Re: block ddns by name
Hi

Thank you, I think this will do the trick... just have to make sure if the dhcp uses signed updates or by ip - because it only works with signed updates.
I think it's by ip, since there's no such key config in dhcpd.conf :(

Thanks!

---
Ing. Christian Melbinger
Network Security
WienIT EDV Dienstleistungsgesellschaft mbH Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at

-----Original Message-----
From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
Sent: Thursday, 16 February 2012 14:37
To: Melbinger Christian
Cc: bind-users@lists.isc.org
Subject: Re: block ddns by name

Melbinger Christian christian.melbin...@wienit.at wrote:
> Does anyone know if there is a way to prevent the creation of certain records - by name?

http://ftp.isc.org/isc/bind9/cur/9.7/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies

Based on that, something like the following should do what you want:

    update-policy {
        deny * name internal.example.com;
        # ...
    };

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Shannon: Westerly or southwesterly 5 or 6, but 4 until later in far south. Moderate or rough. Occasional rain or drizzle. Moderate or good.

WienIT EDV Dienstleistungsgesellschaft mbH Co KG, A-1030 Wien, Thomas-Klestil-Platz 6, FN 255974h, Commercial Court of Vienna, DVR: 2109667, VAT ID ATU61260824
General partner with personal liability: WienIT EDV Dienstleistungsgesellschaft mbH, A-1030 Wien, Thomas-Klestil-Platz 6, FN 255649f, Commercial Court of Vienna, VAT ID ATU61296118

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
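Added example (an editorial illustration, not written by anyone in this thread): the signed-update setup that the reply above says the deny rule depends on, with the deny rules placed before a grant. The key name dhcp-ddns, the zone name internal.mycompany.com (inferred from the original question), the file name, the server address, the algorithm and the secret placeholder are all assumptions.

```conf
# --- named.conf (BIND side) ---
key "dhcp-ddns" {
    algorithm hmac-md5;                   # assumption: must match the dhcpd key below
    secret "REPLACE_WITH_BASE64_SECRET";  # placeholder, not a real key
};

zone "internal.mycompany.com" {
    type master;
    file "db.internal.mycompany.com";     # hypothetical file name
    # update-policy is used instead of allow-update; a zone cannot have both.
    update-policy {
        # Rules are checked in order and the first match decides,
        # so the deny rules go before the grant.
        deny  dhcp-ddns name localhost.internal.mycompany.com. ANY;
        deny  dhcp-ddns name internal.internal.mycompany.com. ANY;
        grant dhcp-ddns subdomain internal.mycompany.com. A TXT;
    };
};

# --- dhcpd.conf (ISC DHCP side) ---
key dhcp-ddns {
    algorithm hmac-md5;
    secret REPLACE_WITH_BASE64_SECRET;    # same placeholder secret as above
}

zone internal.mycompany.com. {
    primary 127.0.0.1;   # assumption: named runs on the same host as dhcpd
    key dhcp-ddns;       # sign updates for this zone with the key above
}
```

A `key` statement inside the `zone` block of dhcpd.conf is the "key config" the reply looks for; without it dhcpd sends unsigned updates for that zone.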
Re: block ddns by name
On Feb 16, 2012, at 7:22 AM, Tom Schmitt wrote:

> From: Tony Finch d...@dotat.at
>
>>> Does anyone know if there is a way to prevent the creation of certain records - by name?
>>
>> update-policy {
>>     deny * name internal.example.com;
>>     # ...
>> };
>
> Hi,
>
> I have a quite similar question but can't figure it out from the doc for update-policy:
>
> I have a few DHCP-clients which are sending really stupid hostnames to the DHCP and via DHCP they got into my DNS zones.
> Example: A few IP-phones are sending as their hostname eight times xFF. And this not printable name is then in DNS where I (and a few older nameservers) don't want it.
>
> So is there something possible like
>
> update-policy {
>     deny * name /^a-zA-Z0-9_\-/;
> };
>
> ?
>
> (For those who don't speak regex: deny all names with something in it what is no letter or digit or underscore or dash.)

Does a check-names policy achieve this? I'm honestly not sure.

BTW: _ is not a valid hostname character. And your regex needs brackets:

    /[^a-zA-Z0-9_-]/

But no, update-policy doesn't support regular expressions.

Regards,
Chris Buxton
BlueCat Networks
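Added example (an editorial illustration, not written by anyone in this thread): because update-policy cannot match on a pattern, the character check asked about above has to run outside BIND, for instance as an audit of hostnames that DHCP clients supply. The function names, the reserved-label set and the sample input are assumptions constructed for this sketch.

```python
import re

# Letters, digits and hyphen only; no leading or trailing hyphen; 1..63 bytes.
# Underscore is deliberately excluded, as noted in the reply above.
_LDH_LABEL = re.compile(rb"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Labels that must never be registered dynamically (taken from the thread's
# original question; adjust for the local zone).
RESERVED_LABELS = {b"localhost", b"internal"}


def check_client_hostname(raw: bytes, reserved=RESERVED_LABELS):
    """Return (ok, reason) for a hostname as sent by a DHCP client.

    The input is bytes because clients may send arbitrary octets
    (for example eight 0xFF bytes), not necessarily valid text.
    """
    if not raw:
        return False, "empty name"
    name = raw.rstrip(b".")
    if len(name) > 253:
        return False, "name too long"
    labels = name.split(b".")
    for label in labels:
        if not _LDH_LABEL.fullmatch(label):
            return False, "label %r is not letter-digit-hyphen" % label
    if labels[0].lower() in reserved:
        return False, "label %r is reserved" % labels[0]
    return True, "ok"


def audit(names):
    """Return the names that fail the check, mapped to the reason."""
    return {n: r for n in names for ok, r in [check_client_hostname(n)] if not ok}


# Constructed sample input, not taken from a real lease file.
SAMPLES = [b"ws-0421", b"\xff" * 8, b"localhost", b"Internal",
           b"phone_17", b"-lab", b"printer.floor3"]

if __name__ == "__main__":
    for name, reason in audit(SAMPLES).items():
        print(name, "->", reason)
```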
block ddns by name
Hi

Does anyone know if there is a way to prevent the creation of certain records - by name?

Basically I want to prevent the creation of localhost and internal on my internal zone.
(looks like SAP has a problem if there is a localhost A-rec pointing to another ip than 127.0.0.1)
(and MS AD if there is any internal.internal.mycompany.com A-rec)

As a workaround I could create a localhost-entry pointing to 127.0.0.1 and set dhcp to not overwrite any record.
But this would not help with the internal rec, because such one simply must not exist.

Config:
Clients are not allowed to perform any ddns updates, the dhcp performs these.
So I could filter in dhcp or bind

Currently running:
BIND 9.7.3-P3
DHCP 3.1-ESV-R3

Soon upgrading to:
BIND 9.7.4-P1
DHCP 4.1-ESV-R4

Thanks for any help

And DO NOT ASK who calls their machines localhost or internal - I don't even want to know.

---
Ing. Christian Melbinger
Network Security
WienIT EDV Dienstleistungsgesellschaft mbH Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at
Re: block ddns by name
From: Tony Finch d...@dotat.at

>> Does anyone know if there is a way to prevent the creation of certain records - by name?
>
> update-policy {
>     deny * name internal.example.com;
>     # ...
> };

Hi,

I have a quite similar question but can't figure it out from the doc for update-policy:

I have a few DHCP-clients which are sending really stupid hostnames to the DHCP and via DHCP they got into my DNS zones.
Example: A few IP-phones are sending as their hostname eight times xFF. And this not printable name is then in DNS where I (and a few older nameservers) don't want it.

So is there something possible like

    update-policy {
        deny * name /^a-zA-Z0-9_\-/;
    };

?

(For those who don't speak regex: deny all names with something in it what is no letter or digit or underscore or dash.)

Tom.