preventing queries to servers (from my server)

markdv.bind at asphyx.net
Fri Apr 29 12:49:02 UTC 2005


On Fri, 29 Apr 2005, Robert Vangel wrote:
> markdv.bind at asphyx.net wrote:
> > Hi,
> >
> > I would like to prevent queries to rfc1918 addresses on a caching
> > nameserver.
> >
> > The server has a public IP to which clients query. But it is also
> > connected to 'back-end' networks using rfc1918 addresses. I would like to
> > prevent queries sent over this network when public zones contain ns
> > records resolving to rfc1918 addresses in ranges I also use.
> >
> > I was thinking along the lines:
> >
> > server 10.0.0.0/8 {
> >     bogus yes;
> > };
> >
> > but the 'server' statement only allows ip_addr and not ip_prefix... Is
> > there some other way to achieve the same thing?
> >
> > wouldn't it be useful if 'server' also supported ip_prefix? Or even an
> > acl?
> >
> > Regards,
> > Mark.
> >
> >
> allow-query { localnets; }; ?

No, it's a caching server that receives recursive queries from public IPs.

Let me give an example of what I mean:

The server is queried for A nl-central-sus.bnl.group.cmg.com. At some
point this leads to:

group.cmg.com.  IN NS   cmg-amv-dc01.group.cmg.com.

and thanks to some glue somewhere:

cmg-amv-dc01.group.cmg.com.    IN A   10.0.59.65

This is obviously broken as it points to their internal network,
and is unreachable from the internet...

Unfortunately I also use IPs in this range internally, so my server starts
to send requests to this IP on my internal network. So that's why I would
like to classify all IPs in this/these range(s) as 'bogus'.

Rgds,
Mark.
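Added example, not part of the thread: a small Python check that flags the kind of delegation Mark describes, an NS whose glue address lands in RFC 1918 space, and records whether that address also collides with the resolver's own internal prefixes (the case where a recursive query would actually go out onto the back-end network). The record list, the `find_private_glue` function and the `local_prefixes` argument are constructed here for illustration.

```python
import ipaddress

# RFC 1918 private address space, the ranges the thread is about.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the delegation quoted in the thread plus one sane
# delegation. Each record is (owner, rrtype, rdata) as seen in a referral.
SAMPLE_RECORDS = [
    ("group.cmg.com.", "NS", "cmg-amv-dc01.group.cmg.com."),
    ("cmg-amv-dc01.group.cmg.com.", "A", "10.0.59.65"),
    ("example.net.", "NS", "ns1.example.net."),
    ("ns1.example.net.", "A", "192.0.2.10"),
]


def in_any(addr, nets):
    """True if addr falls inside any of the given networks (mixed
    IPv4/IPv6 comparisons simply return False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def find_private_glue(records, local_prefixes=()):
    """Return [(zone, nsname, address, collides)] for every NS whose glue
    address lies in RFC 1918 space. collides is True when the address also
    falls inside one of the resolver's own internal prefixes, i.e. the
    query would be sent onto the resolver's back-end network."""
    local = [ipaddress.ip_network(p) for p in local_prefixes]
    ns_targets = {}  # nsname -> zone it is delegated for
    glue = {}        # name -> list of A/AAAA addresses seen as glue
    for owner, rrtype, rdata in records:
        if rrtype == "NS":
            ns_targets[rdata.lower()] = owner
        elif rrtype in ("A", "AAAA"):
            glue.setdefault(owner.lower(), []).append(rdata)
    findings = []
    for nsname, zone in ns_targets.items():
        for addr in glue.get(nsname, []):
            if in_any(addr, RFC1918):
                findings.append((zone, nsname, addr, in_any(addr, local)))
    return findings


if __name__ == "__main__":
    # Resolver that uses 10.0.0.0/8 internally, as in the thread.
    for finding in find_private_glue(SAMPLE_RECORDS, ["10.0.0.0/8"]):
        print(finding)
```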


