Hit reply instead of reply all. This is for the list.

-------------------------- Original Message --------------------------
Subject: Re: [CentOS] Can one construct an IPTables rule to block on NS records?
From: "James B. Byrne" <byrnejb at harte-lyne.ca>
Date: Wed, October 7, 2015 08:52
To: "John R Pierce" <pierce at hogranch.com>
----------------------------------------------------------------------

On Tue, October 6, 2015 13:36, John R Pierce wrote:
> On 10/6/2015 6:34 AM, Leon Fauster wrote:
>> --On Monday, October 05, 2015 10:46 AM -0400 "James B.
>> Byrne" <byrnejb at harte-lyne.ca> wrote:
>>
>>> So, is there any convenient way to construct an IPTables rule to
>>> block all IPs associated with a given Domain Name server?
>>
>> IPs have the reversed lookup "associated" with an NS.
>>
>> What do you mean with "associated"?
>>
>> Do you mean all IPs that this DNS server resolves to
>> (A-Records in zone) (how do you know for what zone
>> the NS gives authoritative answers)?
>>
>> Or just the domain name server IPs of a given
>> domain name (NS records)?
>>
>> What are you trying to solve?
>
> I wondered much the same. Most NS servers won't allow you to do a
> zone transfer to find all the A/AAAA records in a given domain. Doing
> a reverse DNS lookup on every incoming/outgoing socket connection would
> be beyond painful; it would bring your network to its knees as the
> reverse DNS zones are often broken.
>

I am well aware of the costs of DNS lookups, which is why I worded the
question as broadly as I did. In the end whois provided the necessary
information.

Thanks to all who replied and provided advice.

Regards

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3