How to filter IP addresses accessing our resolver.

Chris Meadors bind at clubneon.com
Fri Mar 30 16:21:22 UTC 2001


On Mon, 26 Mar 2001, Kevin Darcy wrote:

> If you really want to lock things down, use allow-query globally to forbid
> all external queries, and then open up selectively only for the zones that
> you serve to the public. But even that is not perfect, since a misconfigured
> stub resolver or forwarding nameserver which is already pointing at your
> server may just start failing over to some other nameserver so quickly that
> the user/administrator might never notice enough of a delay to realize there
> is a problem.

It would seem that views (from BIND9) are really what I want, but someone
mentioned that views don't work with includes, and our configuration here
is heavily based on included files.

So I have done what you recommended above.  I created an acl called
"hereintown" of the IPs used on our network.  And put "allow-query {
localhost; hereintown; };" in the global options.  Next I went to every
zone and added "allow-query { any; };".

So now I'm tailing my log file, and watching these:

client 216.33.236.166#2357: query denied

Lines slowly come in.  I was like, cool, it works, so I wanted to see who
the sucker is that was trying to use my name server:

$ host 216.33.236.166
166.236.33.216.IN-ADDR.ARPA domain name pointer f288.law7.hotmail.com

Hotmail?  I've also seen Ebay in there, along with other random ISPs.

So what is Hotmail doing trying to query my name server?

-Chris
-- 
Two penguins were walking on an iceberg.  The first penguin said to the
second, "you look like you are wearing a tuxedo."  The second penguin
said, "I might be..."                         --David Lynch, Twin Peaks
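The layout described in the message above, written out as a named.conf fragment. This is an added example, not the poster's actual configuration: the addresses use the documentation ranges 192.0.2.0/24 and 2001:db8::/32, and example.com stands in for the real zones. It also adds an allow-recursion statement, which the message does not mention; with the global allow-query in place it changes nothing, but it states the real goal (nobody outside uses this server as a resolver) directly and keeps holding if someone later loosens the global allow-query.

```conf
// Added example, not the poster's named.conf. Addresses and zone names
// are constructed (RFC 5737 / RFC 3849 documentation ranges, example.com).

acl "hereintown" {
    127.0.0.1;          // the server itself
    192.0.2.0/24;       // our LAN (constructed)
    2001:db8::/32;      // our IPv6 range (constructed)
};

options {
    directory "/var/named";

    // Default for every zone that does not say otherwise: only local
    // clients may ask anything. A query from outside for a name that is
    // not in one of the opened-up zones below is what produces the
    //   client 216.33.236.166#2357: query denied
    // lines in the log.
    allow-query { localhost; hereintown; };

    // Independent of allow-query: only local clients may use the cache
    // and recursive lookup. Redundant with the global allow-query above,
    // but it survives if that line is ever relaxed to { any; }.
    allow-recursion { localhost; hereintown; };
};

// A zone we serve to the public: override the global default so the
// whole Internet can ask about it. Every public zone needs this,
// including reverse (in-addr.arpa) zones and slave copies; a public
// zone that is missed here is unreachable from outside.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};

// The matching reverse zone for the public range: easy to forget.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "2.0.192.in-addr.arpa.zone";
    allow-query { any; };
};

// Internal-only zone: inherits the global allow-query, nothing to add.
zone "corp.example.com" {
    type master;
    file "corp.example.com.zone";
};
```

One check worth doing before trusting the denied-query log as a list of "suckers": confirm that each zone you expect the outside world to resolve, reverse zones included, carries its own allow-query { any; }. A mail provider looking up the PTR for one of your hosts, or the MX for one of your domains, is a legitimate authoritative query, and if that zone lacks the override it shows up in the log as denied exactly like a stray resolver would.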