Re: can bind filter the result
On Apr 20, 2009, at 2:55 AM, Ken Lai wrote:

> Let's take an example. My DNS server is called SrvA, the outer DNS server is called SrvB.
>
> Normally, the client sends the query to SrvA, and SrvA forwards it to SrvB. SrvA then returns the result that came from SrvB to the client. Unfortunately SrvB sometimes returns an A record that is an advertisement site IP to SrvA. So I don't want to respond to the client if the returned IP address is the advertisement site address.
>
> Filtering the domain name may not be suitable.
>
> Thanks.

If I understand correctly, the goal is to avoid answering any queries for A records where the answer points at any of a specific list of blacklisted IP addresses. As has been said, such filtering does not fit well with BIND or any typical DNS server.

Ideas:

- Periodically scan the cache for names pointing at these addresses, and dynamically create zones?
- Run a very clever firewall config in front of the DNS server that filters out such answers?
- Instead of doing something with the DNS, use access lists or custom routes in your routers to block the addresses?

In any case, if you "succeed" in addressing the problem by providing no answer, you may find the solution to be unacceptable because of timeout delays.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
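The first idea above (scan the cache for names that currently resolve to blacklisted addresses) can be prototyped against a cache dump. The script below is an added example, not code from this thread or from BIND itself; it assumes the cache was written with `rndc dumpdb -cache` and that the dump uses the master-file line layout (owner, TTL, class, type, rdata). The dump lines and the blacklist ranges are constructed placeholders, and the output is only a list of names that a separate step would still have to turn into zones.

```python
"""Scan a BIND cache dump for A records whose address is on a blacklist.

Added example, not from the bind-users thread. Assumes a `rndc dumpdb -cache`
dump (named_dump.db) whose RR lines look like:  owner  TTL  IN  TYPE  rdata
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of a BIND cache dump (not a real dump).
SAMPLE_DUMP = """\
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20090420093000
; authanswer
www.example.com.\t3497\tIN\tA\t192.0.2.10
; additional
ns1.example.com.\t86340\tIN\tA\t198.51.100.5
; authanswer
ad1.example.net.\t299\tIN\tA\t203.0.113.7
ad1.example.net.\t299\tIN\tA\t203.0.113.8
tracker.example.org.\t600\tIN\tCNAME\tad1.example.net.
ad2.example.net.\t60\tIN\tA\t203.0.113.200
"""

# Constructed blacklist: hypothetical ad-network ranges from documentation space.
BLACKLIST = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("203.0.113.200/32"),
]

# owner, TTL, class IN, type, rdata; comment (';') and directive ('$') lines are skipped.
RR_LINE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$")


def parse_a_records(dump_text):
    """Yield (owner, IPv4Address) for every A RR in the dump text."""
    for line in dump_text.splitlines():
        if not line or line.startswith(";") or line.startswith("$"):
            continue
        m = RR_LINE.match(line)
        if m is None or m.group("type") != "A":
            continue  # other RR types (CNAME, NS, AAAA, ...) are not what we filter on
        try:
            addr = ipaddress.ip_address(m.group("rdata").strip())
        except ValueError:
            continue  # malformed rdata: skip the line instead of aborting the scan
        yield m.group("owner"), addr


def blacklisted_names(dump_text, blacklist=BLACKLIST):
    """Map each owner name to the sorted list of blacklisted addresses it resolves to."""
    hits = defaultdict(set)
    for owner, addr in parse_a_records(dump_text):
        if any(addr in net for net in blacklist):
            hits[owner].add(str(addr))
    return {owner: sorted(addrs) for owner, addrs in hits.items()}


if __name__ == "__main__":
    import sys
    # Pass the path of a real named_dump.db; without an argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for owner, addrs in sorted(blacklisted_names(text).items()):
        print(f"{owner}\t{', '.join(addrs)}")
```

Run it after `rndc dumpdb -cache` and feed the result to whatever builds your zones; note that a name only shows up once a client has already asked for it, so the first answer always gets through, and names pointed at the ad addresses via CNAME (like tracker.example.org. in the sample) are only caught through the target name.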
Re: can bind filter the result
On Apr 19, 2009, at 11:55 PM, Ken Lai wrote:

> Let's take an example. My DNS server is called SrvA, the outer DNS server is called SrvB.
>
> Normally, the client sends the query to SrvA, and SrvA forwards it to SrvB. SrvA then returns the result that came from SrvB to the client. Unfortunately SrvB sometimes returns an A record that is an advertisement site IP to SrvA. So I don't want to respond to the client if the returned IP address is the advertisement site address.
>
> Filtering the domain name may not be suitable.

You're better off setting up an HTTP proxy that will filter out the bad requests. If you can't filter it by domain name, then DNS-based filtering is not the answer.

Chris Buxton
Professional Services
Men & Mice
Re: can bind filter the result
At Mon, 20 Apr 2009 14:55:56 +0800,
Ken Lai wrote:

> Let's take an example. My DNS server is called SrvA, the outer DNS server
> is called SrvB.
>
> Normally, the client sends the query to SrvA, and SrvA forwards it to
> SrvB. SrvA then returns the result that came from SrvB to the client.
> Unfortunately SrvB sometimes returns an A record that is an
> advertisement site IP to SrvA. So I don't want to respond to the client if
> the returned IP address is the advertisement site address.
>
> Filtering the domain name may not be suitable.

As already pointed out on this list, if this is specific to the real recursive server (= SrvB), you probably want to reconsider using it in the first place. If this is not specific to that single server (= SrvB), I doubt filtering based on the IP addresses of the A RRs in responses will be very effective, because there are many such addresses, some of which may even change rapidly.

Regarding the specific question about resource-data (e.g. IP address) based filtering: no, BIND 9 currently doesn't provide such filtering. However, we're now reviewing a kind of such filtering based on a contributed patch (for different purposes than the one you described), and it *may* be included in BIND 9.7. Even so, I suspect the new filtering feature is not something you want for your purpose as described above.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: can bind filter the result
On 4/20/2009 2:55 AM, Ken Lai wrote:

> Normally, the client sends the query to SrvA, and SrvA forwards it to SrvB. SrvA then returns the result that came from SrvB to the client. Unfortunately SrvB sometimes returns an A record that is an advertisement site IP to SrvA. So I don't want to respond to the client if the returned IP address is the advertisement site address.

It sounds like SrvB is intentionally badly broken. From your description, at best it's returning advertising sites for non-existent domains, at worst it just returns ad sites at random for any query. You'd probably be better off just resolving the addresses yourself (on SrvA) rather than forwarding your requests upstream.
Re: can bind filter the result
2009/4/20 JINMEI Tatuya / 神明達哉:

> At Mon, 20 Apr 2009 08:40:15 +0800,
> Ken Lai wrote:
>
>> For example, a user sends a query to my server, and the server forwards this
>> query to an outer DNS server. The outer server returns an A record to my server;
>> what I want to do is, my server will not respond to the client if I do not want
>> the client to know this A record.
>
> It's still not very clear... what's the key of the filtering? The
> query name such as www.isc.org, or the data of the answer (the IPv4
> address in the case of an A RR), or something else?
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.

Let's take an example. My DNS server is called SrvA, the outer DNS server is called SrvB.

Normally, the client sends the query to SrvA, and SrvA forwards it to SrvB. SrvA then returns the result that came from SrvB to the client. Unfortunately SrvB sometimes returns an A record that is an advertisement site IP to SrvA. So I don't want to respond to the client if the returned IP address is the advertisement site address.

Filtering the domain name may not be suitable.

Thanks.
Re: can bind filter the result
In article , JINMEI Tatuya / 神明達哉 wrote:

> At Mon, 20 Apr 2009 08:40:15 +0800,
> Ken Lai wrote:
>
>> For example, a user sends a query to my server, and the server forwards this
>> query to an outer DNS server. The outer server returns an A record to my
>> server; what I want to do is, my server will not respond to the client if I
>> do not want the client to know this A record.
>
> It's still not very clear... what's the key of the filtering? The
> query name such as www.isc.org, or the data of the answer (the IPv4
> address in the case of an A RR), or something else?

If it's based on the name, I suppose he could set up a forward zone for each filtered hostname that forwards to a fake root server that returns NXDOMAIN for everything except the root.

zone "www.isc.org" {
	type forward;
	forwarders { ; };
};

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Re: can bind filter the result
On Apr 19, 2009, at 6:49 PM, JINMEI Tatuya / 神明達哉 wrote:

> At Mon, 20 Apr 2009 08:40:15 +0800,
> Ken Lai wrote:
>
>> For example, a user sends a query to my server, and the server forwards this
>> query to an outer DNS server. The outer server returns an A record to my server;
>> what I want to do is, my server will not respond to the client if I do not want
>> the client to know this A record.
>
> It's still not very clear... what's the key of the filtering? The
> query name such as www.isc.org, or the data of the answer (the IPv4
> address in the case of an A RR), or something else?

Ken, I don't think that you are asking a very clear question, which makes answering it difficult. You may have assumptions in your question that can't cleanly be answered with a DNS solution.

But, if what you are asking is whether, when someone that uses your DNS server asks for "www.xyz.com" and you don't want them to access this server, there is a way to block this access, then yes, there is a possibility of using DNS to block it. This is a common question that is regularly asked and answered on this list.

Create a zone for "www.xyz.com" and give an "A" resource record to this name with an address of 127.0.0.1 (or whatever). Then when someone asks your server for an "A" record for "www.xyz.com" they will be given the IP address of 127.0.0.1. If you want to clobber any name in a particular zone, like "xyz.com", then you can create a wildcard "A" record pointing to an IP address. Maybe the IP address you want to point to for these purposes is the IP address of a web server that simply returns a web page saying "what do you think you are doing?" All of this is regularly answered on this list. Look over the archives.

Now, you will have to do this for every name in your list of "blacklisted" machines. If this list is long, then you will have lots of zones to set up. And each host that you need to add to this list will be another zone to define. Not difficult, a shell script can do most of the work for you, but not trivial either.

Now, two problems are associated with this process. First, make sure that your DNS information doesn't get out to the rest of the Internet; you could cause severe problems and people will not like you. Second, DNS isn't an appropriate way to solve this problem anyway. If your users know the IP address of the server that you are trying to block, then they can simply use the IP address directly and they will bypass your DNS server. Also remember that the Internet is used for other purposes than just web access, which is what I strongly suspect is your actual goal. Are you sure that you want to block HTTP/web access this way? This will also block mail too!

Be very clear about what you are asking for. Although this filtering can be done this way, if you are having to ask this question then it indicates a level that implies that you are going to have difficulty implementing it. Find another, better, solution. If you want to "filter" access to the Internet then "filter" the network traffic to the Internet. This means setting up and managing a firewall. This firewall router will simply not forward any traffic to the hosts that you have "blacklisted". A much simpler solution to manage. There are many pre-packaged systems that provide this type of capability.

Bill Larson
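The per-name zone approach Bill describes, with the "shell script" part written in Python, as an added example that is not Bill's, ISC's or BIND's own code. It assumes BIND 9 named.conf syntax (`type master`, `allow-transfer`, `notify`), a sinkhole address you pick (127.0.0.1 or the block-page web server he mentions), and that the generated stanzas are pulled into named.conf with an `include`. The blacklist entries and the file path are constructed placeholders. One shared zone file serves every blackholed name because it only uses `@` (the apex) and `*` (everything below it), so both the single-host case and the whole-domain wildcard case need no per-zone file.

```python
"""Generate BIND "blackhole" zone stanzas and a shared zone file from a blacklist.

Added example, not from the bind-users thread. Assumes BIND 9 named.conf
syntax; sinkhole address, zone path and blacklist entries are placeholders.
"""
import re

# Letters, digits and hyphens per label, no leading/trailing hyphen, 253 chars max.
HOSTNAME = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)*[a-z0-9-]{1,63}(?<!-)$")


def parse_blacklist(text):
    """Return normalised zone names from blacklist text: one name per line,
    '#' comments and blank lines ignored, trailing dot stripped, lowercased,
    duplicates dropped. Invalid entries raise so a typo cannot produce a
    named.conf that fails to load."""
    names = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        if not HOSTNAME.match(entry):
            raise ValueError(f"not a valid zone name: {raw!r}")
        if entry not in names:
            names.append(entry)
    return names


def zone_file(sinkhole_ip, serial=1):
    """Shared zone file: '@' answers the zone name itself, '*' every name under it."""
    return (
        "$TTL 3600\n"
        f"@\tIN\tSOA\tlocalhost. root.localhost. ( {serial} 3600 900 604800 3600 )\n"
        "@\tIN\tNS\tlocalhost.\n"
        f"@\tIN\tA\t{sinkhole_ip}\n"
        f"*\tIN\tA\t{sinkhole_ip}\n"
    )


def named_conf_fragment(names, zone_path):
    """One zone stanza per blacklisted name. allow-transfer { none; } and
    notify no keep the fake data on this server (Bill's first problem above)."""
    stanzas = []
    for name in names:
        stanzas.append(
            f'zone "{name}" {{\n'
            "\ttype master;\n"
            f'\tfile "{zone_path}";\n'
            "\tallow-transfer { none; };\n"
            "\tnotify no;\n"
            "};\n"
        )
    return "".join(stanzas)


# Constructed sample blacklist (placeholder names).
SAMPLE_BLACKLIST = """\
# one host or domain per line
www.xyz.example   # blocks exactly this host (and anything below it)
Ads.Example.Net.  # the wildcard also catches anything.below.it
www.xyz.example   # duplicate, ignored
"""

if __name__ == "__main__":
    names = parse_blacklist(SAMPLE_BLACKLIST)
    print(named_conf_fragment(names, "/etc/named/blackhole.zone"))
    print(zone_file("127.0.0.1"))
```

Write the two outputs to the include file and the zone file, run `named-checkconf` and `named-checkzone` on them, then reload; re-run the script whenever the list changes, bumping the serial if you ever let another server transfer the zone. The caveats in the post still stand: this only affects clients that use SrvA for resolution, and it blocks every protocol for the name, not just HTTP.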
Re: can bind filter the result
At Mon, 20 Apr 2009 08:40:15 +0800,
Ken Lai wrote:

> For example, a user sends a query to my server, and the server forwards this
> query to an outer DNS server. The outer server returns an A record to my server;
> what I want to do is, my server will not respond to the client if I do not want
> the client to know this A record.

It's still not very clear... what's the key of the filtering? The query name such as www.isc.org, or the data of the answer (the IPv4 address in the case of an A RR), or something else?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
Re: can bind filter the result
On Monday 20 April 2009 05:45:27 you wrote:

> At Sun, 19 Apr 2009 12:37:30 +0800,
> Ken Lai wrote:
>
>> Hi, I recently set up a DNS server using BIND on CentOS.
>>
>> As I've set the server to just forward queries to a public DNS server, my
>> boss told me to filter some results that should not be returned. It means this
>> server forwards the query and gets the result; if the result is in the
>> blacklist, the server will not respond (or something) to the client.
>
> Can you be more specific about "the result is in the blacklist"? A
> specific example would be helpful.
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.

For example, a user sends a query to my server, and the server forwards this query to an outer DNS server. The outer server returns an A record to my server; what I want to do is, my server will not respond to the client if I do not want the client to know this A record.
Re: can bind filter the result
At Sun, 19 Apr 2009 12:37:30 +0800,
Ken Lai wrote:

> Hi, I recently set up a DNS server using BIND on CentOS.
>
> As I've set the server to just forward queries to a public DNS server, my
> boss told me to filter some results that should not be returned. It means this server
> forwards the query and gets the result; if the result is in the blacklist, the
> server will not respond (or something) to the client.

Can you be more specific about "the result is in the blacklist"? A specific example would be helpful.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.
can bind filter the result
Hi, I recently set up a DNS server using BIND on CentOS.

As I've set the server to just forward queries to a public DNS server, my boss told me to filter some results that should not be returned. It means this server forwards the query and gets the result; if the result is in the blacklist, the server will not respond (or something) to the client.

I'm wondering whether BIND could get this done? Thanks in advance.