How do I get named to not log events from certain IPs.

Taylor, Grant gtaylor at riverviewtech.net
Mon Jul 31 23:49:49 UTC 2006


On 07/31/06 17:17, Barry Margolin wrote:
> What firewalls allow you to block DNS packets specifically by request 
> type?  They all use the same port numbers.

You should be able to build a firewall based on IPTables base match 
extension u32 
(http://www.netfilter.org/projects/patch-o-matic/pom-base.html#pom-base-u32) 
which will allow you to pull 4 bytes out of the packet.  I would think that 
it would be possible to set up a filter that consisted of multiple allow 
rules with a default of fail.  Check to see if the traffic is a query for 
one of your hosted domains.  If the traffic is not for one of your domains 
drop or reject it.  I would recommend that you send an ICMP packet that 
informs the (l)user that they are doing something they should not do.

You could build a series of tests like this:

If double word matches "myfi"rstdomain.tld accept.
If double word matches "myse"conddomain.tld accept.
etc.
Reject packet as it is not allowed.

Or if you want to be more paranoid:

If double word matches "myfi"rstdomain.tld
    If double word matches myfi"rstd"omain.tld
       If double word matches myfirstd"omai"n.tld
          If double word matches myfirstdomai"n.tl"d
             If double word matches myfirstdomain.tl"d"
                Packet completely matches "myfirstdomain.tld" so accept.
If double word matches "myse"conddomain.tld
    If double word matches myse"cond"domain.tld
       If double word matches mysecond"doma"in.tld
          If double word matches myseconddoma"in.t"ld
             If double word matches myseconddomain.t"ld"
                Packet completely matches "myseconddomain.tld" so accept.
etc.
Reject packet as it is not allowed.

I know that this is somewhat convoluted, but it will work.  You could also 
filter based on request type for a given query.

There is always the obvious of using "fgrep" on your log file to remove the 
rejected entries.  :)



Grant. . . .
.
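The allow-list Grant sketches above, worked through as an added example (this is not code from the thread, from BIND or from netfilter). It generates the "-m u32 --u32" tests from a zone name and renders the accept rules plus a default REJECT. Two assumptions beyond the post: the tests compare the QNAME in DNS wire format (length-prefixed labels, lowercased), since that is what is actually on the wire rather than the bare ASCII string in the sketch, and the packet is IPv4/UDP to port 53 with the first question directly after the 12-byte DNS header. The helper names (qname_wire, qname_checks, u32_expression, build_rules, packet_matches, sample_query) and the sample packet are this example's own.

```python
"""Generate iptables u32 allow-list rules for DNS queries to hosted zones.

Added example, not from the bind-users thread. Assumes IPv4 + UDP port 53,
a standard DNS header and the QNAME of the first question right after it.
All function names and the sample packet below are constructed for this example.
"""
import struct

UDP_HDR_LEN = 8
DNS_HDR_LEN = 12
# Offset of the first QNAME, counted from the start of the transport header.
QNAME_OFFSET = UDP_HDR_LEN + DNS_HDR_LEN
# u32 prefix that dereferences the IPv4 IHL field, so the offsets below stay
# relative to the transport header even when IP options are present.
IHL_DEREF = "0>>22&0x3C@"


def qname_wire(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (lowercased).

    Caveat: u32 is an exact byte match, so a client sending mixed-case
    labels (e.g. 0x20 randomisation) would not match the lowercase value.
    """
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def qname_checks(name: str):
    """Split the wire-format name into (offset, mask, value) 32-bit checks.

    The last word is masked so a name whose length is not a multiple of four
    does not read (and match on) whatever bytes follow it.
    """
    wire = qname_wire(name)
    checks = []
    for i in range(0, len(wire), 4):
        chunk = wire[i:i + 4]
        value = int.from_bytes(chunk.ljust(4, b"\0"), "big")
        mask = (0xFFFFFFFF << (8 * (4 - len(chunk)))) & 0xFFFFFFFF
        checks.append((QNAME_OFFSET + i, mask, value))
    return checks


def u32_expression(checks) -> str:
    """Render the checks in iptables -m u32 --u32 syntax (tests joined by &&)."""
    parts = []
    for offset, mask, value in checks:
        loc = f"{IHL_DEREF}{offset}"
        if mask != 0xFFFFFFFF:
            loc += f"&0x{mask:08X}"
        parts.append(f"{loc}=0x{value:08X}")
    return " && ".join(parts)


def build_rules(hosted_zones, chain="DNS_ALLOW"):
    """One ACCEPT per zone apex, then REJECT with ICMP as the post suggests.

    Limitation: this matches the QNAME from its first byte, so only queries
    for the zone apex itself pass; names below the apex put the zone at a
    variable offset that a fixed u32 test cannot express.
    """
    rules = [
        f"iptables -N {chain}",
        f"iptables -A INPUT -p udp --dport 53 -j {chain}",
    ]
    for zone in hosted_zones:
        expr = u32_expression(qname_checks(zone))
        rules.append(f'iptables -A {chain} -m u32 --u32 "{expr}" -j ACCEPT')
    rules.append(f"iptables -A {chain} -j REJECT --reject-with icmp-port-unreachable")
    return rules


def packet_matches(ip_packet: bytes, checks) -> bool:
    """Evaluate the checks the way the u32 match would on a raw IPv4 packet."""
    ihl = (ip_packet[0] & 0x0F) * 4  # same quantity as 0>>22&0x3C
    for offset, mask, value in checks:
        start = ihl + offset
        word = ip_packet[start:start + 4]
        if len(word) < 4:  # u32 fails any test that reads past the packet end
            return False
        if int.from_bytes(word, "big") & mask != value:
            return False
    return True


def sample_query(name: str) -> bytes:
    """Constructed IPv4/UDP packet carrying an A query for `name` (not a real capture)."""
    question = qname_wire(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", 40000, 53, UDP_HDR_LEN + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return ip + udp


if __name__ == "__main__":
    for rule in build_rules(["myfirstdomain.tld", "myseconddomain.tld"]):
        print(rule)
    checks = qname_checks("myfirstdomain.tld")
    print(packet_matches(sample_query("myfirstdomain.tld"), checks))  # True
    print(packet_matches(sample_query("evil.example"), checks))       # False
```

Running it prints the five iptables lines for two zones; the IHL dereference and the masked last word are the two details the ASCII sketch in the post glosses over, and the packet_matches helper lets you check a generated expression against a constructed packet before loading anything into a live firewall.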


