Find all host A records in loadsharing

Dirk-Willem van Gulik dirkx at webweaving.org
Sun Jun 27 17:03:57 UTC 2004



On Thu, 17 Jun 2004, AnyBody43 wrote:

> I need to configure a firewall to pass traffic from our internal
> network to certain internet hosts (for example to allow ftp to
> ftp.hp.com) but many do diabolical load sharing/

Unless you use something like an ftp-proxy you are probably fighting a
losing battle keeping up adding the various IPs and following the
changes in the Content Delivery Network (CDN) used.

However if filtering strictly on ftp.hp.com is still crucial to you - the
way I've dealt with that is by using an apache proxy; as that is one
of the few consenting ways a middle man can get access to the name rather
than the IP used (reverse DNS is no use - the CDNs are opaque).

Essentially block all ftp/http on site and institute a 'must use proxy'
policy. Then install a proxy (apache or squid will do - the latter if
caching is important to you). Then on the proxy institute filtering by
name; and thus stay close to an ftp.hp.com filter.

DO be very careful about the search path and order in resolv.conf; i.e.
depending on your setup your system may look up both ftp.hp.com. -and- just
before that ftp.hp.com.localsitename.com. - allowing certain types of
bypassing.

Dw
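The name-based proxy filter described in the message above, written out as a squid.conf fragment. This is an added example, not configuration from the original post; the internal network range is a constructed placeholder, and Squid 3.x or later ACL syntax is assumed.

```squid
# squid.conf fragment (added example): allow the internal network to reach
# ftp.hp.com by name only, and deny everything else.

# Internal network that is allowed to use the proxy (constructed example range).
acl localnet src 10.0.0.0/8

# dstdomain matches the host name the client asked for, not the IP it resolves
# to, so CDN address changes do not matter. "ftp.hp.com" matches that exact
# host; a leading dot (".hp.com") would also match every subdomain, which is
# broader than this filter wants.
acl hp_ftp dstdomain ftp.hp.com
acl ftp_scheme proto FTP

# Keep the default: do not complete single-label names from the local search
# list. For the dotted-name case in the message above, also make sure the
# proxy host's own resolv.conf carries no "search" or "domain" line, and
# confirm with a lookup that ftp.hp.com. is what actually resolves.
dns_defnames off

# All three ACLs on one line are ANDed: internal source, exact name, FTP scheme.
http_access allow localnet hp_ftp ftp_scheme
http_access deny all
```

With the firewall blocking direct ftp/http from the internal network, only traffic that names ftp.hp.com through the proxy gets out, regardless of which CDN address it lands on.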


More information about the bind-users mailing list