How to filter IP addresses accessing our resolver.

Kevin Darcy kcd at daimlerchrysler.com
Tue Mar 27 20:04:43 UTC 2001


Thomas Duterme wrote:

> Sometime near Mon, Mar 26, 2001 at 05:19:23PM -0500, Kevin Darcy wrote:
> >
> > If you really want to lock things down, use allow-query globally to forbid
> > all external queries, and then open up selectively only for the zones that
> > you serve to the public. But even that is not perfect, since a misconfigured
> > stub resolver or forwarding nameserver which is already pointing at your
> > server may just start failing over to some other nameserver so quickly that
> > the user/administrator might never notice enough of a delay to realize there
> > is a problem.
>
> Ok, so I deny recursion selectively, globally deny queries and selectively open up queries for my zones.  Is there any danger of a bad resolver starting to pummel my nameserver for answers if it doesn't have any other fallback server?

I suppose. But at least in that case someone will *notice* that none of their queries are resolving. So the problem should get fixed fairly quickly and should only be a temporary annoyance. If you wanted to play it safe, you could start shutting off queries *gradually*.
You could start with the A-class networks and work your way into the B-class networks, etc. But frankly, I think that would be more trouble than it's worth.

Besides, all of those mega-corporations with Class-A networks couldn't *possibly* have misconfigured resolvers, could they? :-)

> How would this show up in logs?

Depends on what you're logging. If you're logging queries, you'd probably see "spikes" from certain IP addresses. If you're just logging stats, you'd probably only see an overall increase in query volume.

- Kevin
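As an added illustration (not part of Kevin's or Thomas's messages, and not a file shipped with BIND), the policy Thomas summarises above, "deny recursion selectively, globally deny queries and selectively open up queries for my zones", looks like this in a named.conf fragment. The ACL name, the network ranges and the zone names are placeholders chosen for the example.

```conf
// Added example, not from the thread: named.conf policy sketch.
// "internal" is an assumed ACL for our own clients; 192.0.2.0/24,
// 198.51.100.0/24 and the zone names are placeholders.
acl "internal" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";

    // Global default: nobody outside our networks gets an answer to anything.
    allow-query { "internal"; };

    // Only our own clients may use this server as a recursive resolver;
    // outsiders get REFUSED for names we are not authoritative for.
    allow-recursion { "internal"; };

    // Optional: packets from these sources are dropped silently rather than
    // refused (this is the options-level blackhole Kevin mentions).
    blackhole { 198.51.100.0/24; };
};

// Zones we serve to the public: the zone-level allow-query overrides the
// global default, so anyone can ask about these names (non-recursively).
zone "example.com" {
    type master;
    file "master/example.com";
    allow-query { any; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "master/2.0.192.in-addr.arpa";
    allow-query { any; };
};
```

The zone-level `allow-query { any; }` reopens only the authoritative data; it does not grant recursion, so an outside stub resolver that has been pointed at this server gets answers for `example.com` and REFUSED for everything else, which is exactly the "someone will notice" failure mode Kevin describes. Later BIND 9 releases also added a separate `allow-query-cache` option for controlling who may read cached answers, but the global/zone `allow-query` split above is what was available at the time of the thread.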


>
>
> - Thomas
>
> >
> > Ah, if only blackhole were a zone-level option or I had enough time to code
> > an "answer-bogusly-to" zone-level option...
> >
> > For now, the best thing is to run your external zones on an entirely
> > separate nameserver instance and deny recursion completely (or, more
> > maliciously, configure a root-zone wildcard). Then you have essentially
> > nothing in cache and nobody will benefit from explicitly including your
> > nameserver's address into their configuration (unless of course you've
> > foobar'ed your delegation records, in which case maybe that's the only way
> > they can resolve names in your domain :-).
>
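To make Kevin's answer about logs concrete, here is an added Python example (not from the thread) that reads BIND query-log lines, counts queries per client address and reports the "spikes" he describes. The log lines are constructed for the example; the regular expression accepts both the classic `client 192.0.2.10#53251: query:` form and the newer form that carries a client handle and the queried name in parentheses. The threshold, addresses and names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of BIND 9 query-log lines (not real traffic).
# 203.0.113.7 plays the misconfigured stub resolver with no fallback
# server: it retries the same MX question every few hundred milliseconds.
SAMPLE_LOG = [
    "27-Mar-2001 20:04:43.001 client 192.0.2.10#53251: query: www.example.com IN A +",
    "27-Mar-2001 20:04:43.110 client 192.0.2.11#1053: query: ftp.example.com IN A -",
    "27-Mar-2001 20:04:44.002 client 192.0.2.10#53252: query: example.com IN NS +",
    "27-Mar-2001 20:04:44.500 client @0x7f2b1c0 192.0.2.12#40012 (www.example.com): "
    "query: www.example.com IN AAAA +E(0)K (192.0.2.1)",
    "27-Mar-2001 20:04:45.000 zone example.com/IN: loaded serial 2001032701",
] + [
    "27-Mar-2001 20:04:%02d.%03d client 203.0.113.7#1029: query: mail.example.com IN MX +"
    % (45 + i // 3, (i % 3) * 300)
    for i in range(15)
]

# Matches "client <ip>#<port>" (optionally preceded by a "@0x..." handle) and
# pulls out the queried name and type from the "query:" part of the line.
CLIENT_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r".*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Return (queries per client IP, distinct query names per client IP).

    Lines that are not query-log entries (zone loads, stats, startup
    messages) are skipped, which is what you get when everything is
    logged to one file.
    """
    per_client = Counter()
    names = defaultdict(set)
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        per_client[ip] += 1
        names[ip].add(m.group("qname").lower())
    return per_client, names


def find_spikes(per_client, names, threshold=10):
    """Clients with more than `threshold` queries in the examined window.

    Each entry is (ip, query_count, distinct_names). A high count with very
    few distinct names is the signature of a resolver retrying the same
    question it is not getting answered, rather than a busy but healthy one.
    """
    spikes = []
    for ip, count in per_client.most_common():
        if count <= threshold:
            break  # most_common() is sorted, so nothing later qualifies
        spikes.append((ip, count, len(names[ip])))
    return spikes


if __name__ == "__main__":
    counts, qnames = parse_query_log(SAMPLE_LOG)
    for ip, count, distinct in find_spikes(counts, qnames):
        print("%s: %d queries, %d distinct names" % (ip, count, distinct))
```

Run over a real `querylog` file, this is the per-address "spike" view Kevin contrasts with plain stats logging; the window is simply whatever slice of the file you hand it, so feed it one minute or one hour of lines depending on what you consider a spike.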