nanog mailing list archives
Re: DNS Blocking
From: Paul Vixie <vixie () vix com>
Date: 19 Aug 2004 19:03:28 +0000
danm () prime gushi org ("Dan Mahoney, System Admin") writes:
> What I was basically asking for was a "silently drop queries for X-domain" option. But one doesn't exist in bind.
take a look at www.as112.net to see what happens to queries for
10.in-addr.arpa and its brothers. you can easily set up a zone
that will just confuse and make errors for whoever queries it:

    @           SOA     localhost hostmaster.localhost
                NS      localhost
    localhost   A       127.0.0.1
    *           MX      0 localhost
                A       127.0.0.1

(the specific name "localhost" is nec'y because glue searches
aren't required to find wildcards.)
if you put a zone like that in place on a server that's receiving
unwanted queries for some zone, they will soon stop, or not. you
win either way -- the queries stop, or you laugh your ass off.
--
Paul Vixie
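
The following is an added illustration, not part of the original message or of BIND: a small Python model of how an authoritative server would answer queries against the zone above under the standard wildcard rules (RFC 4592), showing which names get the 127.0.0.1 answers and which do not. The zone name `unwanted.example.` and the function names are assumptions made for the example, and the lookup ignores CNAMEs and delegations.

```python
ORIGIN = "unwanted.example."      # hypothetical zone name, not from the post
NAME_RDATA = {"SOA", "NS", "MX"}  # record types whose rdata holds domain names

# The zone from the message, with owner-name continuation lines indented.
ZONE_TEXT = """\
@          SOA  localhost hostmaster.localhost
           NS   localhost
localhost  A    127.0.0.1
*          MX   0 localhost
           A    127.0.0.1
"""

def absolute(name):
    """Expand '@' and relative names against ORIGIN, as a zone parser does."""
    if name == "@":
        return ORIGIN
    return name if name.endswith(".") else f"{name}.{ORIGIN}"

def parse_zone(text):
    zone, owner = {}, None
    for line in filter(str.strip, text.splitlines()):
        fields = line.split()
        if not line[0].isspace():          # unindented line names a new owner
            owner = absolute(fields.pop(0).lower())
        rtype, rdata = fields[0], fields[1:]
        if rtype in NAME_RDATA:
            rdata = [f if f.isdigit() else absolute(f) for f in rdata]
        zone.setdefault(owner, {}).setdefault(rtype, []).append(" ".join(rdata))
    return zone

def lookup(zone, qname, qtype):
    """Answer (rcode, rdata) using wildcard synthesis per RFC 4592."""
    qname = qname.lower()
    if qname != ORIGIN and not qname.endswith("." + ORIGIN):
        return "REFUSED", []               # name is outside this zone
    if qname in zone:                      # existing name: wildcard never applies
        return "NOERROR", zone[qname].get(qtype, [])
    labels = qname.split(".")
    for i in range(1, len(labels)):        # walk up to the closest encloser
        encloser = ".".join(labels[i:])
        if encloser in zone or any(n.endswith("." + encloser) for n in zone):
            source = zone.get("*." + encloser)
            if source is None:
                return "NXDOMAIN", []
            return "NOERROR", source.get(qtype, [])
    return "NXDOMAIN", []
```

Calling `lookup(parse_zone(ZONE_TEXT), name, qtype)` shows that any otherwise nonexistent name under the zone, at any depth, is answered from the wildcard, while the apex, `localhost`, and anything beneath `localhost` are not.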
