ALLOW-RECURSION -- Return a default address?

Kevin Darcy kcd at daimlerchrysler.com
Thu Sep 28 22:47:51 UTC 2000


It's unclear what you're trying to do here. Do you want queries in *any*
domain for which you are not authoritative to return a default address,
or just queries in a *specific* ("C.COM") domain, for which you are not
authoritative?

In either case, you'd have to set up a zone on your box with a wildcard
A record in it, either "C.COM" or a root zone. I'd advise only doing
this on an *internal*, i.e. non-Internet-queriable nameserver. Otherwise
you risk polluting the Internet DNS with bogus and/or stale root-zone or
"C.COM" zone information.

Bear in mind, however, that if you do this, you'll be blinding yourself
to *all* of the real namespace, including records besides A records. MX
records, for instance, will also be blocked, which could cause real
problems for email connectivity.

By the way, if you're trying to use this to control your users' Internet
access, this is a lousy way to do it. Users can still access the sites
by using IP addresses instead of names, and they can resolve the names
using various websites which offer that as a free service. I think there
may be tools (plugins, perhaps?) that can do all of this on the fly. If
such tools don't exist now, they could shortly, so all you're doing is
buying a little time. Don't rely on Security by Obscurity. The
"proper" way to control access is to block HTTP (and whatever other
protocols may concern you) at a network level to everything except
servers specifically set up to proxy those protocols. Then put your
higher-level access controls on the proxy servers.


- Kevin

dturkel at my-deja.com wrote:

> Does anyone have any insight to this:
>
> I want to be able to provide a default address whenever a query hits
> the local resolver that would require recursion.
>
> As an example:
>   1) Users can only use one DNS Server (assuming access to others has
> been restricted)
>   2) That DNS Server has records for A.COM and B.COM
>   3) If the user requests a record for host.B.COM, the query is
> executed without issue
>   4) If the user requests a record for any host at C.COM the query
> returns some default address (that could be specified in the DNS
> configuration files).
>
> Is there a DNS software configuration that would let me do this, or
> would I actually have to hack BIND code?  If I have to hack the BIND
> code, does anyone have particular knowledge of what modules I should
> look at?
>
> Thanks,
>
> David Turkel
>
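An added example, not part of the thread, of the wildcard-zone setup Kevin describes, written as BIND named.conf and zone-file fragments. The 192.0.2.1 default address, the 10.0.0.0/8 internal client range, the ns1.a.com nameserver name and the file paths are assumptions; the comments note the MX side effect he warns about.

```text
// ---- named.conf (fragment) ----
options {
    directory   "/var/named";        // assumed path
    // Internal clients only: this server hands out bogus c.com data and
    // must never be reachable from the Internet (see Kevin's warning).
    allow-query { 10.0.0.0/8; };     // assumed internal range
};

// Zones the server really is authoritative for (a.com, b.com) go here.

// Variant 1: only c.com gets the default address.
zone "c.com" {
    type master;
    file "c.com.default";
};

// Variant 2 (instead of the usual "." hints zone): *every* name outside
// a.com/b.com gets the default address, i.e. the server is blind to the
// whole real namespace.
// zone "." {
//     type master;
//     file "root.default";
// };

// ---- /var/named/c.com.default ----
; Wildcard zone: any name under c.com that has no explicit record
; resolves to the default address.
$TTL 3600
@       IN SOA  ns1.a.com. hostmaster.a.com. (
                2000092801      ; serial
                3600            ; refresh
                900             ; retry
                604800          ; expire
                300 )           ; negative-caching TTL
        IN NS   ns1.a.com.
*       IN A    192.0.2.1       ; constructed default address (documentation range)

; Resulting behaviour when queried from an internal client:
;   host.c.com.      A   -> 192.0.2.1 (synthesised from the wildcard)
;   host.c.com.      MX  -> NOERROR, empty answer: the wildcard owns only an
;                           A record, so mail for c.com cannot be routed
;   c.com.           A   -> empty answer: a wildcard never matches the apex
```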