On 10/6/2015 6:34 AM, Leon Fauster wrote:
> --On Monday, October 05, 2015 10:46 AM -0400 "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:
>
>> So, is there any convenient way to construct an IPTables rule to block
>> all IPs associated with a given Domain Name server?
>
> IPs have the reverse lookup "associated" with an NS.
>
> What do you mean with "associated"?
>
> Do you mean all IPs that this DNS server resolves to
> (A-Records in zone) (how do you know for what zone
> the NS gives authoritative answers)?
>
> Or just the domain name server IPs of a given
> domain name (NS records)?
>
> What are you trying to solve?

I wondered much the same.

Most NS servers won't allow you to do a zone transfer to find all the A/AAAA records in a given domain.

Doing a reverse DNS lookup on every incoming/outgoing socket connection would be beyond painful; it would bring your network to its knees, as the reverse DNS zones are often broken.

--
john r pierce, recycling bits in santa cruz
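The one interpretation of the question that is actually tractable is the second one Leon lists: block the addresses of a domain's name servers themselves (its NS records), rather than everything the zone resolves to. The script below is an added example, not code from anyone in this thread: it resolves the A/AAAA addresses of each NS host with `dig`, loads them into two ipsets (IPv4 and IPv6) via `ipset restore`, and points a single iptables/ip6tables rule at each set, so the firewall never has to do a DNS lookup per connection. The domain `example.net`, the set names `blocked-ns4`/`blocked-ns6` and the use of the INPUT chain are placeholders; `dig` (bind-utils), `ipset` and `iptables` are assumed to be installed, and the apply step needs root. Refreshing uses a temporary set plus `swap` so the block stays in force while the addresses are being replaced.

```shell
#!/bin/sh
# Added example: block the name-server addresses of a domain with ipset + iptables.
# Assumes dig, ipset, iptables and ip6tables are installed (root needed to apply).
# Domain, set names and chain below are placeholders, not values from the thread.

# Print the A and AAAA addresses of every NS host of domain $1, one per line.
# Needs network access; not exercised by the offline checks.
resolve_ns_addrs() {
    dig +short NS "$1" | sed 's/\.$//' | while read -r ns; do
        dig +short A "$ns"
        dig +short AAAA "$ns"
    done | grep -E '^[0-9a-fA-F.:]+$' | sort -u
}

# Read one address per line on stdin and write an `ipset restore` script on
# stdout. Addresses go into temporary sets that are then swapped into the
# live sets ($1 = IPv4 set name, $2 = IPv6 set name), so the live sets are
# never empty mid-refresh. Apply with: ipset -exist restore
emit_ipset_restore() {
    v4=$1 v6=$2
    echo "create $v4 hash:ip family inet"
    echo "create $v6 hash:ip family inet6"
    echo "create ${v4}-tmp hash:ip family inet"
    echo "create ${v6}-tmp hash:ip family inet6"
    echo "flush ${v4}-tmp"
    echo "flush ${v6}-tmp"
    while read -r addr; do
        case $addr in
            *:*) echo "add ${v6}-tmp $addr" ;;   # contains a colon: IPv6
            *.*) echo "add ${v4}-tmp $addr" ;;   # dotted quad: IPv4
        esac
    done
    echo "swap ${v4}-tmp $v4"
    echo "swap ${v6}-tmp $v6"
    echo "destroy ${v4}-tmp"
    echo "destroy ${v6}-tmp"
}

# Count the `add` lines in a restore script read from stdin; a refresh that
# resolved nothing (DNS outage) should be caught here rather than applied.
count_adds() {
    grep -c '^add '
}

# Insert one DROP rule per set (idempotent: -C checks before -I inserts).
install_rules() {
    iptables  -C INPUT -m set --match-set "$1" src -j DROP 2>/dev/null || \
    iptables  -I INPUT -m set --match-set "$1" src -j DROP
    ip6tables -C INPUT -m set --match-set "$2" src -j DROP 2>/dev/null || \
    ip6tables -I INPUT -m set --match-set "$2" src -j DROP
}

# Usage (as root, e.g. from cron so NS address changes are picked up):
#   script=$(resolve_ns_addrs example.net | emit_ipset_restore blocked-ns4 blocked-ns6)
#   [ "$(printf '%s\n' "$script" | count_adds)" -gt 0 ] || exit 1
#   printf '%s\n' "$script" | ipset -exist restore
#   install_rules blocked-ns4 blocked-ns6
```

Note what this does and does not cover: it blocks traffic from the NS hosts' own addresses, which is what "the domain name server IPs of a given domain name" asks for. It says nothing about the hosts inside the zone, which, as the reply above points out, cannot be enumerated without a zone transfer that the server will normally refuse.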