Jason Noble wrote, at 09/11/2008 08:08 AM:
> On Wed, 2008-09-10 at 16:35 +0200, mouss wrote:
>> Jorey Bump wrote:
>>>
>>> Set up a separate DNS server if you want to block ad sites for your
>>> LAN users. I do this, but I simply make the local DNS server
>>> authoritative for the offensive domains (or subdomains) and point them
>>> all to the same zone file, which has no A records defined. Why anyone
>>> would point these to 127.0.0.1 or any other IP address is beyond me.
>>>
>>
>> and is even dangerous. it allows a stranger to make you do a query on a 
>> local service. with CSRF and XSS attacks being so common these days, 
>> this is unwise. What would happen if say you get to click on
>>      http://127.0.0.1:1234/disable_firewall
>> ?
>>
>> this is also the reason why it is not recommended to put private IPs in 
>> public dns zones (foo.example.com -> 192.168.1.2).
>>
>>
> 
> What about just pointing to 0.0.0.0

That can be even worse, since 0.0.0.0 is reserved for the default
network. See RFC 3330 (http://tools.ietf.org/html/rfc3330#section-2):

   0.0.0.0/8 - Addresses in this block refer to source hosts on "this"
   network.  Address 0.0.0.0/32 may be used as a source address for this
   host on this network; other addresses within 0.0.0.0/8 may be used to
   refer to specified hosts on this network [RFC1700, page 4].

Don't be surprised if you ping 0.0.0.0 and it hits 127.0.0.1 (depending
on the platform).

On my local DNS server (using bind) at the end of named.conf, I put this
line:

 include "/var/named/dummy.conf";

dummy.conf defines the zones of various spamming domains, all pointing
to the same file, with my server set as master:

 zone "example.com" {
        type master;
        file "master/dummy";
        allow-transfer { localhost; };
 };

 zone "adserver.example.net" {
        type master;
        file "master/dummy";
        allow-transfer { localhost; };
 };

/var/named/master/dummy is a simple zone file with no A records defined,
so lookups on the domain will return nothing, and subdomains will always
fail with NXDOMAIN:

 $TTL    1d
 @   IN      SOA     ns.localdomain. hostmaster.ns.localdomain. (
                        2006121001 ; serial
                        8h ; refresh
                        2h ; retry
                        7d ; expire
                        1h ; minimum (negative caching TTL for NXDOMAIN answers)
                        )
 ;
 ; Name servers
 ;
 @   IN      NS      ns.localdomain.

But this is getting off-topic. Note that this is only for serving
recursive lookups to my local network. I would never have Postfix or any
other important service use this for a resolver.

On a related note, one of the authoritative DNS servers (ns.voloper.com)
for your domain (polezero.com), allows recursive lookups from the
Internet. That's crazy. You should drop it or ask voloper.com to disable
recursive lookups.
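As an added example, not part of the original post and not BIND's own tooling, here is a small Python generator for the dummy.conf stanzas shown above. It reads a constructed blocklist (the domains in it are placeholders), validates each entry as a hostname, and drops names whose parent is also listed, since the empty zone already answers NXDOMAIN for every subdomain of a sinkholed domain.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample blocklist for this example (not a real list): one name per line, '#' comments.
BLOCKLIST = """
adserver.example.net
example.com
tracker.example.com   # redundant: the empty example.com zone already yields NXDOMAIN
EXAMPLE.COM.          # duplicate after normalisation
not a domain!         # rejected: not a valid hostname
"""

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """True if 'name' (lower-cased, no trailing dot) is a syntactically valid hostname with >= 2 labels."""
    labels = name.split(".")
    return 1 <= len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)


def plan_zones(text: str) -> Tuple[List[str], List[str]]:
    """Normalise the blocklist; return (zone names to declare, rejected entries)."""
    names, rejected = set(), []
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not name:
            continue
        if valid_hostname(name):
            names.add(name)
        else:
            rejected.append(name)

    def covered(n: str) -> bool:
        # Is any proper parent of n (e.g. example.com for tracker.example.com) also listed?
        parts = n.split(".")
        return any(".".join(parts[i:]) in names for i in range(1, len(parts) - 1))

    return sorted(n for n in names if not covered(n)), rejected


# Same stanza shape as the dummy.conf quoted in the post; the zone file path is assumed.
ZONE = '''zone "{name}" {{
        type master;
        file "master/dummy";
        allow-transfer {{ localhost; }};
}};
'''


def render_dummy_conf(zones: Iterable[str]) -> str:
    """Emit one named.conf 'zone' stanza per sinkholed domain."""
    return "\n".join(ZONE.format(name=z) for z in zones)


if __name__ == "__main__":
    zones, bad = plan_zones(BLOCKLIST)
    print(render_dummy_conf(zones))
    for entry in bad:
        print(f"; skipped invalid entry: {entry}")
```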

