can bind filter the result
John Wobus
jw354 at cornell.edu
Fri Apr 24 18:20:22 UTC 2009
On Apr 20, 2009, at 2:55 AM, Ken Lai wrote:
> Let's take an example. My DNS server is called SrvA, the outer DNS server
> is called SrvB.
>
> Normally, the client sends the query to SrvA, and SrvA forwards it to
> SrvB, and SrvA returns a result which came from SrvB to the client.
> Unfortunately SrvB sometimes will return an A record that is an
> advertisement site IP to SrvA. So I don't want to respond to the client if
> the returned IP address is the advertisement site address.
>
> Filtering the domain name may not be suitable.
>
> Thanks.
If I understand correctly, the goal is to avoid answering any queries for A records where the answer points at any of a specific list of blacklisted IP addresses.
As has been said, such filtering does not fit well with bind or any typical DNS servers. Ideas:
Periodically scan the cache for names pointing at these addresses, and
dynamically create zones?
Run a very clever firewall config in front of the DNS server that
filters out such answers?
Instead of doing something with the DNS, use access lists or custom
routes in your routers to block the addresses?
In any case, if you "succeed" in addressing the problem by providing no answer, you may find the solution to be unacceptable because of timeout delays.
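The first idea in the reply (scan the cache, then create zones for the offending names) can be sketched as a small script. This is an added example, not code from the original thread or from BIND itself: it parses a constructed snippet shaped like an `rndc dumpdb -cache` dump, picks out owner names whose A/AAAA rdata falls inside a hypothetical blacklist of address ranges, and renders `zone` stanzas that point each such name at an assumed empty zone file (`/etc/bind/db.empty`). The names, addresses and file path are all assumptions.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed sample, shaped like an `rndc dumpdb -cache` dump (named_dump.db).
# Names and addresses are made up (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_DUMP = """\
; Start view _default
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20090424182022
; authanswer
ads.example.net.        300     IN      A       192.0.2.10
                        300     IN      A       192.0.2.11
www.example.com.        3600    IN      A       198.51.100.5
; additional
cdn.example.org.        120     IN      A       203.0.113.7
                        120     IN      AAAA    2001:db8::7
"""

# Hypothetical "advertisement site" address ranges (assumption, not from the thread).
BLACKLIST = ["192.0.2.0/24", "203.0.113.7/32"]

# Hypothetical empty zone file shared by every generated zone (assumption).
EMPTY_ZONE_FILE = "/etc/bind/db.empty"


def parse_cache_dump(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, rrtype, rdata) triples from a BIND cache dump.

    Comment lines (';'), directives ('$DATE') and blank lines are skipped.
    A line starting with whitespace carries no owner name and belongs to
    the most recently seen owner, as in master-file syntax.
    """
    records: List[Tuple[str, str, str]] = []
    owner = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith((";", "$")):
            continue
        fields = raw.split()
        if raw[0].isspace():
            if owner is None:
                continue  # continuation line before any owner: malformed, skip
        else:
            owner = fields[0].rstrip(".").lower()
            fields = fields[1:]
        # Anchor on the class field so an optional TTL in front of it does not matter.
        if "IN" not in fields:
            continue
        idx = fields.index("IN")
        if len(fields) < idx + 3:
            continue
        rrtype = fields[idx + 1].upper()
        rdata = " ".join(fields[idx + 2:])
        records.append((owner, rrtype, rdata))
    return records


def find_blacklisted_names(records, networks) -> List[str]:
    """Owner names with at least one A/AAAA record inside any blacklisted network."""
    nets = [ipaddress.ip_network(n) for n in networks]
    hits: Set[str] = set()
    for owner, rrtype, rdata in records:
        if rrtype not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rdata)
        except ValueError:
            continue  # not an address literal; ignore
        # Membership across IP versions is simply False, so mixed lists are safe.
        if any(addr in net for net in nets):
            hits.add(owner)
    return sorted(hits)


def render_zone_stanzas(names, empty_zone_file: str = EMPTY_ZONE_FILE) -> str:
    """Render one named.conf `zone` stanza per name, all backed by the empty zone file."""
    lines = ['zone "%s" { type master; file "%s"; };' % (n, empty_zone_file) for n in names]
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    recs = parse_cache_dump(SAMPLE_DUMP)
    bad = find_blacklisted_names(recs, BLACKLIST)
    print(render_zone_stanzas(bad), end="")
```

Loading the generated stanzas makes the server authoritative for each listed name and everything below it, so a hit on `cdn.example.org` also blanks out `img.cdn.example.org`; that side effect is the main reason to review the list before including it. An empty authoritative zone also returns a negative answer immediately, which avoids the timeout delay the reply warns about for the drop-the-answer approach.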