Adding records to a domain I don't control for anyone who uses my nameserver

Matthew Huff mhuff at ox.com
Mon Mar 2 18:07:36 UTC 2009


Unfortunately this is common in the financial services realm. Compliance requires us to archive all IM messages from Google, AOL, MSN, and Yahoo. Blocking it with ACLs doesn't work since the IM clients will resort to HTTP and are pretty clever about hiding it. Blocking IP addresses doesn't work since they change frequently. Spoofing the DNS zones is the only solution. The IM archive server companies usually provide email updates when some of the zones change.

----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com  | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139


-----Original Message-----
From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Sam Wilson
Sent: Monday, March 02, 2009 12:56 PM
To: comp-protocols-dns-bind at isc.org
Subject: Re: Adding records to a domain I don't control for anyone who uses my nameserver

In article <goadgr$2au5$1 at sf1.isc.org>,
 Barry Margolin <barmar at alum.mit.edu> wrote:

> In article <go6pea$2rua$1 at sf1.isc.org>,
>  Brandon Dimcheff <bdimchef at wieldim.com> wrote:
> 
> > Hello,
> > 
> > I'm trying to configure BIND to add some records to a domain that I  
> > don't control, so that anybody who uses my nameserver will have the  
> > additional records.  Specifically, I'm trying to add xmpp SRV records  
> > so our jabber infrastructure that uses our nameserver can contact a  
> > handful of domains properly.  All other records for the domain should  
> > work as defined by their authoritative server.
> > 
> > Example:
> > 
> > dig @127.0.0.1 SRV _xmpp_client._tcp.example.com. should return my SRV  
> > record hosted by my server
> > dig @127.0.0.1 A example.com should return example.com's A record by  
> > recursive lookup
> > 
> > Does anybody have any suggestions?  I've tried a few different things,  
> > but none of them seem to have worked.
> 
> I don't think you can do this with BIND.  Its database is organized by 
> names, not types.  If a server is authoritative for a name, it will 
> never recurse for that name.

He could create a local zone for the domain 
_xmpp_client._tcp.example.com containing only the SRV record (plus the 
necessary SOA and NS records).  That way any lookups for *.example.com 
and *._tcp.example.com would get directed to the real example.com 
servers.  It's a horrible thing to do, though, to claim authority for 
someone else's address space.  What happens when example.com sets up its 
own _xmpp_client._tcp.example.com with different data in it?  Who debugs 
that?

Sam
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
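The following is an added example, not code from the thread or from BIND. It models the "override zone" approach Sam describes: the resolver is declared authoritative for the single name `_xmpp_client._tcp.example.com` (spelled as in the thread; the registered XMPP service label in RFC 6120 is `_xmpp-client._tcp`), so the SRV record comes from local data while `example.com` and `www._tcp.example.com` still recurse to the real servers. The zone-selection logic is a simplified model of how an authoritative server picks the closest enclosing zone, and all zone names, hosts, addresses and file paths are constructed for illustration. It also shows the failure mode both Barry and Sam point at: once the local zone encloses a name, nothing the real `example.com` later publishes at that name (or any other type at it) is ever seen.

```python
"""Added example, not from the thread: model an override zone for one
SRV owner name and show which queries it captures. All names, hosts and
paths are constructed."""

from textwrap import dedent


def closest_enclosing_zone(qname, zones):
    """Return the most specific configured zone (as given in `zones`) that
    contains qname, or None when no local zone matches, in which case a
    recursive server would go and ask the real authority."""
    q = qname.rstrip(".").lower()
    best_key, best_len = None, -1
    for zone in zones:
        z = zone.rstrip(".").lower()
        if (q == z or q.endswith("." + z)) and len(z) > best_len:
            best_key, best_len = zone, len(z)
    return best_key


def resolve(qname, qtype, local_zones, upstream):
    """Simulate the answer a client of this resolver sees.

    local_zones: {zone name: {(owner, type): rdata}} the server claims.
    upstream:    {(owner, type): rdata} as published by the real servers,
                 i.e. what a recursive lookup would return.
    Returns (source, rdata); source is 'recursive', 'local' or
    'local-nodata'. A name inside a local zone never reaches `upstream`,
    which is the shadowing problem raised in the thread.
    """
    q = qname.rstrip(".").lower()
    zone = closest_enclosing_zone(q, local_zones)
    if zone is None:
        return ("recursive", upstream.get((q, qtype)))
    rdata = local_zones[zone].get((q, qtype))
    if rdata is None:
        return ("local-nodata", None)      # authoritative NODATA/NXDOMAIN
    return ("local", rdata)


def override_zone_file(zone, srv_target, port, ns_host, hostmaster, serial):
    """Render the minimal zone Sam describes: SOA, NS and the one SRV
    record. SRV priority 0 / weight 0 and the timers are constructed."""
    return dedent(f"""\
        $ORIGIN {zone}.
        $TTL 300
        @   IN SOA {ns_host}. {hostmaster}. {serial} 3600 900 604800 300
        @   IN NS  {ns_host}.
        @   IN SRV 0 0 {port} {srv_target}.
        """)


def named_conf_stanza(zone, path):
    """named.conf stanza declaring authority for only the SRV owner name
    (constructed file path)."""
    return dedent(f"""\
        zone "{zone}" {{
            type master;
            file "{path}";
        }};
        """)


# Constructed data for the walk-through.
OVERRIDE = "_xmpp_client._tcp.example.com"
LOCAL = {
    OVERRIDE: {(OVERRIDE, "SRV"): "0 0 5222 xmpp.internal.example.net."},
}
UPSTREAM = {
    ("example.com", "A"): "192.0.2.10",
    ("www._tcp.example.com", "A"): "192.0.2.11",
    # Suppose example.com later publishes its own data at this name:
    (OVERRIDE, "SRV"): "0 0 5222 xmpp.example.com.",
    (OVERRIDE, "TXT"): "owner-published",
}

if __name__ == "__main__":
    for name, qtype in [("example.com", "A"), ("www._tcp.example.com", "A"),
                        (OVERRIDE, "SRV"), (OVERRIDE, "TXT")]:
        print(f"{name:32} {qtype:4} -> {resolve(name, qtype, LOCAL, UPSTREAM)}")
    print(named_conf_stanza(OVERRIDE, "/etc/bind/override/xmpp.db"))
    print(override_zone_file(OVERRIDE, "xmpp.internal.example.net", 5222,
                             "ns1.example.net", "hostmaster.example.net",
                             2009030201))
```

Running the walk-through shows the two behaviours the thread discusses side by side: `A example.com` and `A www._tcp.example.com` are answered recursively from the real data, while `SRV _xmpp_client._tcp.example.com` comes from the local zone. The `TXT` query at the same name returns a local NODATA even though the real owner publishes a record there, and the owner's own later SRV record is never consulted; that shadowing is why Sam calls it a horrible thing to do, and it is also why anyone running such overrides should keep an inventory of them and re-check the real authority's data periodically. Note too that every name below `_xmpp_client._tcp.example.com` is captured by the local zone, not just the apex.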
