Bind and blacklist IP file

Kevin Darcy kcd at chrysler.com
Mon Oct 11 19:09:58 UTC 2010


On 10/11/2010 2:44 PM, Nuno Paquete wrote:
>
> Ok, but you can always browse by IP address and in this case there is 
> no DNS server that can stop you from browsing what you want.
> If you want to block IP address access you have to use firewall, or if 
> you are talking about http traffic and have a proxy, maybe you have to 
> block there. That's why I completely agree this should not be blocked 
> at DNS level.
>

To nitpick: address-block-based filtering *could* be implemented in DNS. 
The same mechanisms that are used to prevent "rebinding" attacks -- e.g. 
BIND's *deny-answer-addresses* -- could theoretically be repurposed to 
strip addresses in certain "banned" ranges from DNS responses. Arguably 
this is a misuse/abuse of the feature.

     - Kevin
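For readers who have not seen the option Kevin refers to, here is what the
repurposing he describes looks like in named.conf. This is an added
illustration, not configuration from the original thread or from ISC; the
zone name "corp.example" and the "banned" range 203.0.113.0/24 (a
documentation prefix standing in for whatever range one wanted to block)
are placeholders.

```conf
options {
    directory "/var/cache/bind";
    recursion yes;

    // Intended use of the feature: rebinding defence. If an answer received
    // from another server maps a name to one of these addresses, named
    // rejects the response (it is not cached and the client gets SERVFAIL).
    deny-answer-addresses {
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;
        127.0.0.0/8;
        ::1/128;

        // The "repurposing" from the post: a public range whose names we
        // want to make unresolvable. 203.0.113.0/24 is a placeholder.
        203.0.113.0/24;
    } except-from {
        // Names that are legitimately allowed to resolve into the ranges
        // above (for example an internal domain with RFC 1918 addresses).
        "corp.example";
    };

    // Companion option for CNAME/DNAME targets, same except-from semantics.
    deny-answer-aliases {
        "corp.example";
    } except-from {
        "corp.example";
    };
};
```

Two caveats worth keeping in mind before doing this. First, as documented
in the BIND ARM's content-filtering section, a matching answer is rejected
as a whole and the client receives SERVFAIL; the offending records are not
quietly removed from an otherwise intact response, so the practical effect
is "name does not resolve", not "name resolves without those addresses".
Second, the filter applies only to responses named receives from other
servers, and, as Nuno points out, it does nothing against a client that
already knows the address and connects to it directly; that still needs a
firewall or proxy rule.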


