In message <20120405221836.ga4...@fantomas.sk>, Matus UHLAR - fantomas writes:
> >In message <20120405090858.ga29...@fantomas.sk>, Matus UHLAR - fantomas writes:
> >> our customer (an ISP) reported that his clients have problems resolving
> >> sites like facebook, youtube, applestores and that the problems only
> >> affect apple computers.
> >>
> >> I notice many requests for dns service discovery:
> >>
> >> Apr 5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#32844: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
> >> Apr 5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#49019: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
> >> Apr 5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#35647: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
> >>
> >> these requests are denied, because we use private IPs from those ranges
> >> and I don't want to make them available for users.
> >>
> >> Can these requests cause resolving problems on Apple computers?
>
> On 06.04.12 08:09, Mark Andrews wrote:
> >Well you are leaking RFC 1918 answers. I would close off the leak by
> >using views or different nameservers for your machines.
>
> I am leaking? :) I am not. client is sending requests and I am denying
> them. I have in plan to move those zones to different servers to avoid
> this problem, and clients will get empty results.

You are *both* leaking RFC 1918 state. The REFUSED is a leak. Your
solution sounds fine.

> I was curious if these can't cause the problem reported by user,
> however it appears not to be the source of it. I'll have to dig
> further.

REFUSED isn't an expected answer.

> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT wish to receive any advertising mail at this address.
> Saving Private Ryan...
> Private Ryan exists. Overwrite? (Y/N)
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
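
An added example, not part of the thread: one way to measure how many refused queries in a named security log are reverse lookups for RFC 1918 space, and which clients send them, before moving those zones behind views or separate servers. The function names and all sample lines except the first (which is quoted from the thread) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# named's security-category line for a refused query, as quoted in the thread.
DENIED = re.compile(r"client (?:@\S+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+[^:]*: "
                    r"query '(?P<qname>[^/']+)/(?P<qtype>\w+)/\w+' denied")

def reverse_target(qname):
    """IPv4 address encoded in an in-addr.arpa name, or None."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = []
    for label in reversed(labels[:-2]):  # most significant octet first
        numeric = label.isascii() and label.isdigit() and int(label) <= 255
        if len(octets) == 4 or not numeric:
            break  # stops at prefixes such as _udp, _dns-sd, cf
        octets.append(str(int(label)))
    if not octets:
        return None
    octets += ["0"] * (4 - len(octets))  # short name: treat as network address
    return ipaddress.IPv4Address(".".join(octets))

def refused_private_queries(lines):
    """Count refused RFC 1918 reverse queries per (client, kind)."""
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        addr = reverse_target(m["qname"]) if m else None
        if addr is None or not any(addr in net for net in RFC1918):
            continue  # not a refusal, not a reverse name, or public space
        kind = "dns-sd" if "._dns-sd._udp." in m["qname"].lower() else "reverse"
        counts[(m["client"], kind)] += 1
    return counts

# First line is from the thread; the remaining lines are constructed samples.
SAMPLE = [
    "Apr 5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#32844: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied",
    "Apr 5 09:47:21 t03 named[8324]: security: info: client 192.0.2.10#5353: query '1.0.168.192.in-addr.arpa/PTR/IN' denied",
    "Apr 5 09:47:22 t03 named[8324]: security: info: client 192.0.2.10#5354: query '4.4.8.8.in-addr.arpa/PTR/IN' denied",
    "Apr 5 09:47:23 t03 named[8324]: security: info: client 192.0.2.11#4000: query 'www.example.com/A/IN' denied",
    "Apr 5 09:47:24 t03 named[8324]: security: info: client 192.0.2.10#5355: query 'lb._dns-sd._udp.0.16.172.in-addr.arpa/PTR/IN' denied",
]
```

Calling `refused_private_queries(SAMPLE)` returns the per-client counts; refusals for public reverse names and for forward names are ignored.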