[Unbound-users] preventing host lookup/reply
Chris Smith
fixie at chrissmith.org
Fri Feb 18 20:46:51 UTC 2011
Specifically in this case I want to prevent wpad.<whatever> lookups.
Seems I can refuse to answer the query with:
local-zone: "wpad.<whatever>." refuse
or send effectively invalid information:
local-data: "wpad.<whatever>. A 127.0.0.1" - or via a stub-zone auth
server (nsd) method
The network in question has a mix of corporate-owned and privately
owned systems; the users have full control over their privately owned
systems, however they must use the local unbound cache for DNS as only
the server running unbound has egress to port 53. DHCP assigns only
this one DNS server to the internal clients.
Is one more effective than the other? Does a refusal effectively stop
further inquiries from the client? Or would it free up the client
sooner, longer or more effectively to send it the localhost address?
Is one possibly more effective against a rogue DNS server on the
network? Or against a rogue system with a hostname of wpad (maybe
advertising itself via NetBIOS - hopefully static wins entries prevent
this - or some other method)?
Thank you,
Chris
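For reference, an added unbound.conf fragment (not part of the original post) that puts the two answers the post describes side by side with a third one, an NXDOMAIN via a `static` local-zone; `<whatever>` is the post's placeholder for the local domain suffix:

```conf
# Added example, not from the original post: ways to answer wpad.<whatever>
# queries from unbound. Replace <whatever> with the real local domain suffix.
server:
    # Option 1 (from the post): answer with rcode REFUSED and no records.
    # Some stub resolvers treat REFUSED like a server failure and may retry
    # or move on to another server, so the client is not told the name
    # does not exist.
    local-zone: "wpad.<whatever>." refuse

    # Option 2 (from the post): positive answer pointing at the client itself.
    # The name resolves, so a WPAD-capable client tries to fetch
    # http://wpad.<whatever>/wpad.dat from 127.0.0.1 and fails at the TCP
    # connect rather than at the DNS step.
    # local-zone: "wpad.<whatever>." static
    # local-data: "wpad.<whatever>. A 127.0.0.1"

    # Option 3: authoritative NXDOMAIN. A "static" zone serves only the
    # local-data it has and answers NXDOMAIN for everything else, so with no
    # local-data the client receives a definite "no such name" instead of a
    # refusal, which is what WPAD discovery expects when autoconfig is absent.
    # local-zone: "wpad.<whatever>." static
```

Only one of the three variants should be active at a time; `unbound-checkconf` validates the file before a reload.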