Hello everyone
I am trying to figure out the way to drop a domain name DNS resolution
before it hits application server. I do not want to do domain to IP mapping
and block destination IP (and source IP blocking is also not an option).
I can see that a string like this:
iptables -A INPUT -p udp
On Saturday, February 08, 2014 09:08:43 AM Mikael
Abrahamsson wrote:
> I have never heard anyone refer to SLAAC as IA_NA.
Because it's not.
I said "prefer DHCP_IA_NA to ND/RA".
> When saying IA_NA and IA_PD, you should take for granted
> people mean DHCP.
Anders asked whether ND/RA for the CP
This is going to be tricky to do, as DNS packets don't necessarily contain
entire query values or FQDNs as complete strings due to packet label
compression (remember, original DNS only has 512 bytes to work with).
You can use those u32 module matches to find some known-bad packets if
they're suffi
Hi all,
Just wanted to say thanks to all who replied on and off list to my original
inquiry.
I'd sum up feedback as follows:
- Although Cogent has been surprisingly good for some, in general almost
everyone agreed that it should never be relied upon as your main Internet
provider. As a
On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff wrote:
> This is going to be tricky to do, as DNS packets don't necessarily contain
> entire query values or FQDNs as complete strings due to packet label
> compression (remember, original DNS only has 512 bytes to work with).
Howdy,
The DNS query
Have you looked at perhaps using DNS RPZ (Response Policy Zones)?
https://dnsrpz.info/
- ferg
On 2/8/2014 12:08 AM, Anurag Bhatia wrote:
> Hello everyone
>
>
> I am trying to figure out the way to drop a domain name DNS
> resolution before
You could use RPZ but wouldn't something as simple as putting these two entries
in a hosts file meet the mail?
Tom
On Feb 8, 2014, at 11:30 AM, Paul Ferguson wrote:
> Have you looked at perhaps using DNS RPZ (Response Policy Zones)?
>
> https://dnsrpz.info/
>
> - ferg
>
>
I implemented this easily some time ago due to a situation where product
development was unable or unwilling to disable open resolvers.
I'll post my ruleset, then describe it, since it contains
multiple functions.
Chain INPUT (policy ACCEPT 68M packets, 4377M bytes)
pkts b
On Sat, Feb 08, 2014 at 12:34:45AM -0800,
Jonathan Lassoff wrote
a message of 88 lines which said:
> This is going to be tricky to do, as DNS packets don't necessarily
> contain entire query values or FQDNs as complete strings due to
> packet label compression
Apparently, the OP wanted to matc
On Sat, Feb 08, 2014 at 01:38:13PM +0530,
Anurag Bhatia wrote
a message of 54 lines which said:
> but here I am not sure how to create such string out and script them
> for automation.
Use this program:
http://www.bortzmeyer.org/files/generate-netfilter-u32-dns-rule.py
On 02/08/2014 09:40 AM, William Herrin wrote:
> On Sat, Feb 8, 2014 at 3:34 AM, Jonathan Lassoff wrote:
>> This is going to be tricky to do, as DNS packets don't necessarily contain
>> entire query values or FQDNs as complete strings due to packet label
>> compression (remember, original DNS only
On Fri, Feb 07, 2014 at 01:14:09PM -0500, Jared Mauch wrote:
> If you want something that is "cheap" as in you for your home, I can
> recommend this: ~$350 w/ antenna, etc..
>
> http://www.netburnerstore.com/product_p/pk70ex-ntp.htm
>
> You can get the whole thing going quickly. Majdi has also
Hi,
On 07/02/2014 16:20, Praveen Unnikrishnan wrote:
We are an ISP based in UK. We have got an ip block from RIPE
which is 5.250.176.0/20.
There is a geoloc attribute for the inetnum fields, maybe you could
try and set it, just in case someone uses it sometimes...
Regards,
S. Vallerot
- Original Message -
> From: "Saku Ytti"
> On (2014-02-06 21:14 -0500), Jay Ashworth wrote:
> > My usual practice is to set up two in house servers, each of which
> > talks to:
> >
> > And then point everyone in house to both of them, assuming they
> > accept multiple server names.
>
> T
- Original Message -
> From: "Jimmy Hess"
> Don't forget poor performance due to high latency, or
> Server X emitting corrupted or inaccurate data
My two internal servers were my two uplink firewalls, and were pretty
thoroughly monitored. Had NTP gone insane, I'd have heard about it.
R
- Original Message -
> From: "Matthew Huff"
> Working in the financial world, the best practices is to have 4 ntp
> servers (if not using PTP).
>
> 1) You need 3 to determine the correct time (and detect bad tickers)
> 2) If you lose 1 of the 3 above, then you no longer can determine the
- Original Message -
> From: "Roland Dobbins"
> On Feb 8, 2014, at 4:25 AM, Chris Grundemann
> wrote:
>
> > Documenting those various mechanisms which are actually utilized is
> > the key here. =)
>
> Yes, as well as the various limitations and caveats, like the
> wholesale/retail issu