DNS Server
Hi All,

I'm using BIND 9.3. I have been asked to block the responses from some of the DNS servers on the internet. Is there any way I can do that?

Regards
Vivek Aggarwal
+973-36583058

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: DNS Server
There are a few approaches you could take, and it depends on what you are trying to do.

If you are actually trying to block traffic to a specific server/servers, I'd say use a firewall. If you're running on a Linux box, it's pretty easy:

http://www.cyberciti.biz/faq/howto-null-route-an-attackers-ip/

Failing that, I believe there is a BIND directive (blackhole) that might do what you want, but I've never looked into it.

Finally, if you are simply trying to block certain domains, you could load them as master zones on your server and leave them blank.

Cheers,

Todd.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Agarwal Vivek-RNGB36
Sent: Wednesday, October 07, 2009 8:46 AM
To: bind-users@lists.isc.org
Subject: DNS Server
RE: DNS Server
Thanks for the response. I am using a Linux box. The issue is that the list of DNS servers to block is huge. Do you have much idea about the BIND directive?

Can anyone help me with the BIND directive? I've never used it.

Thanks

Regards
Vivek Aggarwal
+973-36583058

-Original Message-
From: Todd Snyder [mailto:tsny...@rim.com]
Sent: Wednesday, October 07, 2009 4:38 PM
To: Agarwal Vivek-RNGB36; bind-users@lists.isc.org
Subject: RE: DNS Server
Re: DNS Server
Agarwal Vivek-RNGB36 wrote:
> Thanks for the response. I am using a Linux box. The issue is that the list of DNS servers to block is huge. Do you have much idea about the BIND directive?
>
> Can anyone help me with the BIND directive? I've never used it.

There is an example here[0], "7.1 Access Control Lists":

    // Set up an ACL named "bogusnets" that will block RFC1918 space,
    // which is commonly used in spoofing attacks.
    acl bogusnets {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
    };

    // Set up an ACL called our-nets. Replace this with the real IP numbers.
    acl our-nets { x.x.x.x/24; x.x.x.x/21; };

    options {
        // ...
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        // ...
        blackhole { bogusnets; };
        // ...
    };

    zone "example.com" {
        type master;
        file "m/example.com";
        allow-query { any; };
    };

[0]: https://www.isc.org/files/Bv9.3ARM.pdf

-- 
La Poste\DISIT\ETU\IQI\INGS
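Vivek's practical problem is that the blocklist is huge, and the ARM excerpt Yohann points at shows the shape of the config but not how to get hundreds of addresses into it. The script below is an added example for this thread, not code from the list posters or from ISC: it reads a plain blocklist (one address or CIDR per line), collapses duplicates and overlapping prefixes, and emits the acl plus blackhole fragment for the inbound case and per-host "server { bogus yes; }" statements for the outbound-only case. The acl name "blocked-ns", the comment syntax accepted in the input file and the sample list are all assumptions made here.

```python
"""Build BIND named.conf fragments from a large blocklist of nameserver
addresses.

Added example for this thread, not code from the list, the posters or ISC.
Assumed: the acl name "blocked-ns", the constructed SAMPLE_BLOCKLIST, and the
"#"/";" comment conventions of the input file.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample input: bare hosts, a prefix, a duplicate and comments,
# the sort of mess a "huge list" handed over by someone else tends to be.
SAMPLE_BLOCKLIST = """\
# resolvers we were told to stop talking to
198.51.100.7
198.51.100.7          ; duplicate on purpose
198.51.100.0/28       ; already covers the host above
203.0.113.10
203.0.113.11
2001:db8::53
"""

MAX_HOSTS_PER_SERVER_EXPANSION = 256


def parse_blocklist(text: str) -> List[Network]:
    """One address or CIDR per line; '#' and ';' start comments.

    Bare addresses become /32 or /128 networks.  Duplicates, overlaps and
    adjacent prefixes are collapsed (per address family, since
    collapse_addresses refuses to mix them) so the acl stays short.
    """
    nets: List[Network] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def render_acl(name: str, nets: List[Network]) -> str:
    """acl <name> { prefix; prefix; ... }; with one prefix per line."""
    body = "\n".join(f"    {n.with_prefixlen};" for n in nets)
    return f"acl {name} {{\n{body}\n}};\n"


def render_inbound_blackhole(name: str) -> str:
    """blackhole makes named ignore queries from these addresses and never
    use them to resolve anything (both directions, silently).  Merge this
    into the existing options { } block rather than adding a second one."""
    return f"options {{\n    blackhole {{ {name}; }};\n}};\n"


def render_outbound_bogus(nets: List[Network]) -> str:
    """Outbound-only alternative: 'server <ip> { bogus yes; };' stops named
    from querying that host but still answers the host's own queries.
    In BIND 9.3 the server statement takes a single address, so prefixes
    are expanded host by host; anything wider than
    MAX_HOSTS_PER_SERVER_EXPANSION is left to blackhole instead of
    producing thousands of statements."""
    lines = []
    for n in nets:
        if n.num_addresses > MAX_HOSTS_PER_SERVER_EXPANSION:
            lines.append(f"// {n.with_prefixlen}: too wide to expand, "
                         "covered by blackhole only")
            continue
        for host in n:  # iterating a network yields every address in it
            lines.append(f"server {host} {{ bogus yes; }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    print(render_acl("blocked-ns", blocked))
    print(render_inbound_blackhole("blocked-ns"))
    print(render_outbound_bogus(blocked))
```

Run it against the real list and paste the acl into named.conf, then reference it from the existing options block; run named-checkconf before reloading. Use the blackhole fragment when the goal is to cut off those servers in both directions, and the server/bogus statements only when you want named to stop querying them while still answering them.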
RE: DNS Server
Thanks Yohann

Regards
Vivek Aggarwal
+973-36583058

-Original Message-
From: Yohann LEPAGE [mailto:yohann.lep...@laposte.fr]
Sent: Wednesday, October 07, 2009 4:52 PM
To: Agarwal Vivek-RNGB36
Cc: bind-users@lists.isc.org
Subject: Re: DNS Server
Re: DNS Server
Agarwal Vivek-RNGB36 wrote:
> Hi All
>
> I'm using BIND 9.3. I have been asked to block the responses from some of the DNS servers on the internet. Is there any way I can do that?

It's not clear what you're trying to do. Block *responses*? So, you're going to send these nameservers queries, but you don't want to see the responses (?) Why send them queries in the first place then? It would just be wasted traffic. Arguably, you might even be guilty of a Denial of Service attack.

If you want to prevent sending queries to specific nameservers, then the only way I know of to accomplish that within BIND is with individual "server" statements, specifying "bogus":

    server a.b.c.d { bogus yes; };

Alternatively, you could do this outside of BIND, using a firewall or similar device, specifically dropping outgoing packets to those destinations with the QR (Query Response) bit clear, or incoming packets from those sources with QR set to 1. This would focus the drops on query transactions initiated by your nameserver to those other "prohibited" nameservers.

If you want to block the ability of those nameservers to query *you*, then some of the other suggestions in this thread apply, e.g. null route, blackhole, allow-query, etc. Note that "blackhole" (and I suppose null-routing as well) affects both incoming and outgoing transactions, but can lead to undesirable behavior if the other side simply keeps timing out and retrying its queries. allow-query gives an unambiguous REFUSED response and is more likely to shut the other side up. But allow-query doesn't apply to outgoing queries, so you need to clarify exactly what it is that you're trying to accomplish.

Another option I'd consider for incoming queries is to set up a special view for the "prohibited" nameservers. You could then put anything you wanted in that view, e.g. an empty root zone, a wildcard pointing to some static web page, etc.

But, again, it all depends on what you're trying to do...

- Kevin
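Kevin's firewall variant hinges on one header bit: QR is the top bit of the DNS flags word, 0 in a query and 1 in a response, so "our query going out to a prohibited server" and "their answer coming back" can be told apart from "their query to us" and "our answer to them" without any state. The code below is an added example for this thread, not Kevin's or BIND's: it parses the QR bit out of a minimal DNS message and applies exactly his two drop rules to a handful of constructed packets, letting the other two cases through. The prohibited prefixes, the resolver address 192.0.2.53 and the packets are all made up here.

```python
"""Kevin's packet-filter rule as code: drop the query transactions our
resolver starts with a prohibited nameserver, and nothing else.

Added example for this thread, not code from the posters or from BIND.
Assumed: the PROHIBITED prefixes, OUR_RESOLVER and the constructed packets.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List

PROHIBITED = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.53/32")]
OUR_RESOLVER = "192.0.2.53"

ACCEPT = "ACCEPT"
DROP_OUTBOUND_QUERY = "DROP outbound query to prohibited nameserver"
DROP_INBOUND_RESPONSE = "DROP inbound response from prohibited nameserver"


@dataclass
class Packet:
    src: str
    dst: str
    dns: bytes  # UDP payload: DNS header + question section


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def dns_message(txid: int, qname: str, response: bool) -> bytes:
    """Minimal DNS message: 12-byte header plus one A/IN question.
    QR is bit 15 of the flags word: 0x0100 = RD only (a query),
    0x8180 = QR|RD|RA (a NOERROR response)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", 1, 1)


def qr_bit(dns: bytes) -> int:
    """Return 0 for a query, 1 for a response; refuse truncated headers."""
    if len(dns) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", dns[2:4])
    return flags >> 15


def is_prohibited(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROHIBITED)


def verdict(pkt: Packet) -> str:
    """Outgoing packet to a prohibited address with QR=0: our query, drop.
    Incoming packet from a prohibited address with QR=1: their answer, drop.
    Their queries to us (QR=0 inbound) and our answers to them (QR=1
    outbound) are a separate policy question and pass through here."""
    qr = qr_bit(pkt.dns)
    if pkt.src == OUR_RESOLVER and qr == 0 and is_prohibited(pkt.dst):
        return DROP_OUTBOUND_QUERY
    if pkt.dst == OUR_RESOLVER and qr == 1 and is_prohibited(pkt.src):
        return DROP_INBOUND_RESPONSE
    return ACCEPT


def sample_packets() -> List[Packet]:
    """Constructed traffic covering both drop cases and the two look-alikes."""
    q = dns_message(0x1234, "www.example.com", response=False)
    r = dns_message(0x1234, "www.example.com", response=True)
    return [
        Packet(OUR_RESOLVER, "203.0.113.5", q),   # we ask them: drop
        Packet("203.0.113.5", OUR_RESOLVER, r),   # they answer us: drop
        Packet("203.0.113.5", OUR_RESOLVER, q),   # they ask us: pass
        Packet(OUR_RESOLVER, "203.0.113.5", r),   # we answer them: pass
        Packet(OUR_RESOLVER, "198.51.100.1", q),  # allowed server: pass
    ]


if __name__ == "__main__":
    for p in sample_packets():
        print(f"{p.src:>14} -> {p.dst:<14} QR={qr_bit(p.dns)}  {verdict(p)}")
```

The third and fourth packets are the point of Kevin's distinction: the same two addresses, but the transaction was started by the other side, so a filter keyed on QR leaves it alone and you decide separately (allow-query, blackhole, a view) what to do about queries *from* those servers.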