On Mar 19, 2019, at 3:50 AM, Eliot Lear <l...@cisco.com> wrote:
> It might also be possible to whitelist ANSWERs into iptables. I wrote the
> code for that for a dnscap plugin some years ago, and you could even play
> with it if you want (it’s on GitHub), but I’m not suggesting it’s a good
> general answer (it was intended for a very specific use case involving
> relatively few domains for (hopefully cooperating) IoT devices). As you
> point out, it won’t tackle shared IP addresses, and quite frankly, little CPE
> gear won’t scale with a gazillion iptables entries (I’m not sure big gear
> would either).

Link?

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop