How do I get named to not log events from certain IPs.
Taylor, Grant
gtaylor at riverviewtech.net
Mon Jul 31 23:49:49 UTC 2006
On 07/31/06 17:17, Barry Margolin wrote:
> What firewalls allow you to block DNS packets specifically by request
> type? They all use the same port numbers.
You should be able to build a firewall based on IPTables base match
extension u32
(http://www.netfilter.org/projects/patch-o-matic/pom-base.html#pom-base-u32)
which will allow you to pull 4 bytes out of the packet. I would think that
it would be possible to set up a filter that consisted of multiple allow
rules with a default of fail. Check to see if the traffic is a query for
one of your hosted domains. If the traffic is not for one of your domains
drop or reject it. I would recommend that you send an ICMP packet that
informs the (l)user that they are doing something they should not do.
You could build a series of tests like this:
If double word matches "myfi"rstdomain.tld accept.
If double word matches "myse"conddomain.tld accept.
etc.
Reject packet as it is not allowed.
Or if you want to be more paranoid:
If double word matches "myfi"rstdomain.tld
If double word matches myfi"rstd"omain.tld
If double word matches myfirstd"omai"n.tld
If double word matches myfirstdomai"n.tl"d
If double word matches myfirstdomain.tl"d"
Packet completely matches "myfirstdomain.tld" so accept.
If double word matches "myse"conddomain.tld
If double word matches myse"cond"domain.tld
If double word matches mysecond"doma"in.tld
If double word matches myseconddoma"in.t"ld
If double word matches myseconddomain.t"ld"
Packet completely matches "myseconddomain.tld" so accept.
etc.
Reject packet as it is not allowed.
I know that this is somewhat convoluted, but it will work. You could also
filter based on request type for a given query.
There is always the obvious of using "fgrep" on your log file to remove the
rejected entries. :)
Grant. . . .
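As an added illustration (not part of Grant's post, and not real iptables u32 syntax), the following Python models the "double word" allow-list he describes: each hosted name is turned into fixed-offset 4-byte (offset, value, mask) tests over the question section of a constructed DNS query, with a default of REJECT, in both the loose single-word variant and the full ("paranoid") variant, plus the optional request-type check. It assumes the tests run on the DNS message itself (a real u32 rule would first skip the IP and UDP headers) and a plain query with no name compression.

```python
import struct

# Constructed example: a Python model of the fixed-offset 4-byte ("double word")
# tests that an iptables u32 match applies. It looks only at the DNS message
# (the UDP payload); a real u32 expression would first skip the IP and UDP headers.
QUESTION_OFFSET = 12   # DNS header is 12 bytes; the question (QNAME) follows
WORD = 4               # u32 compares one 32-bit word per test


def qname_wire(name: str) -> bytes:
    """Encode a domain name as wire-format labels: length byte + label, 0 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (constructed sample traffic): header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + qname_wire(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN


def dword_tests(domain: str, paranoid: bool = True):
    """Turn a hosted domain into (offset, value, mask) word tests over the question.

    paranoid=False is the post's first variant: one test on the first 4 bytes.
    paranoid=True tests every 4-byte window of the encoded name, terminator
    included, masking out bytes past the end of the name in the final window.
    """
    wire = qname_wire(domain)
    tests = []
    for off in range(0, len(wire), WORD):
        chunk = wire[off:off + WORD]
        mask = (0xFFFFFFFF << (8 * (WORD - len(chunk)))) & 0xFFFFFFFF
        value = int.from_bytes(chunk.ljust(WORD, b"\x00"), "big")
        tests.append((QUESTION_OFFSET + off, value, mask))
        if not paranoid:
            break
    return tests


def matches(packet: bytes, tests) -> bool:
    """True if every (offset, value, mask) test holds on the packet."""
    for off, value, mask in tests:
        window = packet[off:off + WORD].ljust(WORD, b"\x00")
        if int.from_bytes(window, "big") & mask != value:
            return False
    return True


def qtype_of(packet: bytes) -> int:
    """QTYPE of the first question (queries carry no name compression, so the
    first zero byte after the header terminates the QNAME)."""
    end = packet.index(b"\x00", QUESTION_OFFSET)
    return struct.unpack("!H", packet[end + 1:end + 3])[0]


def decide(packet: bytes, hosted, paranoid: bool = True, allowed_qtypes=None) -> str:
    """Allow-list policy with a default of REJECT: accept only queries for hosted
    names (and, optionally, only for permitted record types)."""
    if allowed_qtypes is not None and qtype_of(packet) not in allowed_qtypes:
        return "REJECT"
    for domain in hosted:
        if matches(packet, dword_tests(domain, paranoid)):
            return "ACCEPT"
    return "REJECT"


if __name__ == "__main__":
    hosted = ["myfirstdomain.tld", "myseconddomain.tld"]
    for name in ["myfirstdomain.tld", "myfirstdomain.tle",
                 "www.myfirstdomain.tld", "other.example"]:
        pkt = build_query(name)
        print(f"{name:24} loose={decide(pkt, hosted, paranoid=False):6} "
              f"full={decide(pkt, hosted, paranoid=True)}")
```

Running it shows why the post's second variant is worth the extra rules: the single-word test accepts a lookalike such as `myfirstdomain.tle` because only the first four wire bytes are compared, while the full match rejects it. Because every test sits at a fixed offset, a name at a different position (`www.myfirstdomain.tld`, whose encoding starts with the `www` label) matches nothing, so each hosted name and each subdomain needs its own set of tests; DNS over TCP carries a two-byte length prefix and would need separate rules.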