Hit reply instead of reply all. This is for the list.
-------------------------- Original Message --------------------------
Subject: Re: [CentOS] Can one construct an IPTables rule to block on NS records?
From: "James B. Byrne" byrnejb@harte-lyne.ca
Date: Wed, October 7, 2015 08:52
To: "John R Pierce" pierce@hogranch.com
----------------------------------------------------------------------
On Tue, October 6, 2015 13:36, John R Pierce wrote:
> On 10/6/2015 6:34 AM, Leon Fauster wrote:
>> --On Monday, October 05, 2015 10:46 AM -0400 "James B. Byrne" byrnejb@harte-lyne.ca wrote:
>>> So, is there any convenient way to construct an IPTables rule to block
>>> all IPs associated with a given Domain Name server?
>> IPs have the reverse lookup "associated" with an NS.
>> What do you mean by "associated"?
>> Do you mean all IPs that this DNS server resolves to (A records in the zone) (how do you know for which zone the NS gives authoritative answers)?
>> Or just the domain name server IPs of a given domain name (NS records)?
>> What are you trying to solve?
> I wondered much the same. Most NS servers won't allow you to do a zone transfer to find all the A/AAAA records in a given domain. Doing a reverse DNS lookup on every incoming/outgoing socket connection would be beyond painful; it would bring your network to its knees, as the reverse DNS zones are often broken.
I am well aware of the costs of DNS lookups, which is why I worded the question as broadly as I did. In the end whois provided the necessary information.
Thanks to all who replied and provided advice.
Regards
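An added example, not from the thread, of the narrow reading Leon asked about: resolve only a domain's NS hostnames to their addresses and emit matching iptables/ip6tables DROP rules, deduplicated and split by IP version. The lookup functions are pluggable because NS queries are not in the Python standard library; the zone and addresses below are constructed sample data, not real hosts.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Set

# Constructed sample data standing in for live DNS answers (hypothetical zone).
SAMPLE_NS = {"example.test": ["ns1.example.test", "ns2.example.test"]}
SAMPLE_ADDRS = {
    "ns1.example.test": ["192.0.2.53", "2001:db8::53"],
    "ns2.example.test": ["198.51.100.53", "192.0.2.53"],  # shares an IPv4 with ns1
}

def lookup_ns_sample(domain: str) -> List[str]:
    return SAMPLE_NS.get(domain, [])

def lookup_addrs_sample(host: str) -> List[str]:
    return SAMPLE_ADDRS.get(host, [])

def lookup_addrs_live(host: str) -> List[str]:
    # Stdlib A/AAAA lookup of a hostname; an NS lookup needs a DNS library, so it stays pluggable.
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]

def ns_addresses(domain: str, lookup_ns: Callable[[str], List[str]],
                 lookup_addrs: Callable[[str], List[str]]) -> Dict[str, Set]:
    """Resolve a domain's NS hostnames to addresses, deduplicated and keyed by IP version."""
    found: Dict[str, Set] = {"v4": set(), "v6": set()}
    for ns in lookup_ns(domain):
        for raw in lookup_addrs(ns):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:  # skip anything that is not a literal address
                continue
            found["v4" if ip.version == 4 else "v6"].add(ip)
    return found

def iptables_rules(domain: str, lookup_ns: Callable[[str], List[str]],
                   lookup_addrs: Callable[[str], List[str]]) -> List[str]:
    """One DROP rule per address; sorted so repeated runs give identical output."""
    addrs = ns_addresses(domain, lookup_ns, lookup_addrs)
    rules = [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(addrs["v4"])]
    rules += [f"ip6tables -A INPUT -s {ip} -j DROP" for ip in sorted(addrs["v6"])]
    return rules

if __name__ == "__main__":
    print("\n".join(iptables_rules("example.test", lookup_ns_sample, lookup_addrs_sample)))
```

This blocks only the name servers themselves, not every host in the zone they serve, which, as John notes, would need a zone transfer most servers refuse.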