How do I get named to not log events from certain IPs.
Barry Margolin
barmar at alum.mit.edu
Tue Aug 1 12:46:36 UTC 2006
In article <eam3qu$6sv$1 at sf1.isc.org>,
Doug Barton <dougb at dougbarton.us> wrote:
> Barry Margolin wrote:
> > In article <ealn4m$1s5l$1 at sf1.isc.org>,
> > Doug Barton <dougb at dougbarton.us> wrote:
> >
> >> aarontheyoung at gmail.com wrote:
> >>> Hello,
> >>>
> >>> I have been successful running named on debian for quite some time and
> >>> have recently adjusted my config to only respond for the domains we are
> >>> authoritative for. Now, I am
> >>> getting TONS of hits to our name servers EVEN THOUGH they continue to
> >>> be denied; the same dumb boneheads keep trying to update and query our
> >>> name server for hosts that we don't manage.
> >> Welcome to the wonderful world of DNS administration. :)
> >>
> >>> My hourly log reports are now pretty tough to go through with these
> >>> extra "denied" entries all over the place. Is there a way to configure
> >>> named to NOT log activity from certain IP addresses?
> >> You are better off blocking this sort of stuff with a firewall.
> >
> > What firewalls allow you to block DNS packets specifically by request
> > type? They all use the same port numbers.
>
> Well, perhaps I read that through the filter of my own experience, but I was
> under the impression that all of the traffic was unwanted, and that there
> was no reason for those remote servers to query the OP's servers at all. If
> I'm wrong about that, you're right, it's a much harder problem.
He said "only respond for the domains we are authoritative for", which
implies that it's the public-facing server that his domains are
delegated to. So they have to respond to everyone. Although this
normally only requires responding to everyone's caching server --
queries usually don't come directly from end-user systems (unless
they're running a personal caching server), so it probably *would* be OK
to simply block DNS coming from those IPs. If they're running DHCP and
trying to register themselves in his DNS, they're probably not running
their own caching servers.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
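The thread leaves the OP's actual problem (hourly reports swamped by "denied" entries from a handful of addresses) without a named-side answer. One defensive option that does not require touching named's logging or the firewall is to post-process the log: suppress denied entries from known-noisy prefixes but tally them, so the report stays readable without losing the volume information. The following is an added example, not code from anyone in this thread; the sample log lines are constructed to resemble BIND 9 "security" category messages (the exact format is an assumption and varies by version), and the prefix list and function names are hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log, shaped like BIND 9 "security" category messages
# (assumption: real lines differ slightly between BIND versions).
SAMPLE_LOG = """\
01-Aug-2006 11:00:02.114 security: info: client 192.0.2.15#2048: update 'example.com/IN' denied
01-Aug-2006 11:00:02.903 security: info: client 198.51.100.7#53: query (cache) 'www.example.net/A/IN' denied
01-Aug-2006 11:00:03.117 security: info: client 192.0.2.16#1031: update 'example.com/IN' denied
01-Aug-2006 11:00:04.220 security: info: client 203.0.113.9#4711: query (cache) 'example.org/MX/IN' denied
01-Aug-2006 11:00:05.001 general: info: zone example.com/IN: loaded serial 2006080101
"""

# Matches "client <ip>#<port>: update ... denied" or "client <ip>#<port>: query ... denied".
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: (?P<kind>update|query) .*denied$"
)


def parse_denied(line):
    """Return (client_ip, 'update'|'query') for a denied message, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("kind")


def filter_report(log_text, suppress_prefixes):
    """Split a log into (kept_lines, suppressed_counter).

    Denied messages whose client address falls inside one of suppress_prefixes
    are removed from the readable report but counted per (prefix, kind), so the
    hourly summary still shows how much junk each noisy prefix produced.
    Everything else (other denials, non-security messages) is kept verbatim.
    """
    nets = [ip_network(p) for p in suppress_prefixes]
    kept = []
    suppressed = Counter()
    for line in log_text.splitlines():
        parsed = parse_denied(line)
        if parsed is None:
            kept.append(line)
            continue
        ip, kind = parsed
        addr = ip_address(ip)
        match = next((n for n in nets if addr in n), None)
        if match is None:
            kept.append(line)  # denial from an address we did not ask to suppress
        else:
            suppressed[(str(match), kind)] += 1
    return kept, suppressed


def summary_lines(suppressed):
    """One human-readable line per (prefix, kind) tally, in stable order."""
    return [
        f"suppressed {count} {kind} denied from {net}"
        for (net, kind), count in sorted(suppressed.items())
    ]


if __name__ == "__main__":
    # Hypothetical noisy prefix; in practice this comes from the operator's own list.
    kept, suppressed = filter_report(SAMPLE_LOG, ["192.0.2.0/24"])
    for line in kept:
        print(line)
    for line in summary_lines(suppressed):
        print(line)
```

Keeping the tally rather than dropping the lines outright matters: a sudden jump in the suppressed count is exactly the signal you would want to notice when a dynamic-update storm starts, and it costs nothing to carry it in the report.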