How to block part of a zone
Kevin Darcy
kcd at chrysler.com
Tue Sep 16 16:30:04 UTC 2014
You have multiple choices here.
Loopback is sometimes a bad choice, since the client may try to connect
to itself, and in pathological cases this could cause an infinite loop.
You could consider an A record with RDATA 0.0.0.0, the "null" or
"unspecified" address. It is not legal for that ever to be a destination
address for a connection attempt, so it's marginally safer than 127.0.0.1.
For that matter, you don't need to define *any* A (or AAAA) record in
the zone at all. Then any resolution attempts will get a so-called
"NODATA" response (NOERROR, but 0 answers), which the vast majority of
stub resolvers won't be able to distinguish from NXDOMAIN.
- Kevin
On 9/16/2014 12:20 PM, King, Harold Clyde (Hal) wrote:
> I need to block a host in an exterior domain.
>
> Resolve all traffic for example.com from example.com's DNS servers, but
> stop badhost.example.com.
> I guess I could become authoritative for badhost.example.com and point the
> host to 127.0.0.1.
> Does that sound like bad things would happen?
>
> zone "badhost.example.com" {
>     type master;
>     file "/etc/named/badhost.example.com.db";
> };
>
> $TTL 3600
> badhost.example.com. IN SOA localhost. admin.localhost. (
>     2014091601 ; serial
>     3600       ; refresh
>     900        ; retry
>     860000     ; expire
>     3600 )     ; minimum (negative-cache TTL)
>     IN NS localhost.
>     IN A  127.0.0.1
>
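As an added example (not from the original thread), here is Hal's override zone file rewritten to show the three choices Kevin lists side by side: loopback, the unspecified address, and no address record at all. The zone name, the file path and the localhost NS target are the ones Hal posted; the serial, the AAAA record and the comments are assumptions made for this example.

```zone
; /etc/named/badhost.example.com.db -- example zone file, not from the thread.
; Loaded by a "zone badhost.example.com { type master; ... };" stanza, so
; the rest of example.com still resolves through example.com's own servers.
$TTL 3600
; The last SOA field is also the negative-cache TTL: a NODATA answer from
; variant 3 is cached by downstream resolvers for that long.
@   IN SOA  localhost. admin.localhost. (
            2014091602  ; serial (assumed); bump it on every change
            3600        ; refresh
            900         ; retry
            860000      ; expire
            3600 )      ; minimum / negative-cache TTL
; An NS record is required for the zone to load. On a recursive server that
; is authoritative for this zone it is never used for delegation.
    IN NS   localhost.

; Variant 1: loopback. A client that follows this answer connects to itself,
; which is the case Kevin warns about. Uncomment to use.
;@  IN A    127.0.0.1

; Variant 2: the unspecified address (and its IPv6 counterpart, assumed here).
; Active in this file as written.
@   IN A    0.0.0.0
@   IN AAAA ::

; Variant 3: no A or AAAA record at all. Comment out both records above and an
; A or AAAA query for badhost.example.com returns NOERROR with an empty answer
; section (NODATA). In every variant a name below the apex, such as
; www.badhost.example.com, returns NXDOMAIN because nothing defines it.
```

Check the file with `named-checkzone badhost.example.com /etc/named/badhost.example.com.db` before loading it, then `rndc reload badhost.example.com` and confirm with `dig @127.0.0.1 badhost.example.com A`: variant 3 shows `status: NOERROR` and `ANSWER: 0`, while `dig @127.0.0.1 www.badhost.example.com A` shows `status: NXDOMAIN`. One caveat on variant 2: although 0.0.0.0 is never a valid destination, Linux treats a connect() to 0.0.0.0 (and to ::) as a connection to the local host, so on Linux clients it behaves like variant 1; on most other systems the connect attempt fails immediately. If that matters, variant 3 is the one that never hands the client an address.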