[CentOS] Can one construct an IPTables rule to block on NS records?

Tue Oct 6 17:36:28 UTC 2015
John R Pierce <pierce at hogranch.com>

On 10/6/2015 6:34 AM, Leon Fauster wrote:
> --On Monday, October 05, 2015 10:46 AM -0400 "James B. Byrne" <byrnejb at harte-lyne.ca> wrote:
>
>> So, is there any convenient way to construct an IPTables rule to block
>> all IPs associated with a given Domain Name server?
> IPs have the reverse lookup "associated" with a NS.
>
> What do you mean with "associated"?
>
> Do you mean all IPs that this DNS server resolves to
> (A-Records in zone) (how do you know for what zone
> the NS gives authoritative answers)?
>
> Or just the domain name server IPs of a given
> domain name (NS records)?
>
> What are you trying to solve?

I wondered much the same. Most NS servers won't allow you to do a 
zone transfer to find all the A/AAAA records in a given domain. Doing a 
reverse DNS lookup on every incoming/outgoing socket connection would be 
beyond painful; it would bring your network to its knees, as the reverse 
DNS zones are often broken.
-- 
john r pierce, recycling bits in santa cruz
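The one interpretation in this thread that is actually tractable is Leon's second one: take the NS records of a domain, resolve those nameservers to their addresses, and put those addresses in an ipset that iptables/ip6tables match on. Below is an added example of that approach (not code from the list, from John, or from CentOS). To run offline, `lookup` is a constructed stand-in for `dig +short` with made-up answers for `example.com` in documentation address ranges; in real use the body of `lookup` would be `dig +short "$1" "$2"`. The set names `blocked_ns_v4`/`blocked_ns_v6` are assumptions.

```shell
#!/bin/sh
# Stand-in for `dig +short NAME TYPE`. The answers are constructed for this
# example; replace the body with:  dig +short "$1" "$2"
lookup() {
    case "$2:$1" in
        NS:example.com)        printf '%s\n' ns1.example.com. ns2.example.com. ;;
        A:ns1.example.com.)    printf '%s\n' 192.0.2.10 ;;
        A:ns2.example.com.)    printf '%s\n' 192.0.2.20 198.51.100.5 ;;
        AAAA:ns2.example.com.) printf '%s\n' 2001:db8::53 ;;
        *) : ;;   # no answer for anything else
    esac
}

# Addresses of type $2 (A or AAAA) for every nameserver in $1's NS records,
# one per line, de-duplicated.
ns_addrs() {
    for ns in $(lookup "$1" NS); do
        lookup "$ns" "$2"
    done | sort -u
}

# Emit the ipset and iptables/ip6tables commands that drop traffic to and
# from the domain's nameservers. Printed rather than executed so they can
# be reviewed first; pipe into `sh` to apply.
block_cmds() {
    domain=$1
    echo "ipset create blocked_ns_v4 hash:ip family inet -exist"
    for ip in $(ns_addrs "$domain" A); do
        echo "ipset add blocked_ns_v4 $ip -exist"
    done
    echo "ipset create blocked_ns_v6 hash:ip family inet6 -exist"
    for ip in $(ns_addrs "$domain" AAAA); do
        echo "ipset add blocked_ns_v6 $ip -exist"
    done
    echo "iptables -I INPUT -m set --match-set blocked_ns_v4 src -j DROP"
    echo "iptables -I OUTPUT -m set --match-set blocked_ns_v4 dst -j DROP"
    echo "ip6tables -I INPUT -m set --match-set blocked_ns_v6 src -j DROP"
    echo "ip6tables -I OUTPUT -m set --match-set blocked_ns_v6 dst -j DROP"
}

block_cmds example.com
```

Note what this does not do: it blocks the nameservers themselves, not every host whose records they serve, which is exactly the enumeration John says a zone transfer would be needed for. Using an ipset rather than one iptables rule per address keeps the rule set short and lets the set be refreshed from cron without touching the iptables chains.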