> On 19 Mar 2019, at 14:10, Ted Lemon <mel...@fugue.com> wrote:
> 
> On Mar 19, 2019, at 3:50 AM, Eliot Lear <l...@cisco.com> wrote:
>> It might also be possible to whitelist ANSWERs into iptables. I wrote the 
>> code for that for a dnscap plugin some years ago, and you could even play 
>> with it if you want (it’s on GitHub), but I’m not suggesting it’s a good 
>> general answer (it was intended for a very specific use case involving 
>> relatively few domains for (hopefully cooperating) IoT devices).  As you 
>> point out, it won’t tackle shared IP addresses, and quite frankly, little 
>> CPE gear won’t scale with a gazillion iptables entries (I’m not sure big 
>> gear would either).
> 
> Link?
> 


Sure.  It’s my branch off of dnscap.  https://github.com/elear/dnscap.
See plugins/aclm.  Limited doc is available, but anyone who wants to play
just let me know.

Eliot
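
The approach discussed in this message (allowlisting DNS ANSWER addresses into iptables for a few IoT domains), sketched as an added example that is not part of the original e-mail and is not the aclm plugin's code. The policy domain, device addresses, sample responses and function names are constructed assumptions; the sketch also reports the shared-IP case the thread mentions.

```python
import ipaddress

ALLOWED = ("iot-vendor.example",)                # constructed policy (assumption)
DEVICE = {4: "10.0.0.23", 6: "2001:db8:1::23"}   # constructed device addresses

def norm(name):
    return name.rstrip(".").lower()

def name_allowed(qname, suffixes=ALLOWED):
    """True if qname is an allowed domain or a subdomain of one."""
    q = norm(qname)
    return any(q == s or q.endswith("." + s) for s in suffixes)

def answer_addresses(qname, records):
    """Follow CNAMEs from qname through one ANSWER section; return {addr: ttl}."""
    chain, grew = {norm(qname)}, True
    while grew:  # iterate to a fixpoint so record order does not matter
        grew = False
        for owner, rtype, rdata, _ttl in records:
            if rtype == "CNAME" and norm(owner) in chain and norm(rdata) not in chain:
                chain.add(norm(rdata))
                grew = True
    return {str(ipaddress.ip_address(rdata)): ttl
            for owner, rtype, rdata, ttl in records
            if rtype in ("A", "AAAA") and norm(owner) in chain}

def build_acl(responses, now, device=DEVICE):
    """Return (rules, expiry, shared) for a list of (qname, answer_records)."""
    expiry, elsewhere = {}, set()
    for qname, records in responses:
        addrs = answer_addresses(qname, records)
        if name_allowed(qname):
            for addr, ttl in addrs.items():  # rule lifetime = address record TTL
                expiry[addr] = max(expiry.get(addr, 0), now + ttl)
        else:
            elsewhere.update(addrs)          # addresses seen for non-policy names
    rules = []
    for addr in sorted(expiry):
        ver = ipaddress.ip_address(addr).version
        tool = "iptables" if ver == 4 else "ip6tables"
        rules.append(f"{tool} -A FORWARD -s {device[ver]} -d {addr} -j ACCEPT")
    return rules, expiry, elsewhere & set(expiry)

# Constructed sample responses: (query name, [(owner, type, rdata, ttl), ...])
RESPONSES = [
    ("api.iot-vendor.example.", [("api.iot-vendor.example.", "CNAME", "edge.cdn.example.", 300),
                                 ("edge.cdn.example.", "A", "192.0.2.10", 60)]),
    ("ads.tracker.example.", [("ads.tracker.example.", "A", "192.0.2.10", 60)]),
    ("fw.iot-vendor.example.", [("fw.iot-vendor.example.", "AAAA", "2001:db8::5", 120)]),
]
```

The third return value lists allowlisted addresses that also answered for a name outside the policy, which is where an address-based rule admits more than the domain it was created for.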


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
