[Emerging-Sigs] Blocks based on IP alone

Robert Kerr rob at rkerr.co.uk
Mon Oct 18 16:27:01 EDT 2010


On Mon, 2010-10-18 at 09:26 -0500, Martin Holste wrote:
> > This does work and works well.  We did this for awhile, but
> > unfortunately, we're not in charge of DNS, and our DNS admins were
> > only willing to update once per day, so the effectiveness quickly
> > waned.  If we could do this with real-time dynamic DNS updates, I
> > think we'd be in business.  Maybe it's time for us to have another
> > chat with our admins.  We tend to get the same fears with the DNS
> > updates that we get when advocating for an inline IPS, because any
> > time we're messing with infrastructure, we're increasing operational
> > risk.

> One follow-up on this: has anyone gotten a DNS blackhole to work with
> dynamic DNS updates?  That would be ideal.  I'm not seeing anything
> obvious on Google yet, and it's been a long, long time since I
> maintained BIND.

As Will said - you can create hosts that way but not zones. If you could
persuade your DNS admins to patch BIND then the DNS RPZ stuff may be
what you need:

 http://www.isc.org/community/blog/201007/taking-back-dns-0

You can still route all the IP addresses you would have otherwise
blocked to a single location without manipulating DNS though...

-- 
 Robert Kerr
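As an added illustration of the RPZ route Rob points to (example code written for this page, not from the thread, from ISC, or from BIND itself): the script below generates a response policy zone from a constructed list of domains and addresses, and also emits an nsupdate batch that adds the same rules to a live policy zone. That second part speaks to Martin's dynamic-update question: the policy zone is an ordinary authoritative zone, so it can be updated with RFC 2136 dynamic updates instead of a daily zone file push. The zone name `rpz.example`, the sinkhole host `sinkhole.example.net.`, and all sample names and addresses are assumptions chosen for the example.

```python
import re

# Constructed sample settings (not from the mailing-list thread).
RPZ_ZONE = "rpz.example"             # assumed name of the local policy zone
SINKHOLE = "sinkhole.example.net."   # assumed walled-garden host for redirects
# RPZ encodes the action in the CNAME target: "." = NXDOMAIN, "*." = NODATA,
# any other name = redirect the client to that name.
RPZ_ACTIONS = {"nxdomain": ".", "nodata": "*.", "sinkhole": SINKHOLE}
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Accept only plain DNS names so a malformed feed entry cannot smuggle
    extra records or directives into the generated zone text."""
    name = name.rstrip(".")
    if not 1 <= len(name) <= 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def rpz_qname_rules(domain, action="nxdomain", cover_subdomains=True):
    """RPZ QNAME trigger(s) for one domain. Owner names are relative to the
    policy zone; the CNAME target selects the action."""
    if not valid_hostname(domain):
        raise ValueError(f"refusing bad domain entry: {domain!r}")
    target = RPZ_ACTIONS[action]
    domain = domain.rstrip(".")
    rules = [f"{domain} CNAME {target}"]
    if cover_subdomains:
        rules.append(f"*.{domain} CNAME {target}")
    return rules


def rpz_ip_rule(addr, prefix=32, action="nxdomain"):
    """RPZ response-IP trigger: prefix length, then the address octets in
    reverse, under the rpz-ip label. Fires on answers containing that block,
    which is how a block 'based on IP alone' is expressed in a policy zone."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr!r}")
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    trigger = f"{prefix}." + ".".join(reversed(octets)) + ".rpz-ip"
    return f"{trigger} CNAME {RPZ_ACTIONS[action]}"


def build_rpz_zone(domains, ips, serial, action="nxdomain"):
    """Return zone file lines for a complete policy zone. Bump the serial on
    every regeneration or secondaries will keep serving the old policy."""
    lines = [
        "$TTL 60",
        f"$ORIGIN {RPZ_ZONE}.",
        f"@ SOA localhost. hostmaster.{RPZ_ZONE}. ( {serial} 3600 600 86400 60 )",
        "@ NS localhost.",
    ]
    for d in domains:
        lines.extend(rpz_qname_rules(d, action))
    for ip in ips:
        lines.append(rpz_ip_rule(ip, action=action))
    return lines


def nsupdate_batch(server, rules, ttl=60):
    """Dynamic-update batch (RFC 2136, in the form nsupdate reads on stdin)
    that installs RPZ rules in the running policy zone. Each owner is made
    fully qualified under the policy zone so nothing depends on nsupdate's
    origin handling; delete-then-add keeps repeated pushes idempotent."""
    out = [f"server {server}", f"zone {RPZ_ZONE}"]
    for rule in rules:
        owner, rtype, target = rule.split()
        fqdn = f"{owner}.{RPZ_ZONE}."
        out.append(f"update delete {fqdn} {rtype}")
        out.append(f"update add {fqdn} {ttl} {rtype} {target}")
    out.append("send")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample feed: one domain and one address, both placeholders.
    print("\n".join(build_rpz_zone(["evil.example.com"], ["10.2.3.4"], 2010101801)))
    print(nsupdate_batch("127.0.0.1", rpz_qname_rules("evil.example.com")))
```

The zone text goes in a zone `rpz.example` declared under BIND's `response-policy` option; the batch is piped to `nsupdate -k` with a TSIG key so that only the blocklist process can change the policy zone, which is the same "allow-update but not zone creation" boundary Will described, now working in your favour.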


