how to block unwanted domain queries?? (34 Views)
Advisor
Ho_5
Posts: 35
Registered: ‎03-20-2003
Message 1 of 15 (34 Views)

how to block unwanted domain queries??

hi,

Do you know how to block/drop unwanted DNS queries for domains that do not belong to us? My DNS servers are not connected to the rest of the world (they are part of a private club network), so my DNS servers are the root in my area (= end point).
I just want my DNS servers to only answer for the domains that belong to us; the rest of the DNS queries I want to drop, and send a reply back to the sender that the name does not exist instead of a "Servfail error".

Do you know what I have to configure in my DNS??
My DNS server is a HP-UX 11i+Bind 9.2.

Thanks in advance.

Regards,

John
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: ‎08-15-2002
Message 2 of 15 (34 Views)

Re: how to block unwanted domain queries??

If you have specific ip addresses you want to prevent from querying you then ipfilters firewall will stop the requests.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA

Pretty easy install, then configure to drop particular IP addresses from all requests or port 53.

To keep public inquiries off the public internet in total off the box, don't include the external ip address in the domain records and block port 53.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Honored Contributor
Sergejs Svitnevs
Posts: 579
Registered: ‎10-02-2002
Message 3 of 15 (34 Views)

Re: how to block unwanted domain queries??

About firewall...
SEP, in named.conf is an option "allow-query {}" which specifies which hosts are allowed to ask ordinary questions to DNS.

I don't know how to block/drop unwanted DNS-queries. In my opinion it is not possible in Bind 9.2.

Regards,
Sergejs
Honored Contributor
Thomas Bianco
Posts: 734
Registered: ‎06-10-2001
Message 4 of 15 (34 Views)

Re: how to block unwanted domain queries??

I think you want to respond with "NXDOMAIN" (read: non-existing domain) if someone asks for hp.com, right?

Removing the root hints and configuring a SOA record for the "." domain will make your server the root authority. You'll have to configure child domains for COM and NET just as if you ran the real "." authority to get your internal networks to resolve correctly.

Note: this will not prevent someone from accessing the external network, just from resolving names from i
There have been Innumerable people who have helped me. Of course, I've managed to piss most of them off.
Honored Contributor
Jeroen Peereboom
Posts: 2,684
Registered: ‎06-26-2003
Message 5 of 15 (34 Views)

Re: how to block unwanted domain queries??

John,

searching for BIND on http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services

I see the options:
- allow-query in Bind 8.
- blackhole in Bind 9.

Quote:
blackhole
This option is used to specify a list of addresses from which the
server will not accept queries or and does not use them to resolve a
query. Default is none. The syntax of blackhole option in the
'Options' statement in the /etc/named.conf file is as shown below:
[ blackhole { address_match_list }; ]

JP.

And read the forum etiquette on assigning points to answers
Advisor
Ho_5
Posts: 35
Registered: ‎03-20-2003
Message 6 of 15 (34 Views)

Re: how to block unwanted domain queries??

Hi thomas,

I think your solution is what I need. Since I don't know the IP addresses where they come from, I can not use allow-query or blackhole. You say: Removing the root hints and configuring a SOA record for the "." domain will make your server the root authority. You'll have to configure child domains for COM and NET just as if you ran the real "." authority to get your internal networks to resolve correctly.
Can you give me an example please??

Thanks in advance

Honored Contributor
Thomas Bianco
Posts: 734
Registered: ‎06-10-2001
Message 7 of 15 (34 Views)

Re: how to block unwanted domain queries??

You'll have to modify your bind.conf file. You should have a line like this

zone "." {
type hint;
file "named.root";
};

change it to

zone "." {
type master;
file "root.dns";
};

create a new file root.dns that looks like this.

;
; Database file . for . zone
; Zone version: 1
;
; The names and address below are placeholders (the originals were lost when
; the post was submitted): replace "ns." with this server's host name,
; "admin.ns." with the hostmaster mailbox, and 192.0.2.1 with the server's IP.
;
@       IN SOA  ns. admin.ns. (
                1       ; serial number
                900     ; refresh
                600     ; retry
                86400   ; expire
                3600 )  ; minimum TTL
;
; Zone NS records
;
@       IN NS   ns.
net     IN NS   ns.
com     IN NS   ns.
;
; host lookup (glue record for the name server itself)
;
ns      IN A    192.0.2.1

After that, you'll need to create zone files similar to this for .com and .net and populate the hosts you wish to resolve. Don't forget to create the reverse look-ups.

Hope this helps, sorry it's not complete.

APPENDIX: I think the posting fairy is going to eat the white space, sorr
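To check that a server configured as above really answers NXDOMAIN (rcode 3) for foreign names rather than SERVFAIL (rcode 2), here is a small stand-alone probe. It is an added example, not code from the thread; the server address 192.0.2.1 and the sample response bytes are constructed for illustration.

```python
# Added example (not from the thread): a minimal DNS probe that reports whether a
# resolver answers NXDOMAIN (rcode 3) or SERVFAIL (rcode 2) for a given name.
# Standard library only; the sample response at the bottom is constructed.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a recursive A query (QTYPE=1, QCLASS=IN) for `name`."""
    # flags 0x0100 = RD set; one question, no other sections
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_rcode(response: bytes, expected_qid: int = 0x1234) -> str:
    """Return the response code name from a raw DNS response (header only)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", response[:4])
    if qid != expected_qid:
        raise ValueError("response ID does not match query")
    if not flags & 0x8000:                     # QR bit must be set
        raise ValueError("not a response packet")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")

def probe(server: str, name: str, timeout: float = 2.0) -> str:
    """Send one UDP query to `server`:53 and classify the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_rcode(data)

# Constructed sample: header with QR, AA, RD, RA set and RCODE=3 (NXDOMAIN),
# one question, no answers, followed by the echoed question section.
SAMPLE_NXDOMAIN = (struct.pack("!HHHHHH", 0x1234, 0x8583, 1, 0, 0, 0)
                   + build_query("hp.com")[12:])

if __name__ == "__main__":
    print(parse_rcode(SAMPLE_NXDOMAIN))  # NXDOMAIN
    # probe("192.0.2.1", "hp.com")  # placeholder address: expect NXDOMAIN, not SERVFAIL
```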
Honored Contributor
Thomas Bianco
Posts: 734
Registered: ‎06-10-2001
Message 8 of 15 (34 Views)

Re: how to block unwanted domain queries??

I feel I should qualify this.

this solution is best for networks that are PHYSICALLY DISCONNECTED FROM THE PUBLIC INTERNET.

if you have any wish to connect to outside hosts from the internal network THIS IS NOT YOUR SOLUTION.
Honored Contributor
Jeroen Peereboom
Posts: 2,684
Registered: ‎06-26-2003
Message 9 of 15 (34 Views)

Re: how to block unwanted domain queries??

Ho,

although Thomas solution may be the best for you (improving your configuration), I have a remark on the address_match_list. The syntax of such a list allows you to negate a list. So it should be possible to list all valid subnets, and negate the list. Check the man page of named.conf. I cannot test this.

JP.
P.S.: Re-reading your question and Thomas' remark I think the issue is not where the request comes from, but what the request is asking for.
Advisor
Ho_5
Posts: 35
Registered: ‎03-20-2003
Message 10 of 15 (34 Views)

Re: how to block unwanted domain queries??

Hi Thomas,

It works now, only local domains will be answered. All the strange domains are replied to with "NXDOMAIN". But I forgot to tell you that I also have a forwarder in my named.conf. Now the forwarders don't work anymore, so how can I solve it??

my named.conf file now:::

zone "mnc020.mcc238.gprs" {
type forward;
forwarders {
62.44.191.131;
62.44.191.132;
};
forward only;
};

zone "." {
type master;
file "db.fake";
notify no;
};


Attach is the db.fake file

Hope you can solve my problem

Thanks in advance,

Regards,

john
Honored Contributor
Thomas Bianco
Posts: 734
Registered: ‎06-10-2001
Message 11 of 15 (34 Views)

Re: how to block unwanted domain queries??

Forwarders only work if the server cannot find an authoritative answer on the local box. Since this server is now authoritative for everything, nothing will be forwarded. This is the expected behaviour.

Move the fake "." domain to the last server in your forwarder chain. This will allow your normal DNS behaviour right up to the edge of your network, where it will return NXDOMAIN.
Honored Contributor
Thomas Bianco
Posts: 734
Registered: ‎06-10-2001
Message 12 of 15 (34 Views)

Re: how to block unwanted domain queries??

just checking in. any new status? is it working?
Advisor
Ho_5
Posts: 35
Registered: ‎03-20-2003
Message 13 of 15 (34 Views)

Re: how to block unwanted domain queries??

Hi Thomas,

I have put zone "." at the end of /etc/named.conf, but forward still doesn't work.
So any clue??

//john
Honored Contributor
Thomas Bianco
Posts: 734
Registered: ‎06-10-2001
Message 14 of 15 (34 Views)

Re: how to block unwanted domain queries??

I think I understand now. You have a named.conf file that looks like this

domain private.gprs
server
server

And you're wondering why the second server is not used? Here's why:

When your application goes to g...
Honored Contributor
Thomas Bianco
Posts: 734
Registered: ‎06-10-2001
Message 15 of 15 (34 Views)

Re: how to block unwanted domain queries??

doh!
I just realized that in that whole last post I was talking about named.conf and meant resolv.conf

do a sed s/named.conf/resolv.conf/ on my post.