Cutting Off BIND


If BIND does not reduce its activity enough, you have other options for keeping the network connection from going up. You can cut off BIND from the Internet. However, you must still ensure that master servers are online long enough and often enough that the slave servers don't expire the zones.

Doing this is quite technical and can require passwords and triggering commands by command line, GUI, Web, or some other interface. If a user does not have the necessary expertise and access rights to perform this, the user will be unable to both cut off BIND and cut BIND back in. Working without a functioning name service can be quite frustrating, as can being called to help the person trying to get connected to the Net.

All the software solutions can be regulated in two ways. One way is to regulate them by timer. For example, you can cut off BIND at 6 p.m. and restore connectivity at 7 a.m. The second way to regulate it is by command. You could have whoever is the first to arrive at the office in the morning execute a set of commands to bring up BIND, and then have whoever is last to leave at night execute a set of commands to cut it off. You could even combine these methods so that anyone coming in early or staying late could override the timed commands and get DNS and the Internet connection up. Of all the ways to cut off BIND, I like the software solutions least. They're complex, and if they fail, you're the one who gets called to come in and fix them, usually while you're home on a Sunday afternoon watching football.

Pulling the Plug

The simplest way to cut off BIND is by simply pulling the plug of the phone, the Ethernet connection, or the router's power supply. Disabling the connection or any other necessary equipment is similarly effective. I recommend all these methods to clients.

These methods have several advantages:

  • Documenting how they work is simple.

  • Everyone will understand how they work.

  • Anyone can cut off BIND when they come in or leave because it's simple to understand, implement, and debug, even for non-technical staff.

Killing BIND

Killing BIND has the advantage of being quite simple, but it causes the cache to die with named and all the cached RRs to be lost. However, this is not a big disadvantage. To implement it, simply run, as root, ndc stop on your nameserver to cut it off and ndc start to bring it back.

Packet Filter Rules

Packet filtering is mainly associated with firewalls, but it can be performed by some dedicated routers, too. If your dial-up router is capable of performing packet filtering, it can stop DNS packets and thereby stop BIND from tying up your line. Filtering packets destined to the outside world on TCP or UDP port 53 makes DNS traffic incapable of reaching the dial-up interface. Some routers can perform packet filtering, as can all the free UNIX versions (the BSDs and Linux). However, I would not recommend purchasing a firewall just to stop BIND from bringing your dial-up connection up. After all, you want to save money, not spend money. A commercial firewall easily can cost much more than many years of phone bills.

You must be careful when blocking traffic. If your nameserver and router are the same box, filtering incoming traffic alone is not enough: queries originating in named itself leave through the output side and will not be stopped. The following example, which filters outgoing traffic, works with Linux 2.2:

 # ipchains -A output -p TCP -d 0.0.0.0/0.0.0.0 53 -j REJECT
 # ipchains -A output -p UDP -d 0.0.0.0/0.0.0.0 53 -j REJECT

This stops traffic on port 53, TCP, and UDP with any destination address. For DNS to work again, the rules must be deleted. (Instead of showing an example of this, I'll leave it as an exercise for the reader.)
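The timer and command regulation described earlier, and the rule deletion left as an exercise above, can be combined in one small script. This is an added example written for this page, not a script from the book; it assumes a Linux 2.2 host with ipchains, as in the rules above, and the script name dns-gate is hypothetical.

```shell
#!/bin/sh
# dns-gate: cut outbound DNS off from (and back onto) the dial-up line with
# ipchains, so named cannot trigger auto-dial after hours. Hypothetical helper
# written for this page, not from the book. Assumes Linux 2.2 and ipchains.
#
# Timer regulation from cron, or command regulation by hand:
#   0 18 * * *  /usr/local/sbin/dns-gate off   # cut off at 6 p.m.
#   0 7  * * *  /usr/local/sbin/dns-gate on    # restore at 7 a.m.

IPCHAINS="${IPCHAINS:-ipchains}"   # overridable so the logic can be dry-run

# Emit one rule for the output chain: $1 is -A (append) or -D (delete),
# $2 is the protocol. Matching on the output chain is what catches queries
# that originate in named on this box, which an input filter would miss.
dns_rule() {
    "$IPCHAINS" "$1" output -p "$2" -d 0.0.0.0/0.0.0.0 53 -j REJECT
}

# Block DNS over both transports: UDP for ordinary queries, TCP for
# zone transfers and retries of truncated responses.
dns_cutoff() {
    dns_rule -A TCP && dns_rule -A UDP
}

# Delete the same two rules again. ipchains -D removes the first rule that
# matches the given specification, so the spec must match the -A one exactly.
dns_restore() {
    dns_rule -D TCP && dns_rule -D UDP
}

case "${1:-}" in
    off) dns_cutoff ;;
    on)  dns_restore ;;
    "")  ;;                       # run without arguments: do nothing
    *)   echo "usage: $0 on|off" >&2; exit 2 ;;
esac
```

Because the destination is 0.0.0.0/0, the rules also stop queries to any nameserver on your own LAN; narrow -d to the networks reached over the ISDN line if local resolution must keep working while the line is down.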

Auto-Dialing

The problem, seen from this perspective, is auto-dialing. DNS causes traffic, and the auto-dial mechanism takes the line up when you want it to be down. Disabling the auto-dial function and then hanging up the line is a good solution. The way to do this is OS/appliance dependent, but I won't get into that here.

On the other hand, when in a manual dial setting, the line easily can be taken up by a forced dial command or by simply setting the interface back to auto-dialing.

IP Routing and Interfaces

Another way, which is available on all UNIX versions and routers, is to modify the routing table or disable the external interface.

The following is a simple command to disable the external interface (Ethernet or PPP) and all traffic over it:

 # ifconfig ippp0 down 

However, this won't work if your auto-dialer takes the interface up on demand.

In addition, your ISDN line is probably the default router of your network. So, if you remove the default router, no network traffic will find its way to the ISDN line. The exact command to accomplish this will vary, but the following will usually do the trick:

 # route del default 

Keep in mind, though, that this won't be very effective unless you also delete all the other routes leading to the ISDN line. A routing entry for the network usually is attached directly to the ISDN line, as well. This must be removed, too.



The Concise Guide to DNS and BIND
ISBN: 0789722739
Year: 1999
Pages: 183
