On Wed, May 13, 2009 at 2:56 PM, Phillip Partipilo <[email protected]> wrote:
> We may consider blocking webmail services. Don't have an ISA server, but
> have iptables rulesets. I figure I could gather all the popular webmail IP
> addresses and drop them, but I have a hunch that the subset of addresses
> returned in a nslookup for many of the services are a small subset of what
> is in their round-robin list. Any way to get all of themaside from
> probing a bunch of various nameservers all over the net? Tried snagging
> zonefile with dig, get denied.
Zone transfers are a lot different than all the other DNS queries.
(It's practically a different protocol.)
Querying indirectly will yield whatever cache your local resolver
happens to have.
Try something like this:
dig A +short @a.root-servers.net. +trace hotmail.com
That will query for A (address) records, using the short output
format, from the root servers, tracing all the way down to the
authoritative delegated name servers.
To extract just the IP address dotted quads from the result, you
could combine with "awk" from Unix:
dig A +short @a.root-servers.net. +trace hotmail.com | awk '/^A/ {
print $2 }'
(CMD.EXE's quoting is absolutely craptacular, so that may not work
for that shell.)
Note that some systems return different DNS records based on the
load they're experiencing, or the source IP address of the query, or
other factors outside your control. If they're doing that kind of
thing, there's nothing you can do. The above command will only work
for simple round-robin DNS, where all the records are returned every
time, just in a different order.
-- Ben
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~