Leon Fauster
2015-Oct-06  13:34 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
--On Monday, October 05, 2015 10:46 AM -0400 "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:

> So, is there any convenient way to construct an IPTables rule to block
> all IPs associated with a given Domain Name server?

IPs have the reversed lookup "associated" with a NS.

What do you mean with "associated"?

Do you mean all IPs that this DNS server resolves to (A-Records in zone) (how do you know for what zone the NS gives authoritative answers)?

Or just the domain name server IPs of a given domain name (NS records)?

What are you trying to solve?

-- 
LF
John R Pierce
2015-Oct-06  17:36 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
On 10/6/2015 6:34 AM, Leon Fauster wrote:

> --On Monday, October 05, 2015 10:46 AM -0400 "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:
>
>> So, is there any convenient way to construct an IPTables rule to block
>> all IPs associated with a given Domain Name server?
>
> IPs have the reversed lookup "associated" with a NS.
>
> What do you mean with "associated"?
>
> Do you mean all IPs that this DNS server resolves to
> (A-Records in zone) (how do you know for what zone
> the NS gives authoritative answers)?
>
> Or just the domain name server IPs of a given
> domain name (NS records)?
>
> What are you trying to solve?

I wondered much the same. Most NS servers won't allow you to do a zone transfer to find all the A/AAAA records in a given domain. Doing a reverse DNS lookup on every incoming/outgoing socket connection would be beyond painful; it would bring your network to its knees, as the reverse DNS zones are often broken.

-- 
john r pierce, recycling bits in santa cruz
Kahlil Hodgson
2015-Oct-06  22:27 UTC
[CentOS] Can one construct an IPTables rule to block on NS records?
Taking a stab at your meaning "block all IPs that reverse resolve to a name managed by secureserver.net" because their servers keep scanning you. You could craft a fail2ban recipe to reverse resolve the IP address (after some threshold of rejected packets), then block that IP if secureserver.net is the authority for the PTR record.

K

Kahlil (Kal) Hodgson                       GPG: C9A02289
Head of Technology                         (m) +61 (0) 4 2573 0382
DealMax Pty Ltd                            GitHub: @tartansandal
Suite 1416
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer."
-- IBM maintenance manual, 1925

On 7 October 2015 at 04:36, John R Pierce <pierce at hogranch.com> wrote:

> On 10/6/2015 6:34 AM, Leon Fauster wrote:
>
>> --On Monday, October 05, 2015 10:46 AM -0400 "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:
>>
>>> So, is there any convenient way to construct an IPTables rule to block
>>> all IPs associated with a given Domain Name server?
>>
>> IPs have the reversed lookup "associated" with a NS.
>>
>> What do you mean with "associated"?
>> Do you mean all IPs that this DNS server resolves to
>> (A-Records in zone) (how do you know for what zone
>> the NS gives authoritative answers)?
>>
>> Or just the domain name server IPs of a given
>> domain name (NS records)?
>>
>> What are you trying to solve?
>
> I wondered much the same. Most NS servers won't allow you to do a zone
> transfer to find all the A/AAAA records in a given domain. Doing a reverse
> DNS lookup on every incoming/outgoing socket connection would be beyond
> painful; it would bring your network to its knees, as the reverse DNS zones
> are often broken.
>
> -- 
> john r pierce, recycling bits in santa cruz
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
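The recipe Kahlil sketches (count rejected packets per source, reverse-resolve only the sources that pass a threshold, block those whose PTR name sits under the offending domain) can be prototyped without fail2ban. The following Python is an added example written for this thread, not code from any poster or from fail2ban. It assumes a constructed iptables LOG-style line format (only the SRC= field matters), a constructed dictionary standing in for reverse DNS so it runs offline, and the domain secureserver.net and threshold 3 from the discussion; a real run would pass the live_resolver shown instead of the dictionary.

```python
import re
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample of kernel LOG-target lines (not taken from the thread or any real host).
SAMPLE_LOG = """\
Oct  6 13:01:02 host kernel: REJECT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
Oct  6 13:01:03 host kernel: REJECT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23
Oct  6 13:01:04 host kernel: REJECT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=25
Oct  6 13:01:05 host kernel: REJECT IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP DPT=22
Oct  6 13:01:06 host kernel: REJECT IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=TCP DPT=22
Oct  6 13:01:07 host kernel: REJECT IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=TCP DPT=22
Oct  6 13:01:08 host kernel: REJECT IN=eth0 OUT= SRC=192.0.2.30 DST=198.51.100.5 PROTO=TCP DPT=22
Oct  6 13:01:09 host kernel: REJECT IN=eth0 OUT= SRC=192.0.2.40 DST=198.51.100.5 PROTO=TCP DPT=22
Oct  6 13:01:10 host kernel: REJECT IN=eth0 OUT= SRC=192.0.2.40 DST=198.51.100.5 PROTO=TCP DPT=22
Oct  6 13:01:11 host kernel: REJECT IN=eth0 OUT= SRC=192.0.2.40 DST=198.51.100.5 PROTO=TCP DPT=22
"""

# Constructed stand-in for reverse DNS (hypothetical PTR names); None models a broken
# or missing reverse zone, the case John raises.
FAKE_PTR: Dict[str, Optional[str]] = {
    "192.0.2.10": "ip-192-0-2-10.ip.secureserver.net",  # under the domain, past threshold
    "192.0.2.20": "ip-192-0-2-20.ip.secureserver.net",  # under the domain, but only 1 reject
    "192.0.2.30": "scanner.notsecureserver.net",         # lookalike suffix, must not match
    "192.0.2.40": None,                                   # no PTR at all
}

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def count_rejects(log_lines: Iterable[str]) -> Counter:
    """Count rejected packets per source address (the role of fail2ban's failregex)."""
    counts: Counter = Counter()
    for line in log_lines:
        m = SRC_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ptr_under_domain(ptr: Optional[str], domain: str) -> bool:
    """True when the PTR name equals the domain or is a label-boundary subdomain of it.

    Matching on '.' + domain prevents 'notsecureserver.net' from matching
    'secureserver.net'; a missing PTR never matches.
    """
    if not ptr:
        return False
    name = ptr.rstrip(".").lower()
    dom = domain.strip(".").lower()
    return name == dom or name.endswith("." + dom)


def select_blocks(log_lines: Iterable[str],
                  resolver: Callable[[str], Optional[str]],
                  domain: str,
                  threshold: int = 3) -> List[str]:
    """Return the sorted list of sources to block.

    The resolver is only consulted for sources at or above the threshold, so the
    reverse lookups John warns about are bounded by the number of noisy sources,
    not by the number of connections.
    """
    to_block = []
    for ip, n in count_rejects(log_lines).items():
        if n < threshold:
            continue
        if ptr_under_domain(resolver(ip), domain):
            to_block.append(ip)
    return sorted(to_block)


def iptables_rules(ips: Iterable[str]) -> List[str]:
    """Render the iptables commands an action script would run for each blocked source."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def live_resolver(ip: str) -> Optional[str]:
    """Real reverse lookup for production use; returns None on NXDOMAIN or timeout."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


if __name__ == "__main__":
    blocked = select_blocks(SAMPLE_LOG.splitlines(), FAKE_PTR.get, "secureserver.net", threshold=3)
    for rule in iptables_rules(blocked):
        print(rule)  # prints the DROP rule for 192.0.2.10 only
```

Two caveats worth keeping in mind when turning this into a real fail2ban action: the PTR record is controlled by whoever runs the reverse zone, so a name is only evidence of ownership if a forward lookup of that name returns the same address (forward-confirmed reverse DNS); and since reverse zones are frequently missing or stale, a source with no PTR falls through to whatever generic per-IP threshold you already have rather than being treated as belonging to the domain.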