[isp-dns] RE: special DNS server
Spoofing authority for the handful of domains (if enough records can be harvested from the auth servers) is the simplest and most efficient. No firewall manips at all. The problem is your server answering with stale records. A thorough solution would have a script that updated the spoofed zones with current records from auth servers.

What if you run a stock BIND, and deny all traffic from the BIND

For the splat record, here's a quote from one of my DNS consulting clients who was decommissioning a couple of DNS that had been running for years and whose IPs were set up in a lot of his users' mail programs. He wanted them to stop using those servers, and BIND logging showed that his email announcement didn't work for all his users. He wanted all queries to return an A record to a web page. This is similar to Verisign's "Site Finder" subterfuge. I haven't tested this, but it's working great for him and playing with it might work for you:

"Basically, the clients desiring recursion are hard coded to my IP addresses, and will look to me for all recursive queries. I simply removed all entries from the root hints file, and turned the root hints file into a standard zone file, with a single "A" record, with * specified as the hostname. This caused the DNS server to return my specified A records for all zones that were queried."

It sounds like the spoofing plus the above would work for you.

Len
_____________________________________________________________________
http://MenAndMice.com/DNS-training : Wash DC; Atlanta; SFO; Denver; NYC
http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites
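The two techniques in the message above (serving a few domains locally, and replacing the root hints with a catch-all "splat" zone so every other name resolves to an announcement page) written out as a BIND configuration. This is an added example, not Len's or his client's configuration; the addresses 192.0.2.10 (the resolver) and 192.0.2.80 (the announcement web page), the file names, and the domain example.com are placeholders.

```bind
// named.conf fragment (added example, placeholder addresses from 192.0.2.0/24)
options {
    directory "/var/named";
    recursion yes;
    // Only the clients that still have this resolver hard coded should be
    // able to reach it; a catch-all root zone must never face the internet.
    allow-recursion { 192.0.2.0/24; };
    allow-query     { 192.0.2.0/24; };
};

// 1. The "splat" record: instead of loading root hints, declare "." as a
//    master zone whose wildcard answers every query the server receives.
zone "." {
    type master;
    file "catchall.zone";
};

// 2. "Spoofing authority" for the handful of domains that must keep working.
//    As the message notes, a master copy goes stale; if the real auth servers
//    permit zone transfers, a slave zone keeps it current without a script.
zone "example.com" {
    type master;          // or: type slave; masters { <auth server IP>; };
    file "example.com.zone";
};

; ---- catchall.zone (added example) ----
; Short TTL so clients stop caching quickly once they are repointed.
$TTL 300
@    IN SOA  ns. hostmaster.ns. ( 2024010101 3600 900 604800 300 )
@    IN NS   ns.
ns.  IN A    192.0.2.10
; The wildcard: any name under the root with no more specific entry here
; resolves to the announcement page.
*    IN A    192.0.2.80
```

To check the behaviour from one of the allowed clients, query any name the server is not otherwise authoritative for, e.g. `dig @192.0.2.10 www.example.org A`, and expect 192.0.2.80 in the answer; a name under example.com should instead return the records from example.com.zone, because names inside a separately declared zone are never matched by the root wildcard. Two caveats worth knowing before trying it: the wildcard also does not match names that have an explicit sibling entry in catchall.zone (that is why the NS name is kept to a single label, `ns.`, rather than a deeper name that would create empty parent labels), and this only affects clients that send recursive queries to this server, so anything that bypasses it is unaffected.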