How to filter ip addresses accessing our resolver.
Chris Meadors
bind at clubneon.com
Fri Mar 30 16:21:22 UTC 2001
On Mon, 26 Mar 2001, Kevin Darcy wrote:
> If you really want to lock things down, use allow-query globally to forbid
> all external queries, and then open up selectively only for the zones that
> you serve to the public. But even that is not perfect, since a misconfigured
> stub resolver or forwarding nameserver which is already pointing at your
> server may just start failing over to some other nameserver so quickly that
> the user/administrator might never notice enough of a delay to realize there
> is a problem.
It would seem that views (from BIND9) are really what I want, but someone
mentioned that views don't work with includes, and our configuration here
is heavily based on included files.
So I have done what you recommended above. I created an acl called
"hereintown" of the IPs used on our network. And put "allow-query {
localhost; hereintown; };" in the global options. Next I went to every
zone and added "allow-query { any; };".
So now I'm tailing my log file, and watching these:
client 216.33.236.166#2357: query denied
Lines slowly come in. I was like, cool, it works, so I wanted to see who
the sucker is that was trying to use my name server:
$host 216.33.236.166
166.236.33.216.IN-ADDR.ARPA domain name pointer f288.law7.hotmail.com
Hotmail? I've also seen Ebay in there, along with other random ISPs.
So what is Hotmail doing trying to query my name server?
-Chris
--
Two penguins were walking on an iceberg. The first penguin said to the
second, "you look like you are wearing a tuxedo." The second penguin
said, "I might be..." --David Lynch, Twin Peaks
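The setup described in this thread, written out as a named.conf fragment. This is an added illustration, not configuration from the original post: the zone names, file names and address ranges are placeholders, and the allow-recursion line goes one step beyond what the post mentions.

```conf
// Added example (not from the original post). Address ranges, zone names
// and file paths are placeholders.

// The "hereintown" acl from the post: the address ranges of our own network.
acl "hereintown" {
    127.0.0.1;
    192.0.2.0/24;        // placeholder: office network
    198.51.100.0/24;     // placeholder: second internal range
};

options {
    directory "/var/named";

    // Global default: only we may query this server at all. Every zone
    // inherits this unless it sets its own allow-query.
    allow-query { localhost; hereintown; };

    // Not in the original post: restrict recursion the same way, so outside
    // clients cannot use us as a general-purpose resolver even for names in
    // the zones opened up below.
    allow-recursion { localhost; hereintown; };
};

// A zone we serve to the public. The zone-level allow-query overrides the
// global one, so anyone may ask for names in this zone.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

// An internal-only zone. No allow-query here, so the global
// { localhost; hereintown; } applies and outside clients are denied.
zone "internal.example" {
    type master;
    file "internal.example.zone";
};
```

The per-zone allow-query { any; } is what keeps the public zones answerable while the global setting produces the "query denied" log lines the post is watching; a zone without its own allow-query simply inherits the global restriction. Kevin Darcy's caveat still applies: a stub resolver or forwarder already pointed at this server will quietly fail over to another nameserver rather than tell anyone it is being denied.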
More information about the bind-users mailing list