No query to root-nameserver for private ips
Leopold Aichinger
tux at example.com
Wed Mar 15 12:13:19 UTC 2006
On Wed, 15 Mar 2006 10:47:52 +0200, Stefan Puiu wrote:
>> # dig @127.0.0.1 +trace 10.1.2.3
>> logged in on the internal dns I get the following output:
>
> You have to use 'dig -x' for reverse lookups. With the command line
> you used it will just look for the domain "10.1.2.3" instead of
> 3.2.1.10.in-addr.arpa as it should.
You are right, but this does not change anything concerning my problem:
# dig @127.0.0.1 +trace -x 10.11.22.33
gives the following output:
----------------------------------------------------------
; <<>> DiG 9.2.4 <<>> @127.0.0.1 +trace -x 10.11.22.33
;; global options: printcmd
. 483349 IN NS c.root-servers.net.
. 483349 IN NS d.root-servers.net.
<-- snip -->
. 483349 IN NS b.root-servers.net.
;; Received 404 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
10.in-addr.arpa. 86400 IN NS BLACKHOLE-1.IANA.ORG.
10.in-addr.arpa. 86400 IN NS BLACKHOLE-2.IANA.ORG.
;; Received 102 bytes from 192.33.4.12#53(c.root-servers.net) in 456 ms
10.in-addr.arpa. 604800 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 2002040800 1800 900 604800 604800
;; Received 119 bytes from 192.175.48.6#53(BLACKHOLE-1.IANA.ORG) in 351 ms
------------------------------------------------------------
Now my DNS contacts the blackhole servers.
But how can I configure my DNS to behave like a blackhole server for the
private IP addresses we don't use?
I want to get rid of this useless traffic generated by misconfigured
clients, who make lookups for host addresses we don't use.
For example, if a client starts a program like retina or langard to
scan our net for used addresses in 192.168.0.0/16, thousands of queries
are generated for IP addresses which will be answered by root nameservers,
because my internal DNS cannot answer them
(for internal reasons I cannot stop pupils from using tools like
that!).
thx, thx for every hint!
leopold aichinger
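The following is an added example of the kind of BIND configuration the question above is asking about; it is not part of the original post and not a reply from the list. It declares the RFC 1918 reverse zones (10/8, 172.16/12, 192.168/16) as locally authoritative empty zones, so that PTR queries for unused private addresses are answered with NXDOMAIN by the internal server instead of being forwarded to the root servers and on to the IANA blackhole servers. The file path `/etc/bind/db.empty` and the `localhost.` SOA/NS names are assumptions chosen for the example.

```conf
// named.conf fragment (added example, BIND 9 syntax).
// Each private reverse zone is served from the same empty zone file, so
// any PTR lookup inside these ranges is answered locally with NXDOMAIN.
// "notify no" keeps the server from sending NOTIFY messages for these
// purely local zones.
zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; notify no; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; notify no; };
// 172.16.0.0/12 spans the sixteen /16 networks 172.16 through 172.31.
zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };
zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; notify no; };

// /etc/bind/db.empty (assumed path): a zone containing only the apex
// records BIND requires. Every other name in the zone does not exist,
// so PTR queries get NXDOMAIN from this server.
// $TTL 86400
// @   IN SOA localhost. root.localhost. ( 1 3600 900 604800 86400 )
//     IN NS  localhost.
```

Two caveats a practitioner would check before deploying this. First, any private range that the site actually uses (for example the 192.168.0.0/16 networks the clients sit in) must not be covered by an empty zone; those blocks need a real reverse zone with proper PTR records, or internal reverse lookups break. Second, after a reload, repeating the `dig @127.0.0.1 +trace -x 10.11.22.33` check from the post should end at the local server with an NXDOMAIN answer and no line showing a root server or BLACKHOLE-1.IANA.ORG being contacted. Newer BIND releases ship these RFC 1918 reverse zones as built-in empty zones (controlled by the `empty-zones-enable` option), so on a current server this configuration may already be in effect by default.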