Date: Tue, 16 Nov 1999 23:36:46 -0800 (PST) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: sthaug@nethelp.no Cc: freebsd-security@FreeBSD.ORG Subject: Re: Tracing Spoofed Packets Message-ID: <199911170736.XAA20577@gndrsh.dnsmgr.net> In-Reply-To: <87189.942820529@verdi.nethelp.no> from "sthaug@nethelp.no" at "Nov 17, 1999 07:35:29 am"
next in thread | previous in thread | raw e-mail | index | archive | help
> > That reminds me of a hack I started working on that someone really should > > do. In gated for routing we have the ``martians list'' of ip addresses > > that it won't listen to nobody nohow about routing for, well, it would > > be really sweet if bind/named could also have this, so that these bogus > > NS records with RFC1918 addresses in them (mostly due to misconfigured > > internal nameservers leaking info to the internet) could be easily ignored > > by those of us who know how to do it correctly. > > BIND already does a similar thing for 0.0.0.0, 127.0.0.1 etc. See the > code from BIND 8.2.2-P3 src/bin/named/ns_forw.c included below. It > should be easy enough to extend this list - but it would be even better > if the list was configurable, of course. Yea... there is the code that needs hacked^H^H^H^Hfixed to take a config list of addresses. Hard coding this in the source was a mistake, it also leaves out lots of potential ``Bogus''. And, for some of us refuses some data that is actually valid to us: netstat -rn ... OSPF-ALL.MCAST.NET localhost UH 1 607 lo0 OSPF-DSIG.MCAST.NE localhost UH 1 4 lo0 I can't do a forward look up on OSPF-ALL.MCAST.NET due to the code below, something that I would like to do (okay, so I already hacked my named not to reject this one, and hacked it to reject a lot of others, but it is just that, a bunch of hacks!!) Someone with some time on thier hands please de hardcode these addresses, add a configuration item (I like the gated name of ``martians'') and submit it to Vixie for the next release...) or maybe even ask Paul about doing it... > > Steinar Haug, Nethelp consulting, sthaug@nethelp.no > ---------------------------------------------------------------------- > if (ina_hlong(ina_get(dp->d_data)) == INADDR_ANY) { > static const char *complaint = > "Bogus (0.0.0.0) A RR"; > nslookupComplain(sysloginfo, syslogdname, > complaint, dname, dp, nsdp); > continue; > } > #ifdef INADDR_LOOPBACK > if (ina_hlong(ina_get(dp->d_data))==INADDR_LOOPBACK) { > static const char *complaint = > "Bogus LOOPBACK A RR"; > nslookupComplain(sysloginfo, syslogdname, > complaint, dname, dp, nsdp); > continue; > } > #endif > #ifdef INADDR_BROADCAST > if (ina_hlong(ina_get(dp->d_data))==INADDR_BROADCAST){ > static const char *complaint = > "Bogus BROADCAST A RR"; > nslookupComplain(sysloginfo, syslogdname, > complaint, dname, dp, nsdp); > continue; > } > #endif > #ifdef IN_MULTICAST > if (IN_MULTICAST(ina_hlong(ina_get(dp->d_data)))) { > static const char *complaint = > "Bogus MULTICAST A RR"; > nslookupComplain(sysloginfo, syslogdname, > complaint, dname, dp, nsdp); > continue; > } > #endif > -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199911170736.XAA20577>