Re: How to block part of a zone
On 16-09-14 18:20, King, Harold Clyde (Hal) wrote:
> Resolve all traffic for example.com from example.com's dns servers, but
> stop badhost.example.com.

Ideally you would use RPZ records for this purpose. You can override single records with another record. RPZ is only available in bind 9.8+.

An example:

--- Config:

options {
    response-policy { zone "rpz.int.mtak.nl"; };
};

zone "rpz.int.mtak.nl" {
    type master;
    file "/etc/bind/db/rpz.int.mtak.nl.zone";
    allow-transfer { slaves; };
};

--- Zone file:

@   IN SOA localhost. root.localhost. (
        2014072602 ; serial
        3H         ; refresh
        1H         ; retry
        1W         ; expiry
        1H )       ; minimum
    IN NS  localhost.

badhost.example.com  IN CNAME yourcompanywebsite.com.

; or alternatively
badhost.example.com  IN A     0.0.0.0

---

mtak

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: How to block part of a zone
You have multiple choices here.

Loopback is sometimes a bad choice, since the client may try to connect to itself, and in pathological cases this could cause an infinite loop.

You could consider an A record with RDATA 0.0.0.0, the "null" or "unspecified" address. It is not legal for that ever to be a destination address for a connection attempt, so it's marginally safer than 127.0.0.1.

For that matter, you don't need to define *any* A (or ) record in the zone at all. Then any resolution attempts will get a so-called "NODATA" response (NOERROR, but 0 answers), which the vast majority of stub resolvers won't be able to distinguish from NXDOMAIN.

- Kevin

On 9/16/2014 12:20 PM, King, Harold Clyde (Hal) wrote:
> I need to block a host in an exterior domain. Resolve all traffic for example.com from example.com's dns servers, but stop badhost.example.com. I guess I could become authoritative for badhost.example.com and point the host to 127.0.0.1. Does that sound like bad things would happen?
>
> zone "badhost.example.com" {
>     type master;
>     file "/etc/named/badhost.example.com.db";
> };
>
> badhost.example.com. IN SOA localhost. admin.localhost. (
>         2014091601 ; serial
>         3600       ; refresh
>         900        ; retry
>         86         ; expire
>         3600 )     ; minimum
>     NS localhost.
>     A  127.0.0.1
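The two points made in this thread, mtak's RPZ policy zone and Kevin's warning about which address to sinkhole to, can both be checked mechanically before a zone is loaded. The script below is an added example written for this page; it is not code from either poster or from ISC. It assumes the plain master-file syntax shown in mtak's reply and the standard RPZ CNAME conventions (`.` for NXDOMAIN, `*.` for NODATA, `rpz-drop.`, `rpz-passthru.`, `rpz-tcp-only.`), which go beyond what the thread itself shows, and it runs over a constructed sample zone built from the thread's entries plus a few extra names so that every branch is exercised. It flags a loopback sinkhole (Kevin's objection), a relative CNAME target (which BIND would expand inside the policy zone), and an absolute owner name that falls outside the policy zone.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample zone (not verbatim from the thread): mtak's apex records, his two variants under separate names, plus extra entries.
SAMPLE_ZONE = """\
$TTL 1H
@   IN SOA localhost. root.localhost. (
        2014072602 ; serial
        3H         ; refresh
        1H         ; retry
        1W         ; expiry
        1H )       ; minimum
    IN NS localhost.
badhost.example.com   IN CNAME yourcompanywebsite.com.
null.example.com      IN A     0.0.0.0
loop.example.com      IN A     127.0.0.1
gone.example.com      IN CNAME .
quiet.example.com     IN CNAME *.
*.ads.example.com     IN CNAME rpz-drop.
redir.example.com     IN CNAME yourcompanywebsite.com
badhost.example.com.  IN A     0.0.0.0
"""
POLICY_ZONE = "rpz.int.mtak.nl"  # zone named in mtak's response-policy block

TTL_TOKEN = re.compile(r"^\d+[smhdwSMHDW]?$")
SPECIAL_CNAME = {  # RPZ actions encoded as CNAME targets
    ".": "NXDOMAIN", "*.": "NODATA", "rpz-drop.": "DROP",
    "rpz-passthru.": "PASSTHRU", "rpz-tcp-only.": "TCP-ONLY",
}

@dataclass
class Finding:
    trigger: str  # name the policy matches: owner minus the policy-zone suffix
    rtype: str
    rdata: str
    action: str
    warning: str = ""

def _logical_lines(text):
    """Strip ';' comments and join '(' ... ')' continuation lines."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out

def parse_zone(text, zone_name):
    """Return (origin, [(owner, rtype, rdata), ...]) with absolute owner names."""
    origin = zone_name if zone_name.endswith(".") else zone_name + "."
    owner, records = origin, []
    for line in _logical_lines(text):
        tokens = line.split()
        if not tokens or tokens[0].startswith("$"):  # $TTL/$ORIGIN directives are skipped ($ORIGIN unsupported here)
            continue
        if not line[0].isspace():  # explicit owner; a leading blank inherits the previous owner
            name = tokens.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while tokens and (TTL_TOKEN.match(tokens[0]) or tokens[0].upper() == "IN"):
            tokens.pop(0)  # optional TTL and class
        if tokens:
            records.append((owner, tokens[0].upper(), " ".join(tokens[1:])))
    return origin, records

def classify(text, zone_name):
    """Classify every policy record; warnings mark the pitfalls raised in the thread."""
    origin, records = parse_zone(text, zone_name)
    findings = []
    for owner, rtype, rdata in records:
        if owner == origin:  # apex SOA/NS are zone bookkeeping, not policy
            continue
        if not owner.endswith("." + origin):
            findings.append(Finding(owner, rtype, rdata, "INVALID", "owner lies outside the policy zone"))
            continue
        trigger, warning = owner[:-len(origin) - 1], ""
        action = f"LOCAL DATA {rtype} {rdata}"
        if rtype == "CNAME":
            target = rdata.lower()
            action = SPECIAL_CNAME.get(target, f"REDIRECT to {rdata}")
            if target not in SPECIAL_CNAME and not target.endswith("."):
                warning = f"relative target expands to {rdata}.{origin}"
        elif rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if addr.is_unspecified:
                action = "SINKHOLE (unspecified address)"
            elif addr.is_loopback:
                action = "SINKHOLE (loopback)"
                warning = "client may connect to itself; prefer 0.0.0.0/:: or no address record (NODATA)"
        findings.append(Finding(trigger, rtype, rdata, action, warning))
    return findings

if __name__ == "__main__":
    for f in classify(SAMPLE_ZONE, POLICY_ZONE):
        flag = f"   !! {f.warning}" if f.warning else ""
        print(f"{f.trigger:22} {f.rtype:5} {f.rdata:26} -> {f.action}{flag}")
```

Run it as a pre-commit check on the policy zone alongside `named-checkzone`: the latter catches syntax and out-of-zone data, while this script explains what each entry will actually do to a resolver's clients and calls out the loopback sinkhole that Kevin advises against.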
How to block part of a zone
I need to block a host in an exterior domain. Resolve all traffic for example.com from example.com's dns servers, but stop badhost.example.com. I guess I could become authoritative for badhost.example.com and point the host to 127.0.0.1. Does that sound like bad things would happen?

zone "badhost.example.com" {
    type master;
    file "/etc/named/badhost.example.com.db";
};

badhost.example.com. IN SOA localhost. admin.localhost. (
        2014091601 ; serial
        3600       ; refresh
        900        ; retry
        86         ; expire
        3600 )     ; minimum
    NS localhost.
    A  127.0.0.1

-- 
Hal King - h...@utk.edu
Systems Administrator
Office of Information Technology
Shared Systems Services
The University of Tennessee
103C5 Kingston Pike Building
2309 Kingston Pk.
Knoxville, TN 37996
Phone: 974-1599

/--\
| One Contact     865-974-9900 |
| Many Solutions  help.utk.edu |
\--/