Blocking access

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 7 22:52:40 UTC 2006


The problem is you didn't state your original question very clearly. 
"block access to a.b.c.d server at DNS level" could, among other 
interpretations, mean

a) create an "override" in your nameserver's DNS namespace, such that clients trying to resolve a.b.c.d will get different data than what would be returned as the result of "normal" name resolution, or no useful information at all (the concealment or misdirection that this effects then in a vague sense serves to "block" your clients' access to the site or resource at a.b.c.d), or

b) prevent your nameserver(s) from accessing the nameserver at address a.b.c.d

Apparently Lou Goddard gave your question the (b) interpretation, and answered it adequately (although I would add to his response that defining the address as "bogus" is a slightly more generous approach than "blackhole", since it still allows queries from the address to be responded to). At least one other poster (myself) gave your question the (a) interpretation, and answered as best we could. So now you have two sets of answers to your question, along with a mild rebuke for being so ambiguous in the first place.

							- Kevin


sam wrote:
> Lou Goddard wrote:
>> Check out black hole in named.conf
>>
>> Taken from the Bind ARM:
>> "blackhole Specifies a list of addresses that the server will not accept queries from or use to resolve a query. Queries from these addresses will not be responded to. The default is none."
>>
>> For more information see the BIND Administrator's Reference Manual ( Bind ARM )
>>
>> http://www.isc.org/index.pl?/sw/bind/bind9.2.php
>>
>
> Hi,
> I added an ACL and used blackhole in the options clause, but after 
> reloading named.conf with the ndc reload command, nslookup is still able to 
> show its IPs.
>
>
> acl "google_desktops" {
>          72.14.219.99;
>          72.14.219.104;
>          72.14.219.147;
> };
>
> options {
>          directory "/etc/namedb";
>          pid-file "/var/run/named/pid";
>
>          blackhole {
>                  // Deny anything from the google_desktops networks as
>                  // detailed in the "google_desktops" ACL.
>                  google_desktops;
>          };
>
>          forwarders {
>                  10.0.0.8;
>                  10.0.0.9;
>                  10.0.0.10;
>          };
> ....
> };
>
> # ping outbound_sac.enable.desktop.google.com
> ping: cannot resolve outbound_sac.enable.desktop.google.com: Unknown 
> server error
> # nslookup outbound_sac.enable.desktop.google.com
> Server:  localhost
> Address:  127.0.0.1
>
> Non-authoritative answer:
> Name:    desktopservices.l.google.com
> Addresses:  72.14.219.104, 72.14.219.147, 72.14.219.99
> Aliases:  outbound_sac.enable.desktop.google.com
>
> Any idea?
>
> S
>> -----Original Message-----
>> From: bind-users-bounce at isc.org on behalf of sam
>> Sent: Tue 6/6/2006 6:39 PM
>> To: comp-protocols-dns-bind at isc.org
>> Subject: Blocking access
>>  
>> Hi,
>>
>> Does anyone know how to block access to a.b.c.d server at DNS level?
>>
>> Thanks
>> S

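Kevin's two interpretations side by side, as an added example that is not part of the thread: a named.conf in which the blackhole ACL from sam's post gives (b), and a locally mastered zone for the queried name gives (a) by answering from the server's own namespace so the forwarders are never asked. The zone file path and the placeholder NS name are assumptions; addresses and names are taken from sam's post.

```conf
// named.conf (added example; paths are assumed)
acl "google_desktops" {
        72.14.219.99;
        72.14.219.104;
        72.14.219.147;
};

options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        forwarders { 10.0.0.8; 10.0.0.9; 10.0.0.10; };

        // (b) Do not accept queries from, or send queries to, these addresses.
        // This governs whom named talks to; it does not rewrite any answer.
        blackhole { google_desktops; };
};

// (a) Override: this server is authoritative for the name, so clients get the
// data in the zone file below instead of the forwarded answer (the CNAME to
// desktopservices.l.google.com is never seen).
zone "outbound_sac.enable.desktop.google.com" {
        type master;
        file "override/outbound_sac.enable.desktop.google.com.db";  // assumed path
};

; --- /etc/namedb/override/outbound_sac.enable.desktop.google.com.db ---
; (zone-file syntax from here on; ';' starts a comment)
$TTL 300
@       IN      SOA     localhost. hostmaster.localhost. (
                        2006060701      ; serial
                        3600            ; refresh
                        900             ; retry
                        604800          ; expire
                        300 )           ; negative-cache TTL
        IN      NS      localhost.
; Concealment: no A record at the apex, so lookups get a NODATA answer.
; Misdirection instead: uncomment the next line.
;       IN      A       127.0.0.1
```

Check both files with named-checkconf and named-checkzone before reloading. A resolver that forwards everything, as in the thread, never contacts the blackholed web-server addresses in the first place, which is why (b) alone leaves the returned answer unchanged.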