Operating System - HP-UX
Re: how to block unwanted domain queries??
Ho_5
Advisor

how to block unwanted domain queries??

hi,

Do you know how to block/drop unwanted DNS queries for domains that do not belong to us? My DNS servers are not connected to the rest of the world (they are part of a private club network), so my DNS servers are the root in my area (= end point).
I just want my DNS servers to answer only for the domains that belong to us; the rest of the DNS queries I want to drop, and send a reply back to the sender that the name does not exist instead of a "SERVFAIL" error.

Do you know what I have to configure in my DNS??
My DNS server is an HP-UX 11i + BIND 9.2.

Thanks in advance.

Regards,

John
Steven E. Protter
Exalted Contributor

Re: how to block unwanted domain queries??

If you have specific IP addresses you want to prevent from querying you, then the IPFilter firewall will stop the requests.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA

Pretty easy install, then configure to drop particular IP addresses from all requests or port 53.

To keep public inquiries off the public internet in total off the box, don't include the external ip address in the domain records and block port 53.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Sergejs Svitnevs
Honored Contributor

Re: how to block unwanted domain queries??

About firewall...
SEP, in named.conf is an option "allow-query {}" which specifies which hosts are allowed to ask ordinary questions to DNS.

I don't know how to block/drop unwanted DNS-queries. In my opinion it is not possible in Bind 9.2.

Regards,
Sergejs
Thomas Bianco
Honored Contributor
Solution

Re: how to block unwanted domain queries??

I think you want to respond with "NXDOMAIN" (read: non-existing domain) if someone asks for hp.com, right?

Removing the root hints and configuring a SOA record for the "." domain will make your server the root authority. You'll have to configure child domains for COM and NET just as if you ran the real "." authority to get your internal networks to resolve correctly.

Note: this will not prevent someone from accessing the external network, just from resolving names from i
There have been Innumerable people who have helped me. Of course, I've managed to piss most of them off.
Jeroen Peereboom
Honored Contributor

Re: how to block unwanted domain queries??

John,

searching for BIND on http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services

I see the options:
- allow-query in BIND 8
- blackhole in BIND 9

Quote:
blackhole
This option is used to specify a list of addresses from which the
server will not accept queries and does not use them to resolve a
query. Default is none. The syntax of the blackhole option in the
"options" statement in the /etc/named.conf file is as shown below:
[ blackhole { address_match_list }; ]

JP.

And read the forum etiquette on assigning points to answers
Ho_5
Advisor

Re: how to block unwanted domain queries??

Hi thomas,

I think your solution is what I need. Since I don't know the IP addresses where they come from, I cannot use allow-query or blackhole. You say: Removing the root hints and configuring a SOA record for the "." domain will make your server the root authority. You'll have to configure child domains for COM and NET just as if you ran the real "." authority to get your internal networks to resolve correctly.
Can you give me an example please??

Thanks in advance

Thomas Bianco
Honored Contributor

Re: how to block unwanted domain queries??

You'll have to modify your bind.conf file. You should have a line like this

zone "." {
type hint;
file "named.root";
};

change it to

zone "." {
type master;
file "root.dns";
};

create a new file root.dns that looks like this.

;
; Database file . for . zone
; Zone version: 1
;
@ IN SOA admin@ (
1 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; minimum TTL
;
; Zone NS records
;
@ NS
net NS
com NS
; host lookup
A

After that, you'll need to create zone files similar to this for .com and .net and populate the hosts you wish to resolve. Don't forget to create the reverse look-ups.

Hope this helps, sorry it's not complete.

APPENDIX: I think the posting fairy is going to eat the white space, sorr
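A complete, consistent version of the configuration Thomas describes, added here as an example and not taken from his posting: the root hints zone becomes a locally mastered "." zone, "com" is delegated to the same server and held as its own master zone, so names the server does not hold get an authoritative NXDOMAIN instead of SERVFAIL. The paths, ns1.example.com, www.example.com and the 192.0.2.x addresses are constructed; "net" (and the reverse zones) follow the same pattern as "com".

```bind
// ---- /etc/named.conf (fragment); paths and names are constructed ----
options {
    directory "/etc/named.data";    // assumed zone-file directory
};

zone "." {                          // replaces the "type hint" root zone
    type master;
    file "root.dns";
    notify no;
};

zone "com" {                        // one master zone per internal TLD
    type master;
    file "com.dns";
};

; ---- /etc/named.data/root.dns: this server is the root authority ----
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. (
         1        ; serial
         900      ; refresh
         600      ; retry
         86400    ; expire
         3600 )   ; negative-caching TTL, applied to NXDOMAIN answers
     IN NS  ns1.example.com.
com  IN NS  ns1.example.com.        ; delegate "com" to this same server
ns1.example.com. IN A 192.0.2.10    ; glue record for the delegation

; ---- /etc/named.data/com.dns: internal hosts under .com ----
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. (
         1 900 600 86400 3600 )
     IN NS  ns1.example.com.
ns1.example  IN A 192.0.2.10        ; ns1.example.com (relative to "com")
www.example  IN A 192.0.2.20        ; www.example.com, an internal host

; Result: www.example.com resolves to 192.0.2.20; hp.com (not in com.dns)
; and any name under an undelegated TLD such as .org get NXDOMAIN.
```

Each extra internal TLD needs both a delegation line in root.dns and its own zone clause and file; a delegation with no matching zone leaves the server lame for that name.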
Thomas Bianco
Honored Contributor

Re: how to block unwanted domain queries??

I feel I should qualify this.

this solution is best for networks that are PHYSICALLY DISCONNECTED FROM THE PUBLIC INTERNET.

if you have any wish to connect to outside hosts from the internal network THIS IS NOT YOUR SOLUTION.
Jeroen Peereboom
Honored Contributor

Re: how to block unwanted domain queries??

Ho,

although Thomas' solution may be the best for you (improving your configuration), I have a remark on the address_match_list. The syntax of such a list allows you to negate a list. So it should be possible to list all valid subnets and negate the list. Check the man page of named.conf. I cannot test this.

JP.
P.S.: Re-reading your question and Thomas' remark I think the issue is not where the request comes from, but what the request is asking for.
Ho_5
Advisor

Re: how to block unwanted domain queries??

Hi Thomas,

It works now, only local domains will be answered. All the strange domains are replied to with "NXDOMAIN". But I forgot to tell you that I also have forwarders in my named.conf. Now all the forwarders don't work anymore, so how can I solve it?

My named.conf file now:

zone "mnc020.mcc238.gprs" {
type forward;
forwarders {
62.44.191.131;
62.44.191.132;
};
forward only;
};

zone "." {
type master;
file "db.fake";
notify no;
};

Attached is the db.fake file.

Hope you can solve my problem

Thanks in advance,

Regards,

john