Bind and blacklist IP file
Kevin Darcy
kcd at chrysler.com
Mon Oct 11 19:09:58 UTC 2010
On 10/11/2010 2:44 PM, Nuno Paquete wrote:
>
> Ok, but you can always browse by IP address and in this case there is
> no DNS server that can stop you from browsing what you want.
> If you want to block IP address access you have to use firewall, or if
> you are talking about http traffic and have a proxy, maybe you have to
> block there. That's why I completely agree this should not be blocked
> at DNS level.
>
To nitpick: address-block-based filtering *could* be implemented in DNS.
The same mechanisms that are used to prevent "rebinding" attacks -- e.g.
BIND's *deny-answer-addresses* -- could theoretically be repurposed to
strip addresses in certain "banned" ranges from DNS responses. Arguably
this is a misuse/abuse of the feature.
- Kevin
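
An added example, not part of the message above or of the BIND distribution: a named.conf fragment that uses deny-answer-addresses for rebinding protection, with one extra range standing in for a "banned" block. The ranges and the zone name corp.example are assumptions; on a match, named discards the whole response and returns SERVFAIL rather than removing individual records.

```conf
// named.conf fragment (constructed example; every range and the zone
// name "corp.example" are assumptions, not values from this thread).
options {
    // Rebinding protection: reject answers for external names whose
    // A/AAAA records point into internal or link-local address space.
    deny-answer-addresses {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
        127.0.0.0/8;
        169.254.0.0/16;
        ::1/128;
        fc00::/7;
        fe80::/10;

        // The "repurposed" use discussed in the thread: a public range
        // treated as banned. 203.0.113.0/24 is a documentation range
        // used here as a placeholder.
        203.0.113.0/24;
    }
    // Names at or below corp.example may legitimately resolve to the
    // internal ranges, so the filter is skipped for them.
    except-from { "corp.example"; };

    // Companion filter: reject CNAME/DNAME answers for external names
    // that alias into the internal namespace.
    deny-answer-aliases { "corp.example"; };
};
```

This only affects clients that resolve through this server; as the quoted message says, access by literal IP address never touches DNS and has to be handled at a firewall or proxy.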