Re: How to block part of a zone

2014-09-17 Thread Merijntje Tak
On 16-09-14 18:20, King, Harold Clyde (Hal) wrote:
> Resolve all traffic for example.com from example.com's DNS servers, but
> stop badhost.example.com.
Ideally you would use RPZ records for this purpose. You can override
single records with another record. RPZ is only available in bind 9.8+.
An example:
--- Config:
options {
    response-policy { zone "rpz.int.mtak.nl"; };
};

zone "rpz.int.mtak.nl" {
    type master;
    file "/etc/bind/db/rpz.int.mtak.nl.zone";
    allow-transfer { slaves; };
};

--- Zone file:
$TTL 1H
@       IN SOA  localhost. root.localhost. (
                2014072602  ; serial
                3H          ; refresh
                1H          ; retry
                1W          ; expiry
                1H )        ; minimum
        IN NS   localhost.

; The trigger name is written relative to the RPZ origin (no trailing dot);
; the CNAME target is a real host and must be fully qualified (trailing dot),
; otherwise the zone origin gets appended to it.
badhost.example.com   IN CNAME yourcompanywebsite.com.
; or alternatively (a name can carry either the CNAME or the A record, not both):
; badhost.example.com   IN A     0.0.0.0

---
mtak
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How to block part of a zone

2014-09-16 Thread Kevin Darcy

You have multiple choices here.

Loopback is sometimes a bad choice, since the client may try to connect 
to itself, and in pathological cases this could cause an infinite loop.


You could consider an A record with RDATA 0.0.0.0, the "null" or 
"unspecified" address. It is not legal for that ever to be a destination 
address for a connection attempt, so it's marginally safer than 127.0.0.1.


For that matter, you don't need to define *any* A (or AAAA) record in 
the zone at all. Then any resolution attempts will get a so-called 
"NODATA" response (NOERROR, but 0 answers), which the vast majority of 
stub resolvers won't be able to distinguish from NXDOMAIN.


- Kevin

On 9/16/2014 12:20 PM, King, Harold Clyde (Hal) wrote:
> I need to block a host in an exterior domain.
>
> Resolve all traffic for example.com from example.com's DNS servers, but
> stop badhost.example.com.
> I guess I could become authoritative for badhost.example.com and point the
> host to 127.0.0.1.
> Does that sound like bad things would happen?
>
> zone "badhost.example.com" {
>     type master;
>     file "/etc/named/badhost.example.com.db";
> };
>
> $TTL 3600
> badhost.example.com.  IN SOA  localhost. admin.localhost. (
>         2014091601  ; serial
>         3600        ; refresh
>         900         ; retry
>         86          ; expire
>         3600 )      ; minimum
>                       IN NS   localhost.
>                       IN A    127.0.0.1



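The following is an added example, not code from the thread or from ISC: a small Python script that renders an RPZ zone in the shape Merijntje posted and mimics how the resolver matches query names against it, so the outcomes discussed in both replies can be compared side by side: local data (Merijntje's CNAME to a company site, Kevin's A 0.0.0.0) and the RPZ encodings for NODATA (`CNAME *.`, the RPZ equivalent of Kevin's "define no A record") and NXDOMAIN (`CNAME .`). Only badhost.example.com comes from the thread; the zone serial, the other policy entries and the sinkhole name are constructed, and the function names are my own.

```python
"""Render a BIND Response Policy Zone (RPZ) and mimic how the resolver
applies it.  Added example, not from the thread; the zone content below
is constructed and only badhost.example.com comes from the discussion."""

from typing import Dict, Optional, Tuple

# RPZ encodes its special actions as CNAMEs with reserved targets;
# anything else (A, AAAA, CNAME to a real name) is ordinary "local data".
NXDOMAIN = "CNAME ."    # rewrite the answer to NXDOMAIN
NODATA = "CNAME *."     # rewrite to NOERROR with an empty answer section

SOA_TEMPLATE = """$TTL 1H
@       IN SOA  localhost. root.localhost. (
                {serial}  ; serial
                3H          ; refresh
                1H          ; retry
                1W          ; expire
                1H )        ; negative-cache TTL
        IN NS   localhost.
"""


def validate_entry(name: str, rdata: str) -> None:
    """Catch the two mistakes that silently produce the wrong rewrite."""
    if name.endswith("."):
        # Trigger names are relative to the RPZ origin; an absolute name
        # would never match a query.
        raise ValueError(f"{name}: RPZ trigger names must not end with a dot")
    if rdata.startswith("CNAME "):
        target = rdata.split(None, 1)[1]
        if target not in (".", "*.") and not target.endswith("."):
            # Without the trailing dot the RPZ origin is appended and the
            # client is sent to target.<rpz-origin> instead of the real host.
            raise ValueError(f"{rdata}: CNAME target must be fully qualified")


def build_rpz_zone(serial: int, policy: Dict[str, str],
                   cover_subdomains: bool = True) -> str:
    """Return the zone file text for `policy` ({trigger name: rdata})."""
    lines = [SOA_TEMPLATE.format(serial=serial)]
    for name, rdata in sorted(policy.items()):
        validate_entry(name, rdata)
        lines.append(f"{name:<30} IN {rdata}")
        if cover_subdomains:
            # A wildcard trigger also catches www.badhost.example.com etc.
            lines.append(f"{'*.' + name:<30} IN {rdata}")
    return "\n".join(lines) + "\n"


def classify(rdata: str) -> str:
    """Name the RPZ action that a given rdata produces."""
    if rdata == NXDOMAIN:
        return "NXDOMAIN"
    if rdata == NODATA:
        return "NODATA"
    return "LOCAL-DATA"


def rpz_lookup(policy: Dict[str, str], qname: str,
               cover_subdomains: bool = True
               ) -> Tuple[Optional[str], str, Optional[str]]:
    """Mimic QNAME trigger matching: the exact name wins, then the most
    specific enclosing wildcard.  Returns (trigger, action, rdata)."""
    name = qname.rstrip(".").lower()
    if name in policy:
        return name, classify(policy[name]), policy[name]
    if cover_subdomains:
        labels = name.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in policy:
                return "*." + parent, classify(policy[parent]), policy[parent]
    return None, "no match", None


if __name__ == "__main__":
    # Constructed policy: one entry per option discussed in the thread.
    policy = {
        "badhost.example.com": "A 0.0.0.0",                      # null address
        "tracker.example.org": NODATA,                           # empty answer
        "old-portal.example.net": "CNAME sinkhole.example.com.", # redirect
    }
    print(build_rpz_zone(2014091701, policy))
    for q in ("badhost.example.com.", "www.badhost.example.com", "example.com"):
        print(q, "->", rpz_lookup(policy, q))
```

Feed the generated text to `named-checkzone` with the RPZ origin before loading it; the validation step above rejects the two layout mistakes that `named-checkzone` accepts but that change the meaning of the rewrite (an absolute trigger name, and a CNAME target without its trailing dot).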


How to block part of a zone

2014-09-16 Thread King, Harold Clyde (Hal)
I need to block a host in an exterior domain.

Resolve all traffic for example.com from example.com's DNS servers, but
stop badhost.example.com.
I guess I could become authoritative for badhost.example.com and point the
host to 127.0.0.1.
Does that sound like bad things would happen?

zone "badhost.example.com" {
    type master;
    file "/etc/named/badhost.example.com.db";
};

$TTL 3600
badhost.example.com.  IN SOA  localhost. admin.localhost. (
        2014091601  ; serial
        3600        ; refresh
        900         ; retry
        86          ; expire
        3600 )      ; minimum
                      IN NS   localhost.
                      IN A    127.0.0.1

-- 
Hal King  - h...@utk.edu
Systems Administrator
Office of Information Technology
Shared Systems Services

The University of Tennessee
103C5 Kingston Pike Building
2309 Kingston Pk. Knoxville, TN 37996
Phone: 974-1599

/--\
| One Contact  865-974-9900|
| Many Solutions   help.utk.edu|
\--/


