How do I block dnscache from responding to a single IP address?
Mar 3rd, 2003 20:09
Brian Coogan,
If I have an ip/10 file to allow dnscache to answer all queries coming
from 10.x.x.x hosts, how would I set up things to answer queries from
all 10.x.x.x hosts except 10.52.24.241 without needing to ban all of
10.x.x.x?
Answer:
Create ip/10.* files covering all ranges specifically other than the
address (or range of addresses) you want to ignore.
For instance, to allow 10.x.x.x but ignore 10.52.24.241:
cd /service/dnscache/root/ip
# one file per second octet except 52, per third octet of 10.52 except 24,
# and per fourth octet of 10.52.24 except 241; the ranges start at 0 so that
# 10.0.x.x, 10.52.0.x and 10.52.24.0 are still answered
for FFF in `seq 0 51` `seq 53 255`; do touch 10.$FFF; done
for FFF in `seq 0 23` `seq 25 255`; do touch 10.52.$FFF; done
for FFF in `seq 0 240` `seq 242 255`; do touch 10.52.24.$FFF; done
rm 10
This same technique works for both permanently and temporarily blocking
an IP address from querying a dnscache server.
See http://cr.yp.to/djbdns/dnscache.html for further details.
Note: "seq" is a command that prints all numbers between and including
the first and second arguments, i.e. "seq 1 3" prints "1 2 3". As seq
may not be available in all Unix flavours, a trivial script to
implement it would be:
#! /bin/sh
# seq FIRST LAST: print the integers from FIRST to LAST, one per line
awk 'BEGIN { for (i = '"$1"'; i <= '"$2"'; i++) print i; exit }'
(As an aside, seq is part of the GNU shellutils:
http://www.gnu.org/software/shellutils/shellutils.html
You may have the "jot" command instead. "jot 256 0" prints the same
output as "seq 0 255".)
You could also block an IP range with firewall rules in your version of
Unix; that may or may not be an easier point for you to manage such
things.
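The same approach for any prefix and excluded address, as an added example that is not part of the original entry: gen_ip_files and would_answer are names chosen here, not djbdns tools, and would_answer mirrors the per-query prefix lookup dnscache performs on ip/ (full client address first, then one octet shorter each time).

```shell
#!/bin/sh
# gen_ip_files DIR PREFIX EXCLUDED: populate a dnscache ip/ directory so that
# every address under PREFIX is answered except EXCLUDED, e.g.
#   gen_ip_files /service/dnscache/root/ip 10 10.52.24.241
# Only POSIX sh is used, so neither seq nor jot is required.
gen_ip_files() {
  dir=$1; prefix=$2; excl=$3
  case "$excl" in
    "$prefix".*) ;;              # the excluded address must lie below the prefix
    *) echo "gen_ip_files: $excl is not under $prefix" >&2; return 1 ;;
  esac
  mkdir -p "$dir" || return 1
  rm -f "$dir/$prefix"           # a blanket ip/10 would defeat the exclusion
  rest=${excl#"$prefix".}        # octets still to expand, e.g. 52.24.241
  cur=$prefix
  while [ -n "$rest" ]; do
    case "$rest" in
      *.*) octet=${rest%%.*}; rest=${rest#*.} ;;
      *)   octet=$rest;       rest= ;;
    esac
    i=0
    while [ "$i" -le 255 ]; do   # allow every sibling of the excluded octet
      if [ "$i" -ne "$octet" ]; then : > "$dir/$cur.$i"; fi
      i=$((i + 1))
    done
    cur=$cur.$octet
    rm -f "$dir/$cur"            # no ip/10.52, ip/10.52.24 or ip/10.52.24.241
  done
}

# would_answer DIR IP: succeed if dnscache would accept a query from IP.
# dnscache looks for a file named after the client address, then strips one
# trailing octet at a time (10.52.24.241, 10.52.24, 10.52, 10) until one exists.
would_answer() {
  dir=$1; p=$2
  while :; do
    if [ -e "$dir/$p" ]; then return 0; fi
    case "$p" in
      *.*) p=${p%.*} ;;
      *)   return 1 ;;
    esac
  done
}
```

Running gen_ip_files against the live ip/ directory takes effect for subsequent queries without restarting dnscache, which is what makes the temporary-ban use above practical.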