can bind filter the result

Bill Larson wllarso at swcp.com
Mon Apr 20 02:07:35 UTC 2009


On Apr 19, 2009, at 6:49 PM, JINMEI Tatuya / 神明達哉 wrote:

> At Mon, 20 Apr 2009 08:40:15 +0800,
> Ken Lai <soulhacker511 at gmail.com> wrote:
>
>> for example, a user sends a query to my server, and the server forwards this
>> query to an outer DNS server. The outer server returns an A record to my server.
>> What I want to do is, my server will not respond to the client if I do not want
>> the client to know this A record.
>
> It's still not very clear...what's the key of the filtering?  The
> query name such as www.isc.org, or the data of the answer (the IPv4
> address in the case of an A RR), or something else?


Ken, I don't think that you are asking a very clear question which  
makes answering it difficult.  You may have assumptions in your  
questions that can't cleanly be answered with a DNS solution.

But, if what you are asking is whether, if someone that uses your DNS
server asks for "www.xyz.com" and you don't want them to access this
server, there is some way to stop that, then yes, there is a possibility
of using DNS to block this access.  This is a common question that is
regularly asked and answered on this list.

Create a zone for "www.xyz.com" and give an "A" resource record to  
this name with an address of 127.0.0.1 (or whatever).  Then when  
someone asks your server for an "A" record for "www.xyz.com" then they  
will be given the IP address of 127.0.0.1.  If you want to clobber any  
name in a particular zone, like "xyz.com", then you can create a  
wildcard "A" record pointing to an IP address.  Maybe the IP address  
you want to point to for these purposes is the IP address for a web  
server that simply returns a web page saying "what do you think you  
are doing?"  All of this is regularly answered on this list.  Look  
over the archives.

Now, you will have to do this for every name in your list of  
"blacklisted" machines.  If this list is long, then you will have lots  
of zones to set up.  And, each host that you need to add to this list  
will be another zone to define.  Not difficult, a shell script can do  
most of the work for you, but not trivial either.

Now, two problems are associated with this process.  First, make sure
that your DNS information doesn't get out to the rest of the Internet;
you could cause severe problems and people will not like you.  Second,
DNS isn't an appropriate way to solve this problem anyway.  If your
users know the IP address of the server that you are trying to block,
then they can simply use the IP address directly and they will bypass
your DNS server.

Also remember that the Internet is used for other purposes than just  
web access, which is what I strongly suspect is your actual goal.  Are  
you sure that you want to block HTTP/web access this way?  This will  
also block mail too!  Be very clear about what you are asking for.

Although this filtering can be done this way, if you are having to
ask this question then it indicates a level that implies that you are
going to have difficulty implementing it.  Find another, better,
solution.

If you want to "filter" access to the Internet then "filter" the
network traffic to the Internet.  This means setting up and managing a  
firewall.  This firewall router will simply not forward any traffic to  
the hosts that you have "blacklisted".  A much simpler solution to  
manage.  There are many pre-packaged systems that provide this type of  
capability.

Bill Larson
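A shell script of the kind Bill mentions, added here as an example and not part of the original thread: it turns a blocklist (one name per line) into one BIND zone file per name, with the apex and wildcard A records pointing at 127.0.0.1 as described above, plus the matching named.conf stanzas with zone transfers disabled so the bogus data stays on your own resolver. The output directory layout, the `hostmaster` contact and the SOA timers are assumptions.

```shell
#!/bin/sh
# Constructed example: generate BIND "sinkhole" zones for a blocklist.
# SINK_ADDR defaults to 127.0.0.1, the address suggested in the post.
SINK_ADDR="${SINK_ADDR:-127.0.0.1}"

# Emit a minimal zone file for one blocked name.  The apex A record catches
# queries for the name itself; the wildcard catches anything beneath it
# (the "xyz.com" case).  The NS record points at the zone's own name so the
# zone is self-contained; it is never meant to be delegated or transferred.
# The SOA timers and hostmaster contact are arbitrary assumed values.
sinkhole_zone() {
    name=$1
    printf '$TTL 300\n'
    printf '@ IN SOA %s. hostmaster.%s. ( 1 3600 900 604800 300 )\n' "$name" "$name"
    printf '@ IN NS %s.\n' "$name"
    printf '@ IN A %s\n' "$SINK_ADDR"
    printf '* IN A %s\n' "$SINK_ADDR"
}

# Emit the named.conf stanza that loads the zone.  allow-transfer { none; }
# keeps the fake data from being pulled by other servers (the post's first
# warning: this information must not get out to the rest of the Internet).
sinkhole_stanza() {
    name=$1
    dir=$2
    printf 'zone "%s" {\n' "$name"
    printf '    type master;\n'
    printf '    file "%s/db.%s";\n' "$dir" "$name"
    printf '    allow-transfer { none; };\n'
    printf '};\n'
}

# Read a blocklist file ('#' comment lines and blank lines are skipped),
# write db.<name> into the directory given as $2, and print the named.conf
# stanzas to stdout so they can be redirected into an included file.
build_sinkhole() {
    list=$1
    dir=$2
    mkdir -p "$dir"
    grep -v '^[[:space:]]*#' "$list" | grep -v '^[[:space:]]*$' |
    while read -r name; do
        sinkhole_zone "$name" > "$dir/db.$name"
        sinkhole_stanza "$name" "$dir"
    done
}
```

Each generated file can be checked with `named-checkzone <name> <file>` before reloading named, and the stanza output belongs only in the configuration of the resolver your clients use, never on an authoritative server.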

