How to filter IP addresses accessing our resolver.

Chris Meadors bind at
Fri Mar 30 16:21:22 UTC 2001

On Mon, 26 Mar 2001, Kevin Darcy wrote:

> If you really want to lock things down, use allow-query globally to forbid
> all external queries, and then open up selectively only for the zones that
> you serve to the public. But even that is not perfect, since a misconfigured
> stub resolver or forwarding nameserver which is already pointing at your
> server may just start failing over to some other nameserver so quickly that
> the user/administrator might never notice enough of a delay to realize there
> is a problem.

It would seem that views (from BIND9) are really what I want, but someone
mentioned that views don't work with includes, and our configuration here
is heavily based on included files.

So I have done what you recommended above.  I created an acl called
"hereintown" of the IPs used on our network.  And put "allow-query {
localhost; hereintown; };" in the global options.  Next I went to every
zone and added "allow-query { any; };".

So now I'm tailing my log file, and watching these:

client query denied

Lines slowly come in.  I was like, cool, it works, so I wanted to see who
the sucker is that was trying to use my name server:

$host domain name pointer

Hotmail?  I've also seen Ebay in there, along with other random ISPs.

So what is Hotmail doing trying to query my name server?

Two penguins were walking on an iceberg.  The first penguin said to the
second, "you look like you are wearing a tuxedo."  The second penguin
said, "I might be..."                         --David Lynch, Twin Peaks
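As an added illustration (not Chris's actual named.conf), this is what the configuration he describes looks like in BIND 9 syntax: a global allow-query restricted to an acl, with a per-zone allow-query { any; } override on the zones served to the public. The acl name "hereintown" comes from the post; the address ranges, zone names and file paths are assumptions. The allow-recursion line is also an addition: it is the narrower control that stops outsiders from using the server as a recursive resolver even for the zones that are opened up.

```conf
// Added example, not the original poster's named.conf.
// "hereintown" is the acl name used in the post; the address blocks,
// zone names and file paths below are assumptions for illustration.

acl "hereintown" {
    192.0.2.0/24;       // assumed: the site's own address block
    198.51.100.0/24;    // assumed: a second internal block
};

options {
    directory "/var/named";

    // Global default: only local clients may query at all.
    // Anything else is answered REFUSED and logged as "query denied".
    allow-query { localhost; hereintown; };

    // Narrower than allow-query: even on zones opened with
    // allow-query { any; } below, only these clients get recursion.
    allow-recursion { localhost; hereintown; };
};

// Zone served to the public: override the global default so anyone
// can ask for data this server is authoritative for.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

// Internal-only zone: inherits the global allow-query, no override.
zone "corp.example" {
    type master;
    file "corp.example.zone";
};
```

The per-zone override has to be repeated in every zone statement that should be reachable from outside, which is why the post describes going through each zone by hand; a zone without it inherits the global restriction. After a reload, `dig @<server> example.com A` from an address outside the acl should still be answered, while `dig @<server> www.google.com A` from the same address should come back REFUSED and produce one of the "query denied" log lines the post is tailing.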
