges was slightly better as the traffic never gets to BIND in the first place as it is stopped at kernel level. It simply DROPs the packet without telling the bad guys why packets didn't go through. Example rules for various IPs that have annoyed me in the past: -A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP -A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP -A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP -A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP -A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP Of course you can do ranges as well in iptables. Also you should be sure that you're restricting things like recursion and cache to trusted environments (i.e. internal lookups) while still allowing lookups for domains you're authoritative for to the outside. -----Original Message----- From: bind-users-bounces+jlightner=water....@lists.isc.org [mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf Of TCPWave Customer Care Sent: Sunday, October 16, 2011 7:43 PM To: babu dheen Cc: bind-users@lists.isc.org Subject: Re: DNS Sinkhole in BIND Babu The following example defines two access control lists and uses an options statement to define how they are treated by the nameserver: acl black-hats { 10.0.2.0/24; 192.168.0.0/24; }; acl red-hats { 10.0.1.0/24; }; options { blackhole { black-hats; }; allow-query { red-hats; }; allow-recursion { red-hats; }; } This example contains two access control lists, black-hats and red-hats. Hosts in the black-hats list are denied access to the nameserver, while hosts in the red-hats list are given normal access. Regards TCPWave Customer Care On Sun, 2011-10-16 at 23:30 +0530, babu dheen wrote: > Hi, > > Can anyone help me how to setup DNS Sinkhole in BIND on Linux 32 bit > edition. > > Regards > babu > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users Athena(r), Created for the Cause(tm) Making a Difference in the Fight Against Breast Cancer --------------------------------- CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you. ---------------------------------- _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
