On 10/11/2010 2:44 PM, Nuno Paquete wrote:

Ok, but you can always browse by IP address and in this case there is no DNS server that can stop you from browsing what you want. If you want to block IP address access you have to use a firewall, or if you are talking about http traffic and have a proxy, maybe you have to block there. That's why I completely agree this should not be blocked at DNS level.

To nitpick: address-block-based filtering *could* be implemented in DNS. The same mechanisms that are used to prevent "rebinding" attacks -- e.g. BIND's *deny-answer-addresses* -- could theoretically be repurposed to strip addresses in certain "banned" ranges from DNS responses. Arguably this is a misuse/abuse of the feature.

- Kevin
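
Added example, not part of the original message and not taken from any real deployment: a named.conf fragment showing deny-answer-addresses in its intended rebinding-protection role on a recursive resolver. The internal ranges and the zone name "corp.example" are assumptions chosen for illustration.

```conf
// named.conf fragment for a recursive resolver (constructed example).
// Assumption: "corp.example" is the organization's own zone and is
// expected to resolve to internal addresses.
options {
    recursion yes;

    // Rebinding protection: a response whose answer section carries an
    // A or AAAA record inside any of these ranges is rejected.
    deny-answer-addresses {
        127.0.0.0/8;        // IPv4 loopback
        10.0.0.0/8;         // RFC 1918 private space
        172.16.0.0/12;
        192.168.0.0/16;
        169.254.0.0/16;     // IPv4 link-local
        ::1/128;            // IPv6 loopback
        fc00::/7;           // IPv6 unique local
        fe80::/10;          // IPv6 link-local
    }
    // Query names matching this list are exempt from the filter, so the
    // organization's own names can still return internal addresses.
    except-from { "corp.example"; };
};
```

When a response matches, named discards the entire message without caching it and returns SERVFAIL to the client. Clients that connect by IP address never consult the resolver, so this setting has no effect on them.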

bind-users mailing list
