How to filter IP addresses accessing our resolver.

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 30 19:10:33 UTC 2001


Chris Meadors wrote:

> On Mon, 26 Mar 2001, Kevin Darcy wrote:
>
> > If you really want to lock things down, use allow-query globally to forbid
> > all external queries, and then open up selectively only for the zones that
> > you serve to the public. But even that is not perfect, since a misconfigured
> > stub resolver or forwarding nameserver which is already pointing at your
> > server may just start failing over to some other nameserver so quickly that
> > the user/administrator might never notice enough of a delay to realize there
> > is a problem.
>
> It would seem that views (from BIND9) are really what I want, but someone
> mentioned that views don't work with includes, and our configuration here
> is heavily based on included files.

I think the only restriction is that you can't have an "include" statement inside
a "view". But include's which are outside views, or zonefile $INCLUDE's, should
work just fine with views.

> So I have done what you recommended above.  I created an acl called
> "hereintown" of the IPs used on our network.  And put "allow-query {
> localhost; hereintown; };" in the global options.  Next I went to every
> zone and added "allow-query { any; };".
>
> So now I'm tailing my log file, and watching these:
>
> client 216.33.236.166#2357: query denied
>
> Lines slowly come in.  I was like, cool, it works, so I wanted to see who
> the sucker is that was trying to use my name server:
>
> $host 216.33.236.166
> 166.236.33.216.IN-ADDR.ARPA domain name pointer f288.law7.hotmail.com
>
> Hotmail?  I've also seen Ebay in there, along with other random ISPs.
>
> So what is Hotmail doing trying to query my name server?

Are you sure someone hasn't delegated a domain to your nameservers without
permission?

Also, if you lift the query restriction for a while, and turn on query logging,
you'll be able to see what these folks are querying and whether the query is
recursive or not. That might help you determine why you're getting queries from
them.


- Kevin
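The named.conf layout discussed in this thread, written out as an added example (it is not Kevin's or Chris's actual configuration, and not taken from the BIND documentation). It assumes a BIND 9 server, keeps the "hereintown" acl in a separate file that is included at the top level outside any view (the one placement Kevin says is safe), locks down recursion so only local clients can use the server as a resolver, and adds the query-log channel Kevin suggests for finding out what the outside clients are asking. The addresses, paths and zone name are placeholders.

```conf
// /etc/named/acl.conf  (pulled in by the top-level include below)
//   acl "hereintown" { 127.0.0.1; 192.0.2.0/24; 198.51.100.0/24; };   // placeholder ranges

// /etc/named.conf
include "/etc/named/acl.conf";     // include sits OUTSIDE every view block

options {
    directory "/var/named";

    // Default for anything not overridden below: only local clients may ask.
    allow-query     { localhost; hereintown; };
    allow-recursion { localhost; hereintown; };
};

logging {
    // Temporary channel for the diagnostic step: see who queries, for what,
    // and whether they ask for recursion (the "+" flag in the log line).
    channel query_log {
        file "/var/named/log/query.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category queries { query_log; };
};

// Inside view: local clients get recursion plus every zone we carry.
view "internal" {
    match-clients { localhost; hereintown; };
    recursion yes;

    zone "example.com" {            // placeholder zone
        type master;
        file "db.example.com";
    };

    zone "internal.example.com" {   // placeholder private zone, never exposed
        type master;
        file "db.internal.example.com";
    };
};

// Outside view: anyone may query, but only for the public zone, and never
// recursively, so the server cannot be used as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };

    zone "example.com" {
        type master;
        file "db.example.com";
    };
};
```

Views are matched top to bottom, so the "internal" view must come first; a client that does not match "hereintown" falls through to "external" and gets "query denied" for anything except the zone listed there. Once the log has answered the question of why Hotmail and the others are querying, drop the "queries" category again, since logging every query is expensive on a busy server.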