Date:      Wed, 17 Nov 1999 07:35:29 +0100
From:      sthaug@nethelp.no
To:        freebsd@gndrsh.dnsmgr.net
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Tracing Spoofed Packets
Message-ID:  <87189.942820529@verdi.nethelp.no>
In-Reply-To: Your message of "Tue, 16 Nov 1999 20:12:44 -0800 (PST)"
References:  <199911170412.UAA20102@gndrsh.dnsmgr.net>

> That reminds me of a hack I started working on that someone really should
> do.  In gated for routing we have the ``martians list'' of ip addresses
> that it won't listen to nobody nohow about routing for, well, it would
> be really sweet if bind/named could also have this, so that these bogus
> NS records with RFC1918 addresses in them (mostly due to misconfigured
> internal nameservers leaking info to the internet) could be easily ignored
> by those of us who know how to do it correctly.

BIND already does a similar thing for 0.0.0.0, 127.0.0.1 etc. See the
code from BIND 8.2.2-P3 src/bin/named/ns_forw.c included below. It
should be easy enough to extend this list - but it would be even better
if the list was configurable, of course.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
			if (ina_hlong(ina_get(dp->d_data)) == INADDR_ANY) {
				static const char *complaint =
					"Bogus (0.0.0.0) A RR";
				nslookupComplain(sysloginfo, syslogdname,
						 complaint, dname, dp, nsdp);
				continue;
			}
#ifdef INADDR_LOOPBACK
			if (ina_hlong(ina_get(dp->d_data))==INADDR_LOOPBACK) {
				static const char *complaint =
					"Bogus LOOPBACK A RR";
				nslookupComplain(sysloginfo, syslogdname,
						 complaint, dname, dp, nsdp);
				continue;
			}
#endif
#ifdef INADDR_BROADCAST
			if (ina_hlong(ina_get(dp->d_data))==INADDR_BROADCAST){
				static const char *complaint = 
					"Bogus BROADCAST A RR";
				nslookupComplain(sysloginfo, syslogdname,
						 complaint, dname, dp, nsdp);
				continue;
			}
#endif
#ifdef IN_MULTICAST
			if (IN_MULTICAST(ina_hlong(ina_get(dp->d_data)))) {
				static const char *complaint =
					"Bogus MULTICAST A RR";
				nslookupComplain(sysloginfo, syslogdname,
						 complaint, dname, dp, nsdp);
				continue;
			}
#endif
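The hard-coded checks above reject four fixed addresses or ranges. The configurable "martians list" the thread asks for is a small generalization: a table of prefixes, each with its own complaint string, walked for every A RR before the address is trusted as a nameserver. The following C program is an added example and is not code from BIND or from this message; the prefix table (the four ranges BIND 8 rejects plus the RFC 1918 and link-local blocks), the function names `martian_reason`, `parse_ipv4`, `check_a_rr` and `filter_ns_addrs`, and the sample glue addresses are all assumptions constructed for illustration.

```c
/* Added example (not BIND code): a table-driven martian filter for IPv4
 * addresses found in A RRs, generalizing the fixed INADDR_ANY / LOOPBACK /
 * BROADCAST / MULTICAST tests in BIND 8's ns_forw.c to a configurable list.
 * Prefixes, names and sample data below are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct martian {
    uint32_t net;        /* network address, host byte order */
    unsigned prefix;     /* prefix length in bits, 0..32 */
    const char *why;     /* complaint text, in the style of nslookupComplain() */
};

/* Hypothetical configured list: BIND 8's four ranges plus RFC 1918 and link-local. */
static const struct martian martians[] = {
    { 0x00000000u,  8, "Bogus (0.0.0.0/8) A RR" },
    { 0x0A000000u,  8, "Bogus RFC1918 (10/8) A RR" },
    { 0x7F000000u,  8, "Bogus LOOPBACK A RR" },
    { 0xA9FE0000u, 16, "Bogus LINK-LOCAL (169.254/16) A RR" },
    { 0xAC100000u, 12, "Bogus RFC1918 (172.16/12) A RR" },
    { 0xC0A80000u, 16, "Bogus RFC1918 (192.168/16) A RR" },
    { 0xE0000000u,  4, "Bogus MULTICAST A RR" },
    { 0xFFFFFFFFu, 32, "Bogus BROADCAST A RR" },
};

/* Netmask for a /len prefix; len == 0 is special-cased because a 32-bit
 * shift by 32 is undefined behaviour in C. */
static uint32_t prefix_mask(unsigned len)
{
    return len == 0 ? 0u : 0xFFFFFFFFu << (32 - len);
}

/* Return the complaint for a martian address (host byte order), or NULL
 * when the address is usable unicast. First matching prefix wins. */
const char *martian_reason(uint32_t addr)
{
    size_t i;
    for (i = 0; i < sizeof martians / sizeof martians[0]; i++) {
        uint32_t m = prefix_mask(martians[i].prefix);
        if ((addr & m) == (martians[i].net & m))
            return martians[i].why;
    }
    return NULL;
}

/* Strict dotted-quad parser: exactly four octets 0..255, no trailing text.
 * Returns 1 and fills *out (host byte order) on success, 0 otherwise. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Text-level check: NULL for a usable address, the martian complaint for a
 * filtered one, or "unparseable A RR" for input that is not an address. */
const char *check_a_rr(const char *text)
{
    uint32_t addr;
    if (!parse_ipv4(text, &addr))
        return "unparseable A RR";
    return martian_reason(addr);
}

/* Walk candidate nameserver addresses the way ns_forw.c walks glue A RRs:
 * complain about and skip martians, keep the rest. `good` may be NULL to
 * count only; at most `cap` addresses are stored. Returns the number kept. */
size_t filter_ns_addrs(const char *const *addrs, size_t n, uint32_t *good, size_t cap)
{
    size_t i, kept = 0;
    for (i = 0; i < n; i++) {
        const char *why = check_a_rr(addrs[i]);
        if (why != NULL) {
            fprintf(stderr, "%s: %s\n", addrs[i], why); /* stands in for nslookupComplain() */
            continue;
        }
        if (good != NULL && kept < cap)
            parse_ipv4(addrs[i], &good[kept]);
        kept++;
    }
    return kept;
}

/* Constructed sample glue, as a leaky internal nameserver might publish it. */
static const char *const sample_glue[] = {
    "192.0.2.53", "10.1.2.3", "192.168.0.1", "127.0.0.1",
    "224.0.0.251", "255.255.255.255", "198.51.100.7", "999.1.1.1"
};
#define SAMPLE_GLUE_N (sizeof sample_glue / sizeof sample_glue[0])

int main(void)
{
    uint32_t good[8];
    size_t n = filter_ns_addrs(sample_glue, SAMPLE_GLUE_N, good, 8);
    printf("%zu usable nameserver address(es)\n", n);
    return 0;
}
```

Of the eight constructed glue addresses only 192.0.2.53 and 198.51.100.7 survive; the five martians are logged with their table entry's complaint and the malformed one is rejected by the parser. Making the table loadable from named.conf rather than compiled in is the remaining step the message asks for, and the lookup itself does not change.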