Old 07-29-2010, 11:41 AM   #1
LQ Newbie
Registered: Sep 2008
Posts: 11

Rep: Reputation: 0
Blocking users who are not defined in DNS record

Aloha friends!!

In our organization we use a static IP addressing scheme (some departments have DHCP, which is not related to this thread). We use Squid as proxy.

We assign each machine its IP address and make an entry in our TinyDNS database, and provide those details to users, which they manually enter in their config and then access the network. We assign different ranges of IPs to different departments. This we consider as the "proper way" for our organization.

But we have found that a lot of users are simply guessing some IPs and using them without having any entry in our DNS record. Though this works for some, most of the time we end up having IP conflicts and disorganization in our organizational allocation policy.

So, my question is: how do I block the specific IPs whose entry is not explicitly defined in our DNS record? In other words, if the IP is defined in our DNS, we should allow access, whereas if the IP does not translate to any user (as it is not defined in our DNS) we should not allow it access to our network.

I hope my friends here will be able to guide me. Thanks in advance.
Old 07-29-2010, 12:46 PM   #2
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
What you really need to be doing is monitoring this on your subnets. If not at the managed switch level, look into the arpwatch program. It is extremely handy for this purpose.

By default, OpenSSH enables a feature (the sshd_config directive is UseDNS) that will warn you when a forward and reverse DNS lookup does not match for a client. If you've not created a DNS rec for a particular IP, this should fire off a warning to your logs, and you can deal with it at that time.

Additionally, tcp wrappers (controlled using /etc/hosts.allow) provide a PARANOID wildcard that can allow you to act on sshd clients whose DNS/rDNS recs don't match up.

Still, if someone grabs an IP address that is registered with your DNS, this doesn't help you. Again, the answer is to start monitoring your subnets and more forcefully addressing the root cause of the problem.
Old 07-29-2010, 12:54 PM   #3
LQ Guru
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 8,778

Rep: Reputation: 903
I don't know if you will, if they are on the one network. If anyone is half determined, he can surely get around what you can do. DNS resolves to dotted decimal, that's why blocking dotted decimal is a tricky approach. You could lose them for a while going to ipv6 in octal :-D. Can you split the thing up into departments, subnets, or levels and control access that way?
Old 08-03-2010, 04:40 AM   #4
Registered: Jul 2010
Location: usa
Distribution: ubuntu
Posts: 39

Rep: Reputation: 16
Old 08-05-2010, 06:55 PM   #5
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3548
Originally Posted by wertum
Please do not make single word or line posts without explaining yourself in this forum, especially since the OP already indicated using Squid.
Old 01-30-2011, 10:50 AM   #6
LQ Newbie
Registered: Sep 2008
Posts: 11

Original Poster
Rep: Reputation: 0
This is what I'm gonna do.

Block all local IPs in Squid and selectively allow only the registered IPs. Already compiled a database (phew).

** We have UPSes, biometric access devices, IP cams, instruments, fire alarms(?) etc. which may not be registered in our DNS. So we need to be careful before blocking them.
Old 02-03-2011, 08:42 AM   #7
LQ Newbie
Registered: Feb 2011
Distribution: Red hat, Solaris, AIX, HP-UX, FreeBSD
Posts: 15

Rep: Reputation: 2
I think you should try this ACL type:

acl aclname srcdom_regex [-i] \.foo\.com ...
# regex matching client name [slow]

acl good_ones srcdom_regex \.yourdomain\.com
http_access deny !good_ones

Hope it works for you.

PS: if users changing their IP is a problem for your company, why don't you look at the "ARP inspection" feature on your switches?

Last edited by damade; 02-03-2011 at 09:12 AM. Reason: add a pd:
1 members found this post helpful.
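The two Squid approaches in this thread (post #6: allow only registered source IPs; post #7: srcdom_regex on the client's reverse name) both depend on what is actually in the TinyDNS database. The script below is an added example, not code from the thread or from Squid or TinyDNS: it parses a constructed tinydns-data file (standard `=`, `+` and `^` record lines), emits `acl ... src` lines for every registered IP, and lists hosts that have an A record but no PTR, which a srcdom_regex ACL can never match because Squid has no client name to test.

```python
"""Derive Squid source ACLs from a tinydns-data file (added example).

tinydns-data record types handled (standard tinydns-data format):
  =fqdn:ip:ttl        A record plus matching PTR
  +fqdn:ip:ttl        A record only (no PTR)
  ^ptrname:fqdn:ttl   PTR only; ptrname is the in-addr.arpa name
'#' starts a comment, '-' marks a disabled record; other types are skipped.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed sample data, not the poster's real database.
SAMPLE_DATA = """\
# department: accounts (10.10.1.0/24)
=ws-acc-01.corp.example:10.10.1.11:86400
=ws-acc-02.corp.example:10.10.1.12:86400
+printer-acc.corp.example:10.10.1.50:86400
# department: lab (10.10.2.0/24)
=ws-lab-01.corp.example:10.10.2.21:86400
^33.2.10.10.in-addr.arpa:ws-lab-legacy.corp.example:86400
-ws-lab-old.corp.example:10.10.2.99:86400
Zcorp.example:ns1.corp.example:hostmaster.corp.example
"""

def ptr_name_to_ip(ptr: str) -> str:
    """Turn 'd.c.b.a.in-addr.arpa' back into 'a.b.c.d'."""
    labels = ptr.lower().removesuffix(".in-addr.arpa").split(".")
    return ".".join(reversed(labels))

def parse_tinydns(data: str) -> Dict[str, Set[str]]:
    """Return {'forward': IPs with an A record, 'reverse': IPs with a PTR}."""
    forward: Set[str] = set()
    reverse: Set[str] = set()
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line[0] in "#-":          # comment or disabled record
            continue
        kind, fields = line[0], line[1:].split(":")
        if kind in "=+" and len(fields) >= 2:
            ip = str(ipaddress.ip_address(fields[1]))   # rejects malformed literals
            forward.add(ip)
            if kind == "=":
                reverse.add(ip)
        elif kind == "^" and fields and fields[0].endswith(".in-addr.arpa"):
            reverse.add(str(ipaddress.ip_address(ptr_name_to_ip(fields[0]))))
    return {"forward": forward, "reverse": reverse}

def squid_acl(records: Dict[str, Set[str]], acl_name: str = "registered") -> List[str]:
    """Squid lines allowing only registered source IPs; place the deny before other http_access rules."""
    ips = sorted(records["forward"] | records["reverse"], key=ipaddress.ip_address)
    return [f"acl {acl_name} src {ip}" for ip in ips] + [f"http_access deny !{acl_name}"]

def without_ptr(records: Dict[str, Set[str]]) -> List[str]:
    """IPs with an A record but no PTR: srcdom_regex never matches these clients."""
    return sorted(records["forward"] - records["reverse"], key=ipaddress.ip_address)
```

Run `without_ptr()` against the real database before switching from `src` to `srcdom_regex`; the printers, UPSes and cameras mentioned in post #6 are exactly the hosts that tend to be missing a PTR.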