redirecting a single host

Kevin Darcy kcd at daimlerchrysler.com
Thu Sep 11 21:46:53 UTC 2003


Alex Aved wrote:

> Gentle listers,
>   I have been asked by one of our network people the following question:
> would it be possible to redirect people (people who are using our DNS
> server on our network) going to windowsupdate.microsoft.com to our own
> local server?  Of course, we'd like queries to anything-else.microsoft.com
> to be forwarded up the chain of DNS servers & resolved correctly.
>   Is this possible?  We're running BIND 9.2.2.

Yes, you could define "windowsupdate.microsoft.com" as a separate zone along
all of your resolution paths. How difficult that is to implement, depends
largely on your resolution infrastructure. If you have many servers which all
have the ability to query the Internet for DNS, then you'd have to define this
special zone on all of them; if your resolution paths are consolidated to only
a few forwarders, then you only need to define the zone on _them_.

Probably it would make sense to define the special zone as a master zone on all
of the boxes in order to avoid any zone-transfer overhead, unless you think you
might want to change the contents of the zone, in which case configuring
all-but-one of them as slaves would probably be a better choice.

If there are or will be subzones of windowsupdate.microsoft.com, and you want
names in those subzones to resolve, you'll need to delegate from your
"special" version of windowsupdate.microsoft.com.

If you're doing this because of MSBLASTER or something like it, be aware that
such malware often spoofs the source addresses of their DoS attacks
semi-randomly (to something within your network, but not the actual source of
the packet). So if you "redirect" the DoS target to an internal server, you may
find that this causes that internal "honeypot" server to effectively spray
SYN-ACK packets across your network (or RSTs if there is no server listening on
the relevant port). It was for this reason we decided *not* to add bogus
"windowsupdate.com" entries to our internal root zone for MSBLASTER. (In
retrospect, I suppose one could simply null-route the requests, but in our case
we wanted to avoid even the initial SYN packets traversing our WAN links).


- Kevin
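An added example (not part of Kevin's reply and not BIND project code) of the setup described above: a BIND 9 zone stanza for the forwarders that hold the master copy, a matching slave stanza for any other internal resolver that should pull the zone from them, and the zone data itself, with a delegation record for a subzone. The nameserver names, the 192.0.2.0/24 and 10.0.0.10 addresses, the serial and the subzone label `sub` are placeholders I assumed for illustration; substitute your own. The `type master`/`type slave` keywords are the ones BIND 9.2 understands.

```shell
#!/bin/sh
# Writes the BIND 9 configuration for a local override of
# windowsupdate.microsoft.com and validates it with BIND's own checkers
# when they are installed. All hostnames, addresses and the subzone name
# below are assumed placeholders, not values from the original post.
set -eu

ZONE="windowsupdate.microsoft.com"

# Zone stanza for the forwarders, which hold the master copy.  $1 = output path.
write_master_conf() {
    cat > "$1" <<EOF
zone "$ZONE" {
    type master;
    file "master/$ZONE.zone";
    // only the internal resolvers that slave this zone (placeholder range)
    allow-transfer { 192.0.2.0/24; };
};
EOF
}

# Stanza for any other internal resolver that should slave the zone rather
# than carry its own master copy.  $1 = output path, $2 = master's address.
write_slave_conf() {
    cat > "$1" <<EOF
zone "$ZONE" {
    type slave;
    masters { $2; };
    file "slave/$ZONE.zone";
};
EOF
}

# Zone data.  $1 = output path, $2 = serial, $3 = address of the local
# server that should answer for windowsupdate.microsoft.com.
# Because this zone shadows the real one, any subzone that must keep
# resolving has to be delegated from here (the NS for 'sub' is a placeholder;
# point it at whatever server really serves that subzone).
write_zone() {
    cat > "$1" <<EOF
\$TTL 300
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                $2      ; serial
                3600    ; refresh
                900     ; retry
                604800  ; expire
                300 )   ; negative-answer TTL
        IN NS   ns1.example.com.
        IN A    $3
www     IN A    $3
sub     IN NS   ns.sub.example.
EOF
}

# Syntax-check the generated files if named-checkconf/named-checkzone exist.
# $1 = named.conf fragment, $2 = zone file.
check_files() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$2" >/dev/null
    fi
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1" >/dev/null
    fi
}

# Usage: sh override-zone.sh /tmp/out  (writes the three files and checks them)
if [ -n "${1:-}" ]; then
    mkdir -p "$1"
    write_master_conf "$1/named.conf.fragment"
    write_slave_conf "$1/slave.conf.fragment" 192.0.2.1
    write_zone "$1/$ZONE.zone" 2003091101 10.0.0.10
    check_files "$1/named.conf.fragment" "$1/$ZONE.zone"
fi
```

Only the one name is overridden: anything-else.microsoft.com is not covered by this zone, so the forwarders keep resolving it normally. If every resolver carries the master copy, as suggested for a static override, drop the `allow-transfer` line; if you expect to change the zone, keep one master and let the rest slave from it so a serial bump propagates.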




More information about the bind-users mailing list