Dropping request packets

Jim Reid jim at rfc1035.com
Tue Apr 20 21:49:08 UTC 2004


>>>>> "Weldon" == Weldon Goree <weldon at weldongoree.com> writes:

    >> Is there a way to configure BIND (doesn't matter which version)
    >> to drop packets or refuse requests coming from a particular
    >> client?

    Weldon> That's not really BIND's "job"; for that matter BIND
    Weldon> doesn't even know what a packet is (think OSI
    Weldon> levels). Refusing or allowing packets for certain
    Weldon> applications (eg, BIND) from certain hosts, however, is
    Weldon> exactly what a firewall does. 

Can I have some of whatever it is you've been smoking? :-) BIND[89]
have a number of mechanisms for dropping packets or refusing access to
particular clients. The server has access control lists that can be
applied to zone transfers, dynamic updates, queries, notifies and
recursive queries. Networks can be blackholed. Name servers can also
be tagged as bogus so they get ignored. Consult the BIND9 ARM for
things like the allow-update, allow-transfer, etc. clauses; the
blackhole clause and server{} statement. These hooks are there for a
reason. Sure, most could also be implemented by a firewall or router.
But it can also be BIND's "job" to deal with who gets to access the
name server.

    Weldon> The only real network-specific filter I know of for BIND
    Weldon> is the ability to throttle TCP connections

BIND has no way of rate-limiting inbound queries or TCP connections.
This is something a router or firewall does.
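A named.conf fragment showing the access-control hooks listed above, added here as an example; it is not part of the original post, and the ACL names, network ranges, server address and zone name are constructed placeholders:

```conf
// Added example (not from the original post): a BIND 9 named.conf
// fragment using acl, blackhole, allow-* and server{ bogus }.
// All addresses and names below are constructed placeholders.

// ACLs must be defined before they are referenced.
acl "trusted-nets" { 192.0.2.0/24; 2001:db8:1::/48; localhost; };
acl "secondaries"  { 192.0.2.53; 192.0.2.54; };
acl "abusive"      { 198.51.100.0/24; };

options {
    // blackhole: packets from these addresses are ignored outright.
    // No response of any kind is sent, so the sender sees a timeout.
    blackhole { abusive; };

    // allow-query: anyone may ask (open authoritative service), but
    // recursion is limited to our own networks. A client that fails
    // an allow-* check gets a REFUSED answer rather than silence.
    allow-query     { any; };
    allow-recursion { trusted-nets; };

    // Zone transfers and dynamic updates are denied globally;
    // individual zone statements open them up where needed.
    allow-transfer  { none; };
    allow-update    { none; };
};

// server{}: a remote name server marked bogus is never queried by
// named, e.g. a server known to hand out bad data.
server 203.0.113.7 {
    bogus yes;
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Only the listed secondaries may pull this zone, and only hosts
    // on our own networks may send dynamic updates for it.
    allow-transfer { secondaries; };
    allow-update   { trusted-nets; };
};
```

Run `named-checkconf` on the file before reloading; it reports a syntax error if, for instance, an acl is referenced before it is defined.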