can bind filter the result
Bill Larson
wllarso at swcp.com
Mon Apr 20 02:07:35 UTC 2009
On Apr 19, 2009, at 6:49 PM, JINMEI Tatuya / 神明達哉 wrote:
> At Mon, 20 Apr 2009 08:40:15 +0800,
> Ken Lai <soulhacker511 at gmail.com> wrote:
>
>> For example, a user sends a query to my server, and the server
>> forwards this
>> query to an outer DNS server. The outer server returns an A record to
>> my server,
>> what I want to do is, my server will not respond to client if I do
>> not want
>> the client to know this A record.
>
> It's still not very clear...what's the key of the filtering? The
> query name such as www.isc.org, or the data of the answer (the IPv4
> address in the case of an A RR), or something else?
Ken, I don't think that you are asking a very clear question which
makes answering it difficult. You may have assumptions in your
questions that can't cleanly be answered with a DNS solution.
But, if what you are asking is whether, if someone that uses your DNS
server asks for "www.xyz.com" and you don't want them to access this
server, then yes, there is a possibility of using DNS to block this
access. This is a common question that is regularly asked and answered
on this list.
Create a zone for "www.xyz.com" and give an "A" resource record to
this name with an address of 127.0.0.1 (or whatever). Then when
someone asks your server for an "A" record for "www.xyz.com" then they
will be given the IP address of 127.0.0.1. If you want to clobber any
name in a particular zone, like "xyz.com", then you can create a
wildcard "A" record pointing to an IP address. Maybe the IP address
you want to point to for these purposes is the IP address for a web
server that simply returns a web page saying "what do you think you
are doing?" All of this is regularly answered on this list. Look
over the archives.
Now, you will have to do this for every name in your list of
"blacklisted" machines. If this list is long, then you will have lots
of zones to set up. And, each host that you need to add to this list
will be another zone to define. Not difficult, a shell script can do
most of the work for you, but not trivial either.
Now, two problems are associated with this process. First, make sure
that your DNS information doesn't get out to the rest of the Internet,
you could cause severe problems and people will not like you. Second,
DNS isn't an appropriate way to solve this problem anyway. If your
users know the IP address of the server that you are trying to block,
then they can simply use the IP address directly and they will bypass
your DNS server.
Also remember that the Internet is used for other purposes than just
web access, which is what I strongly suspect is your actual goal. Are
you sure that you want to block HTTP/web access this way? This will
also block mail too! Be very clear about what you are asking for.
Although this filtering can be done this way, if you are having to
ask this question then it indicates a level that implies that you are
going to have difficulty implementing it. Find another, better,
solution.
If you want to "filter" access to the Internet then "filter" the
network traffic to the Internet. This means setting up and managing a
firewall. This firewall router will simply not forward any traffic to
the hosts that you have "blacklisted". A much simpler solution to
manage. There are many pre-packaged systems that provide this type of
capability.
Bill Larson
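The approach Bill describes (one master zone per blocked name, with a wildcard "A" record so subdomains are caught too, generated by a shell script from a blacklist) as an added example that is not from the original thread. The blocklist format, the sinkhole address, the output paths and the `localhost.` SOA/NS names are assumptions.

```shell
#!/bin/sh
# Added example: generate BIND sinkhole zones from a blacklist file.
# Every name gets its own zone whose apex and wildcard A records point at
# SINKHOLE_IP (127.0.0.1 by default, as in the post). Assumed layout.
SINKHOLE_IP="${SINKHOLE_IP:-127.0.0.1}"

# Print a minimal zone file for $1: $1 and *.$1 resolve to SINKHOLE_IP.
# SOA/NS names are placeholders; the zone is only served to local clients.
make_zone_file() {
    cat <<EOF
\$TTL 300
@   IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
@   IN NS   localhost.
@   IN A    $SINKHOLE_IP
*   IN A    $SINKHOLE_IP
EOF
}

# Print the named.conf stanza for zone $1 stored in file $2.
# allow-transfer { none; } keeps the fake data from leaking via AXFR.
make_zone_stanza() {
    printf 'zone "%s" { type master; file "%s"; allow-transfer { none; }; };\n' "$1" "$2"
}

# Read blacklist $1 (one name per line, '#' comments allowed), write one
# zone file per name into directory $2 and the zone stanzas into $3.
# Prints the number of zones generated; malformed names are skipped.
generate() {
    list=$1; dir=$2; conf=$3; n=0
    mkdir -p "$dir"
    : > "$conf"
    while IFS= read -r line; do
        name=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$name" ] && continue
        # Only plain hostnames: anything else could corrupt named.conf
        case $name in *[!A-Za-z0-9.-]*|.*|*.) continue ;; esac
        make_zone_file "$name" > "$dir/$name.zone"
        make_zone_stanza "$name" "$dir/$name.zone" >> "$conf"
        n=$((n + 1))
    done < "$list"
    echo "$n"
}
```

Include the generated stanza file from named.conf on the recursive server that your clients use; as Bill notes, clients who know the IP address bypass this entirely.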