BIND problem

Corey Edwards tensai at
Fri Sep 23 10:19:43 MDT 2005

On Fri, 2005-09-23 at 09:41 -0600, Michael Torrie wrote:
> On Thu, 2005-09-22 at 16:13 -0600, Corey Edwards wrote:
> > I'm doing that for a few zones, actually. The one caveat is that
> > will *not* work. Generally speaking, that
> > shouldn't be a problem.
> I've figured out a way to do what I want to do.  This is a horrible
> abuse of DNS, but it works.  Basically I run the * domain,
> but I also host a few sites like and
> that are coming from my DMZ.  The problem is that
> from inside my private network, due to translation issues, I cannot
> directly access the outside IP address that maps to the private IP
> address of the server inside my DMZ.  So in order to give access to
> these sites for my users inside my private network, I have to intercept
> DNS requests for these sites and return the private IP address instead
> of the public one.  So I ended up setting up an authoritative zone file
> for each of my hosted sites with just one entry in it. For example:
> $TTL 10800      ; 3 hours
>      IN SOA (
>                                 1        ; serial
>                                 10800      ; refresh (3 hours)
>                                 3600       ; retry (1 hour)
>                                 604800     ; expire (1 week)
>                                 3600       ; minimum (1 hour)
>                                 )
>                         NS
> $TTL 10800      ; 3 hours
>      IN      A
> This pretends that is actually a DNS domain in its own
> right, but with only itself as the sole IP address in this domain.
> I have to make a separate zone for each of my hosted sites, but that's
> not too bad.  Anything that is * passes through just fine, even
> * or *

Sounds just like the problem I was having which prompted me to figure
this out. It's been working fine for many months, so I expect it'll work
fine for you too.

> Thanks for suggesting this idea.  With a little modification it works
> well for me.  If you wanted to block you could probably
> do something similar.

I want to block *all* of /. and in fact I have been. I went /. free cold
turkey and I highly recommend it to everyone.
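The per-site override zones discussed in this thread, as an added example that is not from either poster: a small generator that emits the same one-record zone shape shown above plus the matching `named.conf` stanza, and two checks a practitioner would want before deploying it. The nameserver, hostmaster and zone-directory names are assumptions, and the private-address check is restricted to RFC 1918 space because the override is only meant to point at a DMZ host's private address.

```python
import ipaddress

# Same layout as the zone quoted in the thread: SOA, NS, and a single A
# record at the apex (blank owner continues the "@" owner name).
ZONE_TEMPLATE = """$TTL 10800      ; 3 hours
@   IN SOA {ns}. {admin}. (
        {serial}    ; serial
        10800       ; refresh (3 hours)
        3600        ; retry (1 hour)
        604800      ; expire (1 week)
        3600        ; minimum (1 hour)
        )
    NS  {ns}.
    IN  A   {ip}
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True only for RFC 1918 space (not the broader ipaddress.is_private set)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def make_zone(host: str, private_ip: str, ns: str = "ns.internal.example",
              admin: str = "hostmaster.internal.example", serial: int = 1) -> str:
    """Return a one-record override zone for HOST answering PRIVATE_IP.

    Refuses non-RFC 1918 targets: an override that hands internal clients a
    public address defeats the purpose and hides NAT misconfiguration.
    """
    if not is_rfc1918(private_ip):
        raise ValueError(f"{host}: {private_ip} is not an RFC 1918 address")
    return ZONE_TEMPLATE.format(ns=ns, admin=admin, serial=serial, ip=private_ip)


def named_conf_stanza(host: str, zone_dir: str = "/etc/bind/internal") -> str:
    """Assumed zone directory; matches the per-host zone file convention."""
    return f'zone "{host}" {{\n    type master;\n    file "{zone_dir}/{host}.zone";\n}};\n'


def shadowed_names(hosts: list[str]) -> list[tuple[str, str]]:
    """Caveat from the thread made explicit: each override zone is authoritative
    for everything *below* HOST, so a second hosted name underneath an
    overridden one would get NXDOMAIN internally. Returns (shadowed, by) pairs."""
    return [(other, h) for h in hosts for other in hosts
            if other != h and other.endswith("." + h)]
```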

