Dropping request packets
Weldon Goree
weldon at weldongoree.com
Wed Apr 21 03:39:12 UTC 2004
Jim Reid wrote:
>Can I have some of whatever it is you've been smoking? :-) BIND[89]
>have a number of mechanisms for dropping packets or refusing access to
>particular clients. The server has access control lists that can be
>applied to zone transfers, dynamic updates, queries, notifies and
>recursive queries. Networks can be blackholed. Name servers can also
>be tagged as bogus so they get ignored. Consult the BIND9 ARM for
>things like the allow-update, allow-transfer, etc clauses; the
>blackhole clause and server{} statement. These hooks are there for a
>reason. Sure, most could also be implemented by a firewall or router.
>But it can also be BIND's "job" to deal with who gets to access the
>name server.
Maybe I misunderstood his question. I thought he was asking if he could
keep a certain IP address from querying his nameserver. allow-notify,
allow-transfer, and allow-update-forwarding don't do that. They set
policies on what hosts can send notifies, transfer zone data, and submit
dynamic updates, respectively.
What BIND configuration do you know of that will prevent, say, someone
at 192.168.1.27 from running nslookup using your nameserver?
>BIND has no way of rate-limiting inbound queries or TCP connections.
>This is something a router or firewall does.
eh?
options
{
    tcp-clients 750;
    recursive-clients 25;
    serial-queries 500;
    // etc...
};
I don't think I'm imagining those...
Weldon Goree
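As an added illustration (not from either poster), here is a named.conf fragment that does what the question above asks: it keeps one host from querying the server, using the ACL and blackhole hooks Jim mentioned, alongside the client-limit options Weldon quotes. The host address is the one used in the thread; the directory path, the local network range and the peer address are assumptions.

```conf
// Added example for this thread, not an excerpt from either message.
acl "blocked-hosts" {
    192.168.1.27;               // the host named in the question above
};

acl "local-nets" {
    192.168.0.0/16;             // assumed local address range
    localhost;
};

options {
    directory "/var/named";     // assumed path

    // blackhole: packets from these addresses are dropped without any
    // response, and the server will not send queries to them either.
    blackhole { blocked-hosts; };

    // allow-query: the ACL version of the same policy. Unlike blackhole,
    // a host that fails this check gets an explicit REFUSED answer.
    // "!blocked-hosts" is a negated ACL element; order matters.
    allow-query     { !blocked-hosts; any; };
    allow-recursion { local-nets; };

    // Per-server client limits (illustrative values, as in the thread).
    tcp-clients       750;
    recursive-clients 25;
};

// A peer marked bogus is never queried by this server.
server 192.0.2.10 {             // placeholder address (RFC 5737 TEST-NET-1)
    bogus yes;
};
```

Check the result with `named-checkconf` before reloading; the difference between a silent drop (blackhole) and a REFUSED answer (allow-query) is worth remembering when reading logs or packet captures later.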