BIND DNS and RFC 952

Ladislav Vobr lvobr at ies.etisalat.ae
Sat Mar 6 06:10:48 UTC 2004


I think some L4-7 switches (Cisco, Alteon...) can do it: you can create 
a filter on L5 and put a regexp for the domain name, and the switch can 
blackhole it.

An L4-7 switch is quite a complicated device, which might introduce more 
problems into your setup than it solves :-) so it is not 
generally used / recommended in DNS, but in some situations it might 
help. (This is my opinion :-) )

Ladislav

Kevin Darcy wrote:
> J Marquez wrote:
> 
> 
>>Hi folks,
>>
>>Does anyone know how to avoid translating addresses of domains that don't match RFC 952 for BIND 8.2.4? (We have cache DNSs.)
>>
>>We don't want our DNS to treat the domains that don't match the RFC, because we are receiving many queries for domains that end in "!" or "_" or many other characters that we are sure we don't want to translate, and it increases the CPU load.
>>
>>So can anybody help us to avoid this?
>> 
>>
> 
> I think what you are asking is: "can we simply ignore, i.e. not answer, 
> queries for non-RFC-952-compliant names?". There is no way to do this in 
> BIND. BIND has a "blackhole" feature, but it's based on client source 
> address, not on name or (as you would need) string-matching or 
> regular-expression-matching against the queried name.
> 
> It would be a pretty pointless feature anyway, since the clients would 
> just retry the queries if you fail to answer them...
> 
> - Kevin
> 
> 
> 
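As an added illustration (not part of the original thread, and not BIND code), the following Python shows what a name-based filter of the kind Ladislav describes would actually have to do: pull the QNAME out of a raw DNS query and test each label against the RFC 952 hostname grammar (letters, digits and hyphen; first character a letter; no trailing hyphen). The sample queries are constructed inline. One caveat worth noting before deploying such a filter: legitimate names such as `_ldap._tcp.example.com` (SRV records, RFC 2782) contain underscores and fail RFC 952, so "drop anything with `_`" would break real lookups. Names starting with a digit (e.g. `3com.example.com`) also fail strict RFC 952 although RFC 1123 later allowed them; the `strict` flag below switches between the two readings.

```python
import re
import struct

# RFC 952 label: starts with a letter, then letters/digits/hyphens,
# must not end with a hyphen. RFC 1123 relaxed the first character to
# allow a digit; both variants are provided so the difference is visible.
RFC952_LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
RFC1123_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_valid_hostname(name: str, strict: bool = True) -> bool:
    """True if every label of `name` is an RFC 952 (strict) or RFC 1123 label."""
    pattern = RFC952_LABEL if strict else RFC1123_LABEL
    name = name.rstrip(".")
    if not name or len(name) > 255:
        return False
    return all(len(label) <= 63 and pattern.match(label) for label in name.split("."))


def parse_qname(packet: bytes) -> str:
    """Extract the first QNAME from a DNS query in RFC 1035 wire format."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    off = 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated name")
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not legal in a question name.
            raise ValueError("compression pointer in question name")
        if off + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[off:off + length].decode("latin-1"))
        off += length
    return ".".join(labels)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal A/IN query for `name` (hypothetical client)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("latin-1")
                     for l in name.split(".") if l)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_queries(packets, strict: bool = True):
    """Return (qname, verdict) pairs: 'pass', 'drop' (fails RFC 952), or 'malformed'."""
    results = []
    for pkt in packets:
        try:
            name = parse_qname(pkt)
        except ValueError as exc:
            results.append((None, f"malformed: {exc}"))
            continue
        results.append((name, "pass" if is_valid_hostname(name, strict) else "drop"))
    return results


# Constructed sample traffic: the kinds of names the original question mentions,
# plus two legitimate names that a naive RFC 952 filter would wrongly drop.
SAMPLE_QUERIES = [
    build_query("www.example.com"),
    build_query("host!.example.com"),       # '!' is never legal
    build_query("my_host.example.com"),     # '_' in a hostname label
    build_query("_ldap._tcp.example.com"),  # legitimate SRV owner name
    build_query("3com.example.com"),        # fine under RFC 1123, not RFC 952
    b"\x12\x34\x01\x00\x00\x01",            # truncated header
]

if __name__ == "__main__":
    for name, verdict in classify_queries(SAMPLE_QUERIES):
        print(f"{name!s:28} {verdict}")
```

Run as-is, the output shows that the `!` and `_` names are dropped as the original poster wanted, but so is the SRV name, which is why a regexp filter in front of a resolver needs a more careful allow-list than "RFC 952 only".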


