preventing queries to servers (from my server)

Kevin Darcy kcd at daimlerchrysler.com
Mon May 2 23:49:06 UTC 2005


markdv.bind at asphyx.net wrote:

>On Fri, 29 Apr 2005, Robert Vangel wrote:
>  
>
>>markdv.bind at asphyx.net wrote:
>>    
>>
>>>Hi,
>>>
>>>I would like to prevent queries to RFC 1918 addresses on a caching
>>>nameserver.
>>>
>>>The server has a public IP to which clients query. But it is also
>>>connected to 'back-end' networks using RFC 1918 addresses. I would like to
>>>prevent queries sent over this network when public zones contain NS
>>>records resolving to RFC 1918 addresses in ranges I also use.
>>>
>>>I was thinking along the lines:
>>>
>>>server 10.0.0.0/8 {
>>>    bogus yes;
>>>};
>>>
>>>but the 'server' statement only allows ip_addr and not ip_prefix... Is
>>>there some other way to achieve the same thing?
>>>
>>>Wouldn't it be useful if 'server' also supported ip_prefix? Or even an
>>>acl?
>>>
>>>Regards,
>>>Mark.
>>>
>>>
>>>      
>>>
>>allow-query { localnets; }; ?
>>    
>>
>
>No, it's a caching server that receives recursive queries from public IPs.
>
>Let me give an example of what I mean:
>
>The server is queried for A nl-central-sus.bnl.group.cmg.com. At some
>point this leads to:
>
>group.cmg.com.  IN NS   cmg-amv-dc01.group.cmg.com.
>
>and thanks to some glue somewhere:
>
>cmg-amv-dc01.group.cmg.com.    IN A   10.0.59.65
>
>This is obviously broken as it points to their internal network,
>and is unreachable from the internet...
>
>Unfortunately I also use IPs in this range internally, so my server starts
>to send requests to this IP on my internal network. So that's why I would
>like to classify all IPs in this/these range(s) as 'bogus'.
>
If I'm not mistaken, "blackhole" applies to both incoming and outgoing 
queries, and accepts prefixes.

- Kevin
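As an added illustration of the blackhole approach Kevin suggests (this is example configuration written for this archive page, not anything posted by Kevin or Mark, and the acl name rfc1918 is my own choice), the following named.conf fragment lists all three RFC 1918 prefixes in a single acl and hands it to the blackhole option. Per the BIND 9 ARM, blackhole is a list of addresses the server will neither accept queries from nor use to resolve a query, so nameservers whose glue points into 10/8, 172.16/12 or 192.168/16 are never contacted, which is exactly the cmg-amv-dc01.group.cmg.com case above:

```conf
// Added example: RFC 1918 space that this resolver must never send
// iterative queries to, because those addresses are reused on its
// own back-end networks.
acl rfc1918 {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    directory "/var/named";
    recursion yes;

    // Accept recursive queries from the public side only (the original
    // poster's clients arrive on the public IP, so allow-query alone is
    // not the answer, but it is still good practice to restrict recursion).
    allow-recursion { any; };

    // blackhole is checked for BOTH directions: queries FROM these
    // addresses are dropped, and the resolver will not send queries TO
    // them while chasing NS records. Unlike the 'server' statement in
    // the poster's BIND version, it accepts prefixes and acl names.
    blackhole { rfc1918; };
};
```

Two caveats before copying this. First, because blackhole is bidirectional, any host on the back-end RFC 1918 networks that also wants to query this server will be silently ignored; if those hosts are legitimate clients, either exclude their subnets with a negated acl entry (for example `!10.20.0.0/16;` placed before `10.0.0.0/8;`) or run a separate view/instance for them. Second, blackholed addresses are dropped rather than marked bogus, so a zone whose only nameservers have RFC 1918 glue will resolve to SERVFAIL after the normal retry timeouts rather than failing immediately; that is the expected behaviour, not a misconfiguration. Later BIND 9 releases also accept a prefix length in the `server` statement, which makes the poster's original `bogus yes;` approach possible on a per-prefix basis without the incoming-side effect.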
