[CentOS] [Fwd: Re: Can one construct an IPTables rule to block on NS records?]

Wed Oct 7 12:53:11 UTC 2015
James B. Byrne <byrnejb at harte-lyne.ca>

Hit reply instead of reply all.  This is for the list.

-------------------------- Original Message --------------------------
Subject: Re: [CentOS] Can one construct an IPTables rule to block on
NS records?
From:    "James B. Byrne" <byrnejb at harte-lyne.ca>
Date:    Wed, October 7, 2015 08:52
To:      "John R Pierce" <pierce at hogranch.com>

On Tue, October 6, 2015 13:36, John R Pierce wrote:
> On 10/6/2015 6:34 AM, Leon Fauster wrote:
>> --On Monday, October 05, 2015 10:46 AM -0400 "James B.
>> Byrne"<byrnejb at harte-lyne.ca>  wrote:
>>>> So, is there any convenient way to construct an IPTables rule to
>>>> block all IPs associated with a given Domain Name server?
>> IPs have the reversed lookup "associated" with a NS.
>> What do you mean with "associated"?
>> Do mean all IPs that this DNS server resolves to
>> (A-Records in zone) (how do know for what zone
>> the NS gives authoritative answers)?
>> Or just the domain name server IPs of a given
>> domain name (NS records)?
>> What are you trying to solve?
> I wondered much the same.  Most NS servers won't allow you to do a
> zone transfer to find all the A/AAAA records in a given domain.  Doing
> a reverse DNS lookup on every incoming/outgoing socket connection would
> be beyond painful; it would bring your network to its knees, as the
> reverse DNS zones are often broken.

I am well aware of the costs of DNS lookups, which is why I worded the
question as broadly as I did.  In the end whois provided the necessary

Thanks to all who replied and provided advice.


***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
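For readers who land on this thread wanting the second thing Leon described (block the nameserver hosts of a domain, i.e. the addresses behind its NS records), the script below is an added example, not code from this thread or from CentOS. It resolves the NS records once, validates the A/AAAA answers, and emits ipset/iptables commands that load the addresses into a set, so the firewall never performs a per-connection DNS lookup (the cost John warned about). The domain, hostnames and addresses in the sample table are constructed (RFC 5737/3849 ranges); the resolver is injectable, so the sample runs offline and `dig_resolver` is the only part that touches the network.

```python
"""Added example (not code from the CentOS thread): resolve a domain's NS
records to addresses and emit ipset/iptables commands that block those
nameserver hosts.  Addresses are resolved once and loaded into an ipset,
so the firewall never does a per-connection DNS lookup.  The resolver is
injectable; the sample data below is constructed (RFC 5737/3849 ranges)."""
import ipaddress
import re
import shlex
import subprocess
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]

# Constructed stand-in for `dig +short` answers.  Hypothetical hostnames.
SAMPLE_RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("example.net", "NS"): ["ns1.example.net.", "ns2.example.net."],
    ("ns1.example.net.", "A"): ["192.0.2.53"],
    ("ns1.example.net.", "AAAA"): ["2001:db8::53"],
    ("ns2.example.net.", "A"): ["198.51.100.53", "198.51.100.54"],
    ("ns2.example.net.", "AAAA"): ["not-an-address"],  # junk a resolver may print
}


def sample_resolver(name: str, rrtype: str) -> List[str]:
    """Offline resolver over the constructed table above."""
    return list(SAMPLE_RECORDS.get((name, rrtype), []))


def dig_resolver(name: str, rrtype: str) -> List[str]:
    """Live resolver: shells out to `dig +short` (needs network and bind-utils)."""
    proc = subprocess.run(["dig", "+short", rrtype, name],
                          capture_output=True, text=True, check=False)
    return [ln.strip() for ln in proc.stdout.splitlines() if ln.strip()]


def nameserver_addresses(domain: str, resolve: Resolver) -> Dict[str, List[str]]:
    """Map each NS host of `domain` to its validated A/AAAA addresses.

    `dig +short` can emit CNAME targets or other non-address lines, so every
    answer is parsed with ipaddress and anything that does not parse is dropped.
    """
    out: Dict[str, List[str]] = {}
    for ns in resolve(domain, "NS"):
        addrs: List[str] = []
        for rrtype in ("A", "AAAA"):
            for answer in resolve(ns, rrtype):
                try:
                    addrs.append(str(ipaddress.ip_address(answer)))
                except ValueError:
                    continue
        out[ns] = addrs
    return out


def set_name(domain: str, family: int) -> str:
    """ipset names: keep to [A-Za-z0-9_], at most 31 characters."""
    base = re.sub(r"[^A-Za-z0-9]", "_", domain.rstrip("."))
    return f"blk_{base}_v{family}"[:31]


def block_commands(domain: str, resolve: Resolver) -> List[str]:
    """Build the shell commands that create the sets, fill them, and hook them
    into INPUT/OUTPUT with one iptables rule per direction and address family."""
    v4, v6 = set_name(domain, 4), set_name(domain, 6)
    cmds = [
        f"ipset -exist create {v4} hash:ip family inet comment",
        f"ipset -exist create {v6} hash:ip family inet6 comment",
    ]
    for ns, addrs in sorted(nameserver_addresses(domain, resolve).items()):
        for addr in addrs:
            target = v4 if ipaddress.ip_address(addr).version == 4 else v6
            cmds.append(f"ipset -exist add {target} {addr} comment {shlex.quote(ns)}")
    for tool, s in (("iptables", v4), ("ip6tables", v6)):
        cmds.append(f"{tool} -I INPUT -m set --match-set {s} src -j DROP")
        cmds.append(f"{tool} -I OUTPUT -m set --match-set {s} dst -j DROP")
    return cmds


if __name__ == "__main__":
    # Swap sample_resolver for dig_resolver to run against real DNS.
    print("\n".join(block_commands("example.net", sample_resolver)))
```

Two caveats match the points raised in the thread. This blocks only the nameserver hosts themselves; enumerating every host a zone serves would need a zone transfer, which most servers refuse. And NS addresses change, so the set should be rebuilt from a cron job rather than treated as permanent; the whois-derived netblocks James ended up with could be loaded the same way into a `hash:net` set instead of `hash:ip`.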