rfc1918 ns records coming from internet are queried?
ivan jr sy
ivan_jr at yahoo.com
Fri Nov 28 20:01:27 UTC 2008
this might also help..
http://code.google.com/p/google-dnswall
in a nutshell, it's like a DNS proxy server; you can use this to forward to BIND, between your clients and your internal BIND servers.
it filters:
- Invalid IP address: an IP address that starts with 0; i.e. 0.x.x.x
- Node-Local IP address: 127.x.x.x
- Link-Local IP address: 169.254.x.x
- Site-Local IP address: 10.x.x.x, 172.x.x.x, 192.168.x.x
- Multicast IP address: 224.x.x.x
"DNSWall is a proof-of-concept (PoC) tool developed by some security researchers from Stanford University as a protection mechanism against DNS rebinding attacks."
http://securebits.org/blog/blog.php/2008/10/15/dnswall-a-protection-mechanism-against-d
--- On Fri, 11/28/08, David Sparks <dave at ca.sophos.com> wrote:
> From: David Sparks <dave at ca.sophos.com>
> Subject: Re: rfc1918 ns records coming from internet are queried?
> To: "bind-users at isc.org" <bind-users at isc.org>
> Date: Friday, November 28, 2008, 8:29 AM
> Thanks, the suggestion below looks like it might be what
> I'm looking for.
>
> ds
>
> > You can in fact set up the environment I described using views. Just
> > have the private view forward to the internet view. The following
> > resolving name server will ignore referrals to private name servers
> > for outside names; note that it's missing the masters list definition
> > named "private-auth-servers", plus the options statement, but is
> > otherwise complete.
> >
> > acl "private" {
> >     10/8;
> >     172.16/12;
> >     192.168/16;
> >     # does not include 127/8
> > };
> > view "private" {
> >     match-clients { private; };
> >     # forward unknown names to the internet view:
> >     forward only;
> >     forwarders { 127.0.0.1; };
> >     # stub, slave, or forward zones for the private namespace:
> >     zone "private.zone" {
> >         type stub;
> >         masters { private-auth-servers; };
> >         file "stub.private.zone";
> >         forwarders { }; # disable forwarding for stub zones
> >     };
> > };
> > view "internet" {
> >     server 10/8 { bogus yes; };
> >     server 172.16/12 { bogus yes; };
> >     server 192.168/16 { bogus yes; };
> >     allow-query { 127.0.0.1; };
> > };
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
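A filter of the kind DNSWall applies, as an added example that is not code from the original post or from the DNSWall project: it parses a DNS response and drops answer-section A records whose address falls in the ranges listed above, leaving the rest of the message intact. The sample response is constructed inline, and "172.x.x.x" is taken to mean the RFC 1918 block 172.16.0.0/12 as in the quoted BIND config.

```python
import ipaddress
import struct

# Ranges DNSWall drops (list above; 172.x.x.x taken as RFC 1918 172.16.0.0/12).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETS)

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def filter_response(msg: bytes) -> tuple:
    """Drop answer-section A records in blocked ranges; return (msg, dropped)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    kept, dropped, questions = [], [], msg[12:off]
    for _ in range(an):
        start = off
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:  # type A: inspect the IPv4 RDATA
            ip = str(ipaddress.IPv4Address(msg[off - 4:off]))
            if is_blocked(ip):
                dropped.append(ip)
                continue
        kept.append(msg[start:off])
    header = struct.pack("!6H", txid, flags, qd, len(kept), ns, ar)
    # authority and additional sections (msg[off:]) pass through unchanged
    return header + questions + b"".join(kept) + msg[off:], dropped

def build_sample() -> bytes:
    """Constructed response: example.test A 198.51.100.7 and A 10.0.0.5."""
    def a_rr(ip):  # owner name is a compression pointer to the question name
        return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    return struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + question + a_rr("198.51.100.7") + a_rr("10.0.0.5")
```

Running `filter_response(build_sample())` returns the message with only the public answer and `["10.0.0.5"]` as the dropped list; a deployment would also apply the same check to glue in the additional section.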