DNS Sinkhole in BIND

Lightner, Jeff JLightner at water.com
Mon Oct 17 13:39:06 UTC 2011


For some reason those rules wrapped to one line on the bounce back - each rule starts with the -A and ends with the DROP.

-----Original Message-----
From: bind-users-bounces+jlightner=water.com at lists.isc.org [mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf Of Lightner, Jeff
Sent: Monday, October 17, 2011 9:29 AM
To: TCPWave Customer Care; babu dheen
Cc: bind-users at lists.isc.org
Subject: RE: DNS Sinkhole in BIND

While setting up blackholes in BIND works fine, when I did this on Linux I found that setting up iptables to do drops for known bad IPs/ranges was slightly better, as the traffic never gets to BIND in the first place; it is stopped at kernel level. It simply DROPs the packet without telling the bad guys why packets didn't go through.

Example rules for various IPs that have annoyed me in the past:

-A RH-Firewall-1-INPUT -s 68.222.240.22 -j DROP
-A RH-Firewall-1-INPUT -s 203.142.82.222 -j DROP
-A RH-Firewall-1-INPUT -s 217.54.97.137 -j DROP
-A RH-Firewall-1-INPUT -s 217.219.20.226 -j DROP
-A RH-Firewall-1-INPUT -s 218.212.248.7 -j DROP

Of course you can do ranges as well in iptables.

Also you should be sure that you're restricting things like recursion and cache to trusted environments (i.e. internal lookups) while still allowing lookups for domains you're authoritative for to the outside.


-----Original Message-----
From: bind-users-bounces+jlightner=water.com at lists.isc.org [mailto:bind-users-bounces+jlightner=water.com at lists.isc.org] On Behalf Of TCPWave Customer Care
Sent: Sunday, October 16, 2011 7:43 PM
To: babu dheen
Cc: bind-users at lists.isc.org
Subject: Re: DNS Sinkhole in BIND

Babu

The following example defines two access control lists and uses an
options statement to define how they are treated by the nameserver:

// Sources that get no reply at all
acl black-hats { 10.0.2.0/24; 192.168.0.0/24; };
// Trusted clients that get normal service
acl red-hats { 10.0.1.0/24; };

options {
        blackhole { black-hats; };
        allow-query { red-hats; };
        allow-recursion { red-hats; };
};

This example contains two access control lists, black-hats and red-hats.
Hosts in the black-hats list are denied access to the nameserver, while
hosts in the red-hats list are given normal access.

Regards
TCPWave Customer Care


On Sun, 2011-10-16 at 23:30 +0530, babu dheen wrote:
> Hi,
>
>  Can anyone help me with how to set up a DNS sinkhole in BIND on Linux 32-bit
> edition.
>
> Regards
> babu
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users




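Jeff's recommendation above (recursion and cache only for internal lookups, authoritative zones still answerable from outside) combined with the blackhole ACL from TCPWave's reply, as an added named.conf example that is not part of any message in this thread; the acl names, network ranges, zone name and file paths are assumptions:

```conf
// Added example, not from any message in this thread. The network
// ranges, the zone name and the file paths are placeholders.

// Trusted (internal) clients that may use this server as a resolver.
acl internal { 127.0.0.0/8; 10.0.0.0/8; 192.168.0.0/16; };

// Sources to ignore completely (constructed documentation range).
acl black-hats { 203.0.113.0/24; };

options {
        directory "/var/named";

        // Queries from black-hats are dropped without any reply, like the
        // iptables DROP, except that the packet has already reached named.
        blackhole { black-hats; };

        // Recursion and cached answers only for internal clients. An
        // outside host asking for a third-party name gets REFUSED.
        recursion yes;
        allow-recursion { internal; };
        allow-query-cache { internal; };

        // Default for any zone that does not say otherwise.
        allow-query { internal; };
};

// Authoritative zone: override allow-query so the outside world can
// still resolve our own names, but never hand out zone transfers.
zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-query { any; };
        allow-transfer { none; };
};
```

Check the file with named-checkconf, then query the server from an outside address for a name you are not authoritative for; the expected answer is REFUSED, while a query for a name under example.com is answered.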
