On Apr 20, 2009, at 2:55 AM, Ken Lai wrote:
let's take an example. my DNS server is called SrvA, the outer DNS server
is called SrvB.

normally, the client sends the query to SrvA, and SrvA forwards it to
SrvB. SrvA then returns a result which came from SrvB to the client.
unfortunately SrvB sometimes returns an A record that is an
advertisement site IP to SrvA. so i don't want to respond to the client if
the returned IP address is the advertisement site address.

filtering the domain name may not be suitable.

thanks.

If I understand correctly, the goal is to avoid answering any queries for A records where the answer points at any of a specific list of blacklisted IP addresses.

As has been said, such filtering does not fit well with BIND or any typical DNS server. Ideas: Periodically scan the cache for names pointing at these addresses, and dynamically create zones? Run a very clever firewall config in front of the DNS server that filters out such answers? Instead of doing something with the DNS, use access lists or custom routes in your routers to block the addresses?

In any case, if you "succeed" in addressing the problem by providing no answer,
you may find the solution to be unacceptable because of timeout delays.
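The first idea above (scan the cache, then create local zones for the offending names) can be sketched in a few lines. This is an added example, not code from the thread or from ISC: it parses a constructed sample in the master-file style that `rndc dumpdb -cache` writes to named_dump.db, collects the owner names whose A/AAAA rdata falls inside a blocklist of networks, and renders named.conf zone stanzas that make the resolver authoritative for those names. The blocklist (203.0.113.0/24, a documentation range), the sample records and the empty-zone file path are all assumptions.

```python
import ipaddress
import re

# Constructed sample in the master-file style written by `rndc dumpdb -cache`
# (every name and address here is made up for this example).
SAMPLE_CACHE_DUMP = """\
; Start view _default
example.com.            3600    IN      A       93.184.216.34
ads.example.net.        300     IN      A       203.0.113.10
www.example.org.        300     IN      CNAME   cdn.example.org.
cdn.example.org.        60      IN      A       198.51.100.7
tracker.example.net.    120     IN      A       203.0.113.11
mail.example.com.       3600    IN      AAAA    2001:db8::25
"""

# Assumed blocklist: the "advertisement site" networks the poster wants to suppress.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# One resource record per line: owner, TTL, class IN, type A or AAAA, rdata.
RR_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|AAAA)\s+(?P<rdata>\S+)$"
)


def parse_address_records(dump_text):
    """Yield (owner name, ip address) for every A/AAAA record in a cache dump."""
    for line in dump_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dump comments
        m = RR_LINE.match(line)
        if not m:
            continue  # CNAME, NS, SOA and other types are not address records
        yield m.group("name"), ipaddress.ip_address(m.group("rdata"))


def is_blocked(addr, networks=BLOCKED_NETWORKS):
    """True if addr lies inside any blocked network (mixed v4/v6 never matches)."""
    return any(addr in net for net in networks)


def find_blocked_names(dump_text, networks=BLOCKED_NETWORKS):
    """Sorted owner names whose cached address falls inside a blocked network."""
    return sorted(
        {name for name, addr in parse_address_records(dump_text) if is_blocked(addr, networks)}
    )


def render_zone_config(names, empty_zone_file="/etc/bind/db.empty"):
    """Render named.conf stanzas making this server authoritative for each name.

    The assumed empty_zone_file holds only SOA/NS records, so the client gets an
    immediate local negative answer instead of the forwarder's A record.
    """
    return "\n".join(
        f'zone "{name.rstrip(".")}" {{ type master; file "{empty_zone_file}"; }};'
        for name in names
    )


if __name__ == "__main__":
    blocked = find_blocked_names(SAMPLE_CACHE_DUMP)
    print(render_zone_config(blocked))
```

Because the generated zones answer locally, the client receives a prompt negative response rather than the timeout the reply warns about; the cost is that every name sharing that zone, not just the ad host, is masked until the stanza is removed again, and the scan only catches addresses that have already reached the cache.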

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
