
Reverse DNS Lookup

Status
Not open for further replies.

someone6162

IS-IT--Management
Jun 10, 2006
10
CA
Is there a way to block "reverse" DNS lookups while still allowing "forward" DNS lookups?

"Forward" DNS Lookup: returns the IP given a domain name (allow this)

"Reverse" DNS Lookup: returns the domain name given an IP (don't allow this!)

It's simply because I provide internet service to some tenants, some of which like to snoop around and ping things for the hell of it (which my ISP doesn't like). I've blocked pings on the network, and would like to know if it's possible to block "reverse" DNS lookups also.
 
You could do this, but you need a local DNS server.

Have everyone point to the local DNS box, and then make the local DNS box the SOA for the 0.0.0.0/0 subnet.

Since nothing is in your local table, they can't reverse anything.

I'd do 2 servers for redundancy, and then just block DNS out to the Internet except for your 2 DNS boxes.


BuckWeet
 
Do you have a DNS server on site? If so, can't you apply an ACL to only allow your DNS server to make requests to the ISP, disallow any other device through, and then the clients would have to make their requests to the local DNS server.
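The two replies above describe the same design: every tenant resolves through a local DNS box that answers reverse (PTR) queries itself with an empty result, while an ACL lets only that box talk to the ISP's resolvers on port 53. Below is an added example of the resolver half of that design, written for this page and not code from either poster. It is a small UDP filter that parses an incoming query, answers anything under in-addr.arpa / ip6.arpa (or any PTR query) with an authoritative NXDOMAIN, and forwards everything else to an upstream resolver. The upstream address (192.0.2.53, a documentation address), the function names and the sample query are all assumptions made here; the ACL blocking tenants' direct port-53 traffic is still required, because this filter only matters if tenants cannot bypass it, and it does nothing about a tenant who pastes the IP into a web-based lookup service.

```python
import socket
import struct

# Assumed upstream resolver (ISP's DNS); 192.0.2.53 is a documentation-only address.
UPSTREAM = ("192.0.2.53", 53)

QTYPE_PTR = 12
RCODE_NXDOMAIN = 3


def parse_name(data, offset):
    """Read an uncompressed DNS name at `offset`; return (name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def parse_query(data):
    """Return (txid, qname, qtype) for a single-question DNS query packet."""
    if len(data) < 12:
        raise ValueError("short packet")
    txid, _flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = parse_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
    return txid, qname, qtype


def is_reverse_lookup(qname, qtype):
    """True for anything that would map an address back to a name."""
    return (qtype == QTYPE_PTR
            or qname in ("in-addr.arpa", "ip6.arpa")
            or qname.endswith(".in-addr.arpa")
            or qname.endswith(".ip6.arpa"))


def build_nxdomain(query):
    """Echo the question back with QR=1, AA=1, RA=1, RCODE=NXDOMAIN and no records."""
    txid, flags, _qdcount = struct.unpack("!HHH", query[:6])
    rd = flags & 0x0100                       # preserve the client's RD bit
    flags = 0x8000 | 0x0400 | rd | 0x0080 | RCODE_NXDOMAIN
    _name, qend = parse_name(query, 12)
    question = query[12:qend + 4]             # name + qtype + qclass
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def handle_query(data, forward):
    """Answer reverse lookups locally; hand everything else to `forward(data)`."""
    _txid, qname, qtype = parse_query(data)
    if is_reverse_lookup(qname, qtype):
        return build_nxdomain(data)
    return forward(data)


def build_query(qname, qtype, txid=0x1234):
    """Build a plain recursion-desired query (used here to construct sample input)."""
    packet = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.split("."):
        packet += bytes([len(label)]) + label.encode("ascii")
    return packet + b"\x00" + struct.pack("!HH", qtype, 1)


def forward_upstream(data):
    """Relay the raw query to UPSTREAM over UDP and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(data, UPSTREAM)
        return s.recv(4096)


def serve(bind=("0.0.0.0", 53)):
    """Run the filter; binding port 53 needs root. Tenants point their resolver here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            data, client = s.recvfrom(4096)
            try:
                s.sendto(handle_query(data, forward_upstream), client)
            except ValueError:
                pass  # malformed or multi-question query: drop it


if __name__ == "__main__":
    # Constructed sample: a reverse lookup for 1.2.3.4 is answered locally with NXDOMAIN.
    reply = handle_query(build_query("4.3.2.1.in-addr.arpa", QTYPE_PTR), forward_upstream)
    print("rcode for reverse lookup:", reply[3] & 0x0F)
    serve()
```

Real resolvers (BIND, Unbound) can do the same thing by declaring an empty authoritative in-addr.arpa and ip6.arpa zone; the hand-rolled filter is only meant to make the query-level behaviour visible.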
 
Well, I don't "officially" have a DNS server onsite. But, what I do is get my router to relay the DNS requests. I did this by using the "IP dns server spoofing" command.

Can I still prevent reverse DNS lookups?
 
I suspect that this is more work than is needed for something that they can work around with a 5-second Google search, e.g., google for 'Reverse DNS lookup' and the first response is for a service which will do it for you. I suspect you don't want to block port 80 to prevent them using such services!

If they really are problematic, then change the terms of service and only give them web access through a proxy, with all other ports blocked.

Although, personally I see nothing wrong with ping, whois, nmap etc. unless it's hampering other people's access (i.e., DoS). It's like walking down every street in a city looking at buildings and noting down which ones have doors open: suspicious, but not illegal.

Rand
 
