Poisoning & error messages question...
Barry Margolin
barmar at alum.mit.edu
Sat Jul 9 00:36:27 UTC 2005
In article <dalvjk$15os$1 at sf1.isc.org>,
Carl Holtje <lists at freeside.dnsalias.org> wrote:
> All-
>
> I'm looking for a way to prevent certain names from being resolved on a
> small home network (host files are too cumbersome to keep synchronized,
> so a network-wide solution is a must). I've currently employed a technique
> by which I pose as the authority of a DNS zone, and query a null zone
> file.
>
> This works, but resolves to a "valid" IP (it does not reference an actual
> system, but DNS doesn't reflect that fact.. so a program will resolve to
> this non-existent address, and then try to contact it). What I'd like is
> for my BIND9 server to reply with something akin to a 'host not found'
> error message, and stop the attempt cold.
>
> Is it possible to do this? I was thinkin' instead of resolving to an
> address, not resolve anything (by removing the A entry).. While this seems
> like it would work, it also seems like a big hack..
Seems just fine to me. For purposes of a client trying to resolve a
name to an address, there's little difference between an NXDOMAIN
response (meaning the name doesn't exist) and a zero-record NOERROR
response (the name exists but has no records of the requested type).
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
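The two outcomes Barry compares can be seen directly on the wire. The following is an added example, not code from the bind-users thread or from BIND itself: it builds the authoritative replies a "null zone" produces, first in the poster's original form (every name in the zone answers with a bogus address) and then with the A record removed, and then runs a minimal stub-resolver check over each reply. The zone name `blocked.example`, the address `192.0.2.1` and the simplified model of the zone's behaviour (the apex still exists because the SOA and NS live there, so it yields NOERROR with zero A records, while any name below the apex yields NXDOMAIN) are assumptions made for the example, not taken from the post.

```python
"""Added example (not from the thread): what a client sees from a sinkhole
zone with its A record, versus the same zone with the A record removed.
Zone name and addresses are constructed placeholders."""
import struct

TYPE_A, CLASS_IN = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed name; return (name, offset just past it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointers are not handled by this toy parser")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_response(qname, rcode, addresses=(), ttl=60):
    """Authoritative reply to an A query: header, echoed question, A records."""
    flags = 0x8000 | 0x0400 | 0x0100 | rcode   # QR, AA, RD set; RCODE in the low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addresses), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        msg += encode_name(qname) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return msg


def sinkhole_answer(zone, qname, bogus_a=None):
    """Model of the poster's technique: the server claims authority for `zone`.

    bogus_a set   -> original null zone: every name in the zone gets that address.
    bogus_a=None  -> A record removed: the apex (where SOA/NS live) still exists,
                     so it yields NOERROR with zero A records; anything below the
                     apex yields NXDOMAIN.
    Returns None for names outside the zone (not ours to answer)."""
    zone, qname = zone.strip(".").lower(), qname.strip(".").lower()
    if qname != zone and not qname.endswith("." + zone):
        return None
    if bogus_a is not None:
        return build_response(qname, RCODE_NOERROR, [bogus_a])
    if qname == zone:
        return build_response(qname, RCODE_NOERROR)      # NODATA
    return build_response(qname, RCODE_NXDOMAIN)


def interpret(response):
    """What a stub resolver makes of a reply: ("nxdomain"|"nodata"|"ok", [addrs])."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question section
        _, offset = decode_name(response, offset)
        offset += 4
    if flags & 0x000F == RCODE_NXDOMAIN:
        return "nxdomain", []
    addrs = []
    for _ in range(ancount):
        _, offset = decode_name(response, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A:
            addrs.append(".".join(str(b) for b in response[offset:offset + rdlen]))
        offset += rdlen
    return ("ok" if addrs else "nodata"), addrs


def connect_target(response):
    """Address a client would go on to contact, or None if the attempt stops cold."""
    status, addrs = interpret(response)
    return addrs[0] if status == "ok" else None


if __name__ == "__main__":
    zone = "blocked.example"
    for label, reply in [
        ("with bogus A ", sinkhole_answer(zone, "ads." + zone, bogus_a="192.0.2.1")),
        ("A removed    ", sinkhole_answer(zone, "ads." + zone)),
        ("apex, removed", sinkhole_answer(zone, zone)),
    ]:
        print(label, interpret(reply), "-> client contacts:", connect_target(reply))
```

The point of the two `None` results is Barry's: whether the reply is NXDOMAIN (the name below the apex) or a zero-record NOERROR (the apex itself), `connect_target` has no address to try, whereas the original null-zone file hands the client `192.0.2.1` and it goes on to attempt a connection.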