From owner-freebsd-security Tue Nov 16 22:35:35 1999
Delivered-To: freebsd-security@freebsd.org
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (Postfix) with SMTP id 290D814ECE for ; Tue, 16 Nov 1999 22:35:30 -0800 (PST) (envelope-from sthaug@nethelp.no)
Received: (qmail 87191 invoked by uid 1001); 17 Nov 1999 06:35:29 +0000 (GMT)
To: freebsd@gndrsh.dnsmgr.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Tracing Spoofed Packets
From: sthaug@nethelp.no
In-Reply-To: Your message of "Tue, 16 Nov 1999 20:12:44 -0800 (PST)"
References: <199911170412.UAA20102@gndrsh.dnsmgr.net>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Wed, 17 Nov 1999 07:35:29 +0100
Message-ID: <87189.942820529@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> That reminds me of a hack I started working on that someone really should
> do. In gated for routing we have the ``martians list'' of ip addresses
> that it won't listen to nobody nohow about routing for, well, it would
> be really sweet if bind/named could also have this, so that these bogus
> NS records with RFC1918 addresses in them (mostly due to misconfigured
> internal nameservers leaking info to the internet) could be easily ignored
> by those of us who know how to do it correctly.

BIND already does a similar thing for 0.0.0.0, 127.0.0.1 etc. See the code
from BIND 8.2.2-P3 src/bin/named/ns_forw.c included below. It should be
easy enough to extend this list - but it would be even better if the list
was configurable, of course.
Steinar Haug, Nethelp consulting, sthaug@nethelp.no

----------------------------------------------------------------------

	/*
	 * ns_forw.c: while walking the A RRs found for a nameserver name,
	 * skip addresses that can never be a usable nameserver. Each case
	 * logs a complaint and moves on to the next RR.
	 */
	if (ina_hlong(ina_get(dp->d_data)) == INADDR_ANY) {
		static const char *complaint = "Bogus (0.0.0.0) A RR";
		nslookupComplain(sysloginfo, syslogdname, complaint,
				 dname, dp, nsdp);
		continue;
	}
#ifdef INADDR_LOOPBACK
	if (ina_hlong(ina_get(dp->d_data)) == INADDR_LOOPBACK) {
		static const char *complaint = "Bogus LOOPBACK A RR";
		nslookupComplain(sysloginfo, syslogdname, complaint,
				 dname, dp, nsdp);
		continue;
	}
#endif
#ifdef INADDR_BROADCAST
	if (ina_hlong(ina_get(dp->d_data)) == INADDR_BROADCAST) {
		static const char *complaint = "Bogus BROADCAST A RR";
		nslookupComplain(sysloginfo, syslogdname, complaint,
				 dname, dp, nsdp);
		continue;
	}
#endif
#ifdef IN_MULTICAST
	if (IN_MULTICAST(ina_hlong(ina_get(dp->d_data)))) {
		static const char *complaint = "Bogus MULTICAST A RR";
		nslookupComplain(sysloginfo, syslogdname, complaint,
				 dname, dp, nsdp);
		continue;
	}
#endif

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
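The BIND 8 checks above hard-code four cases, one `if` each. The suggestion in the thread is a configurable "martians" list that also covers RFC 1918 space. The C below is an added example written for this page, not code from BIND or from either poster: a small prefix-list filter that reproduces the four built-in cases as prefixes (0.0.0.0/32, 127.0.0.0/8 rather than BIND's single 127.0.0.1, 255.255.255.255/32, 224.0.0.0/4), adds the three RFC 1918 blocks, and lets an operator append further prefixes in CIDR notation. The function and type names (`martian_list`, `martian_add`, `ns_addr_is_bogus`) are invented for the example; `martian_match` takes the address in host byte order, the same form `ina_hlong()` yields in the quoted snippet, so it could sit where those `if` blocks are. The sample glue addresses in `main` are constructed for illustration.

```c
/* Added example (not BIND code): a configurable "martians" filter for
 * nameserver A RRs, generalising the hard-coded checks in ns_forw.c.
 * Names below are invented for this example. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MARTIANS 32

struct prefix { uint32_t net; uint32_t mask; };   /* host byte order */

struct martian_list {
    struct prefix p[MAX_MARTIANS];
    int n;
};

/* Parse "a.b.c.d/len" into a prefix. Returns 0 on success, -1 on bad input. */
static int parse_prefix(const char *s, struct prefix *out)
{
    char buf[32], *slash, *end;
    struct in_addr a;
    long len;

    if (strlen(s) >= sizeof buf) return -1;
    strcpy(buf, s);
    slash = strchr(buf, '/');
    if (slash == NULL) return -1;
    *slash = '\0';
    len = strtol(slash + 1, &end, 10);
    if (*end != '\0' || len < 0 || len > 32) return -1;
    if (inet_pton(AF_INET, buf, &a) != 1) return -1;
    out->mask = (len == 0) ? 0 : 0xffffffffu << (32 - len);
    out->net  = ntohl(a.s_addr) & out->mask;   /* canonicalise the network */
    return 0;
}

/* Append a CIDR prefix to the list (operator configuration). */
static int martian_add(struct martian_list *l, const char *cidr)
{
    if (l->n >= MAX_MARTIANS) return -1;
    if (parse_prefix(cidr, &l->p[l->n]) != 0) return -1;
    l->n++;
    return 0;
}

/* What BIND 8 rejects today, expressed as prefixes, plus RFC 1918. */
static int martian_defaults(struct martian_list *l)
{
    static const char *const defaults[] = {
        "0.0.0.0/32", "127.0.0.0/8", "255.255.255.255/32", "224.0.0.0/4",
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    };
    size_t i;
    l->n = 0;
    for (i = 0; i < sizeof defaults / sizeof defaults[0]; i++)
        if (martian_add(l, defaults[i]) != 0) return -1;
    return 0;
}

/* addr in host byte order, as ina_hlong() returns. Returns the index of
 * the matching prefix, or -1 if the address is acceptable for an NS. */
static int martian_match(const struct martian_list *l, uint32_t addr)
{
    int i;
    for (i = 0; i < l->n; i++)
        if ((addr & l->p[i].mask) == l->p[i].net) return i;
    return -1;
}

/* Dotted-quad wrapper: 1 = bogus, 0 = acceptable, -1 = not an IPv4 address. */
static int ns_addr_is_bogus(const struct martian_list *l, const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return -1;
    return martian_match(l, ntohl(a.s_addr)) >= 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed NS glue, the kind a leaky internal server might hand out. */
    static const char *const glue[] = {
        "192.168.1.53", "10.0.0.1", "172.31.255.254", "172.32.0.1",
        "0.0.0.0", "127.0.0.1", "158.36.41.162", "192.0.2.1",
    };
    struct martian_list l;
    size_t i;

    if (martian_defaults(&l) != 0) return 1;
    martian_add(&l, "192.0.2.0/24");   /* operator-added prefix (example) */
    for (i = 0; i < sizeof glue / sizeof glue[0]; i++)
        printf("%-16s %s\n", glue[i],
               ns_addr_is_bogus(&l, glue[i]) == 1 ? "Bogus A RR, skipped"
                                                   : "ok");
    return 0;
}
```

Inside named the wrapper would not be needed; the walk over A RRs already has the address as a host-order long, so a single `if (martian_match(&l, ina_hlong(ina_get(dp->d_data))) >= 0)` followed by the existing `nslookupComplain(); continue;` replaces the four `#ifdef` blocks, and the list can be filled from a config file instead of `martian_defaults`.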