Re: block ddns by name

2012-02-23 Thread Melbinger Christian
Hi

Thank you, I think this will do the trick... just have to make sure if the dhcp 
uses signed updates or by ip - because it only works with signed updates. I 
think it's by ip, since there's no such key config in dhcpd.conf :(

Thanks!

---
Ing. Christian Melbinger
Netzwerk & Security

WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at


-Original Message-
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On behalf of Tony Finch
Sent: Thursday, 16 February 2012 14:37
To: Melbinger Christian
Cc: bind-users@lists.isc.org
Subject: Re: block ddns by name

Melbinger Christian christian.melbin...@wienit.at wrote:

> Does anyone know if there is a way to prevent the creation of certain
> records - by name?

http://ftp.isc.org/isc/bind9/cur/9.7/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies

Based on that, something like the following should do what you want:

update-policy {
deny * name internal.example.com;
# ...
};

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Shannon: Westerly or southwesterly 5 or 6, but 4 until later in far south.
Moderate or rough. Occasional rain or drizzle. Moderate or good.



WienIT EDV Dienstleistungsgesellschaft mbH & Co KG, A-1030 Wien, 
Thomas-Klestil-Platz 6,
FN 255974h, Handelsgericht Wien, DVR: 2109667, UID-Nr. ATU61260824
Personally liable partner:
WienIT EDV Dienstleistungsgesellschaft mbH, A-1030 Wien, Thomas-Klestil-Platz 6,
FN 255649f, Handelsgericht Wien, UID-Nr. ATU61296118
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: block ddns by name

2012-02-17 Thread Chris Buxton
On Feb 16, 2012, at 7:22 AM, Tom Schmitt wrote:

> > From: Tony Finch d...@dotat.at
> >
> > > Does anyone know if there is a way to prevent the creation of certain
> > > records - by name?
> >
> > update-policy {
> > deny * name internal.example.com;
> > # ...
> > };
>
> Hi,
>
> I have a quite similar question but can't figure it out from the doc for 
> update-policy:
>
> I have a few DHCP-clients which are sending really stupid hostnames to the 
> DHCP and via DHCP they get into my DNS zones.
>
> Example: A few IP-phones are sending as their hostname eight times xFF. And 
> this non-printable name is then in DNS where I (and a few older nameservers) 
> don't want it.
>
> So is there something possible like
> update-policy { deny * name /^a-zA-Z0-9_\-/; };
> ?
>
> (For those who don't speak regex: deny all names with something in it that is 
> not a letter, digit, underscore or dash.)

Does a check-names policy achieve this? I'm honestly not sure.

BTW: _ is not a valid hostname character. And your regex needs brackets:

/[^a-zA-Z0-9_-]/

But no, update-policy doesn't support regular expressions.

Regards,
Chris Buxton
BlueCat Networks
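The two practical points made in this thread, Tony's update-policy deny-by-name rule and Chris's remarks that "_" is not a valid hostname character and that update-policy has no regex support, can be exercised together. The following Python script is an added example, not code from anyone on this list or from ISC: it reproduces the matching semantics of the update-policy rule types `name` (exact owner name only) and `subdomain` (the name and everything below it), and puts a check-names style hostname test in front of them, which is the kind of filter one can run on the DHCP side before an update is ever sent. The zone name internal.mycompany.com, the deny list and the sample hostnames are constructed for the example.

```python
import re

# RFC 952/1123 hostname label: ASCII letters, digits and hyphens, not starting
# or ending with a hyphen, 1 to 63 octets. Underscore is deliberately excluded,
# which is the point Chris Buxton makes about "_".
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def _labels(name):
    """Split an absolute or relative DNS name into labels, ignoring a trailing dot."""
    return name.rstrip(".").split(".")


def is_hostname(name):
    """check-names style test: every label must be a legal hostname label and the
    whole name must fit in 253 octets. Returns False for names such as the
    eight-byte 0xFF string the IP phones in the thread send."""
    if len(name.rstrip(".")) > 253:
        return False
    return all(LABEL_RE.fullmatch(label) for label in _labels(name))


def matches_rule(name, rule_type, rule_name):
    """Reproduce the matching semantics of two update-policy rule types:
    'name' matches only the exact owner name, 'subdomain' matches the name
    itself and every name below it. Comparison is case-insensitive, as DNS
    name comparison is."""
    n = name.rstrip(".").lower()
    r = rule_name.rstrip(".").lower()
    if rule_type == "name":
        return n == r
    if rule_type == "subdomain":
        return n == r or n.endswith("." + r)
    raise ValueError("unsupported rule type: " + rule_type)


# Constructed deny list for the situation in the thread. The zone name
# internal.mycompany.com is an assumption; internal.internal.mycompany.com is
# the name the original poster wants to keep out of the zone entirely.
DENY_RULES = [
    ("name", "localhost.internal.mycompany.com"),
    ("subdomain", "internal.internal.mycompany.com"),
]


def update_verdict(name, deny_rules=DENY_RULES):
    """Decide whether a DDNS add for `name` should go through. Returns
    (allowed, reason). Intended to run before the update leaves the DHCP
    server, where a character-set check is possible even though update-policy
    itself cannot express one."""
    if not is_hostname(name):
        return (False, "not a valid hostname (check-names would reject it)")
    for rule_type, rule_name in deny_rules:
        if matches_rule(name, rule_type, rule_name):
            return (False, f"matches deny rule: {rule_type} {rule_name}")
    return (True, "allowed")


if __name__ == "__main__":
    # Constructed sample hostnames as a DHCP server might receive them.
    samples = [
        "phone-01.internal.mycompany.com",
        "\xff" * 8 + ".internal.mycompany.com",
        "my_phone.internal.mycompany.com",
        "localhost.internal.mycompany.com",
        "INTERNAL.internal.mycompany.com",
        "host.internal.internal.mycompany.com",
        "localhost2.internal.mycompany.com",
    ]
    for sample in samples:
        allowed, reason = update_verdict(sample)
        print(f"{sample!r}: {'ALLOW' if allowed else 'REFUSE'} ({reason})")
```

Run it directly to see a verdict for each sample. Two caveats are worth keeping in mind. A `name` rule only matches the exact owner name, so a rule written with `name` for internal.internal.mycompany.com would leave host.internal.internal.mycompany.com alone, which is why the example uses `subdomain` for that entry. And, as Christian notes earlier in the thread, update-policy only applies to signed updates: when dhcpd sends unsigned updates that BIND permits by IP address, the filtering has to happen before the update leaves the DHCP server, which is where a check like the one above belongs.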


block ddns by name

2012-02-16 Thread Melbinger Christian
Hi

Does anyone know if there is a way to prevent the creation of certain records - 
by name?
Basically I want to prevent the creation of localhost and internal on my 
internal zone. (looks like SAP has a problem if there is a localhost A-rec 
pointing to another ip than 127.0.0.1) (and MS AD if there is any 
internal.internal.mycompany.com A-rec)

As a workaround I could create a localhost-entry pointing to 127.0.0.1 and set 
dhcp to not overwrite any record. But this would not help with the internal 
rec, because such one simply must not exist.

Config:
Clients are not allowed to perform any ddns updates, the dhcp performs these. 
So I could filter in dhcp or bind

Currently running:
BIND 9.7.3-P3
DHCP 3.1-ESV-R3

Soon upgrading to:
BIND 9.7.4-P1
DHCP 4.1-ESV-R4

Thanks for any help

And DO NOT ASK who calls their machines localhost or internal - I don't even 
want to know.






Re: block ddns by name

2012-02-16 Thread Tom Schmitt
> From: Tony Finch d...@dotat.at
>
> > Does anyone know if there is a way to prevent the creation of certain
> > records - by name?
>
> update-policy {
> deny * name internal.example.com;
> # ...
> };

Hi,

I have a quite similar question but can't figure it out from the doc for 
update-policy:

I have a few DHCP-clients which are sending really stupid hostnames to the DHCP 
and via DHCP they get into my DNS zones.

Example: A few IP-phones are sending as their hostname eight times xFF. And 
this non-printable name is then in DNS where I (and a few older nameservers) 
don't want it.

So is there something possible like
update-policy { deny * name /^a-zA-Z0-9_\-/; };
?

(For those who don't speak regex: deny all names with something in it that is not 
a letter, digit, underscore or dash.)

Tom.

