Re: How Do I block DNS Update Attempts
Brad Olin wrote:
> On Sat, 15 May 2004 19:07:06 -0400, Jeff Breitner <usenet@rudn.com>
> wrote:
> Ummm... Except that it is valid for those same Verizon users to look up
> a domain that his DNS server is authoritative for. So you can't just
> blindly drop them by address range and port. Well, unless the OP has a
> caching-only DNS server.
If they are dial-up, then it's a safe bet that the RADIUS auth session
gave them Verizon DNS servers to use. They wouldn't be looking anything
up at his nameservers; Verizon's nameservers would be doing that and
passing the look-up along to their clients. I'd be really surprised if
Verizon has those nameservers even remotely close in IP space to the
RADIUS-assigned nameserver. Therefore, and as I indicated in my
previous post, he could IPTABLE them, with the only bad effects limited
to the Verizon users within the IP space he blocked. And even then, it
would be those that are running their own nameservers (assuming Verizon
didn't have the RADIUS-assigned nameservers within the blocked space --
so he wouldn't want to block an entire /16). And really, the only
people capable of trying to send bad update information would be those
running their own nameservers.
Unfortunately, the offending single user's assigned address would probably
shift around, so IPTABLE would be an action of last resort.
--
WWJD? JWRTFM
Rot13 for email address: yvfgf @ ehqa.pbz
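The thread's tension is that a blanket iptables drop on an address range also kills legitimate queries from that range, while the thing actually being abused is the DNS UPDATE opcode. The following is an added example, not code from either poster: it reads the 4-bit OPCODE from a DNS message header (RFC 1035 section 4.1.1) so that only UPDATE messages (opcode 5, RFC 2136) from a blocked range are dropped and ordinary queries still get answered, and it refuses to accept a block range broader than a /24 as a guard against the "don't block the whole /16" mistake. The /24 limit, the TEST-NET addresses and the sample headers are all constructed for the example; the `iptables_rule` helper just renders the blunt address-based rule the post describes.

```python
"""
Classify inbound DNS messages by opcode so a block list bites only on
dynamic UPDATE attempts.  Added example; not from the original thread.
"""
import ipaddress
import struct

OPCODE_QUERY = 0
OPCODE_UPDATE = 5      # RFC 2136 dynamic update
MIN_PREFIXLEN = 24     # hypothetical policy: never block broader than a /24


def dns_opcode(msg: bytes) -> int:
    """Return the 4-bit OPCODE from a DNS message header (RFC 1035 4.1.1).

    Header layout: ID(16) | QR(1) OPCODE(4) AA TC RD RA Z(3) RCODE(4) | counts.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    return (flags >> 11) & 0xF


def build_dns_header(msg_id: int, opcode: int) -> bytes:
    """Constructed sample header (QDCOUNT=1, no sections) for testing."""
    flags = (opcode & 0xF) << 11
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)


def parse_block_ranges(cidrs):
    """Parse CIDR strings, rejecting any prefix broader than MIN_PREFIXLEN."""
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen < MIN_PREFIXLEN:
            raise ValueError(f"{cidr} is broader than /{MIN_PREFIXLEN}; refusing")
        nets.append(net)
    return nets


def verdict(src_ip: str, msg: bytes, blocked) -> str:
    """'drop' only for UPDATE messages from a blocked range; queries pass."""
    ip = ipaddress.ip_address(src_ip)
    if dns_opcode(msg) != OPCODE_UPDATE:
        return "accept"          # lookups from the same ISP stay answerable
    if any(ip in net for net in blocked):
        return "drop"
    return "accept"


def iptables_rule(cidr: str) -> str:
    """The blunt address-based rule the post describes (drops all DNS/UDP
    from the range); still guarded by the prefix-width check."""
    net = parse_block_ranges([cidr])[0]
    return f"iptables -I INPUT -p udp --dport 53 -s {net.with_prefixlen} -j DROP"


if __name__ == "__main__":
    # Constructed sample: TEST-NET-1 stands in for the offending ISP range.
    blocked = parse_block_ranges(["192.0.2.0/24"])
    query = build_dns_header(0x1234, OPCODE_QUERY)
    update = build_dns_header(0x1235, OPCODE_UPDATE)
    print("query  from 192.0.2.7   ->", verdict("192.0.2.7", query, blocked))
    print("update from 192.0.2.7   ->", verdict("192.0.2.7", update, blocked))
    print("update from 198.51.100.9 ->", verdict("198.51.100.9", update, blocked))
    print(iptables_rule("192.0.2.0/24"))
    try:
        parse_block_ranges(["192.0.0.0/16"])
    except ValueError as exc:
        print("rejected:", exc)
```

Filtering on opcode at the firewall would need a byte-match extension rather than plain `-s`/`--dport` matching; the usual place to enforce this is the nameserver's own update policy, with the address-based iptables rule kept, as the post says, for last resort.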