Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.



Deny specific Hostnames via DDNS

Posts: 6
2165     1

We use DDNS in Infoblox for all DHCP-Clients.

In the past we had the situation that a specific client was registered with fqdn "domain.domain" because of a misconfiguration on that client (hostname = domain).

Is there any possibility to completely deny such a hostname or rewrite it ?

I checked the hostname rewrite policy, but here i can only define valid and invalid characters, not invalid strings/hostnames.

We're using Version 8.5.2.

Re: Deny specific Hostnames via DDNS

[ Edited ]
Posts: 81
2166     1

Hello Ttreusch,


While we could allow/deny specific keywords for a resource record using custom Host-name policy feature in NIOS, this applies only to Static RRs & the kind of insertion you're referring to is Dynamic. From NIOS documentation - section Host-Name policy :  


"Apply policy to dynamic updates and inbound zone transfers (requires Strict Hostname Checking setting) "


The regular expression for Strict HostName policy cannot be altered in NIOS & hence, the use-case cannot be accommodated within its ruleset. 


Indirect solution that you may consider:


If you're trying to restrict usage of specific words for a new A/Host RR's Label within a particular zone, you may consider creating a mock-up CNAME RR with this Label. For example, the word is "domain" & the zone is "", just create a new CNAME record under "" pointing to some unresolvable canonical name.


Now if someone try to resolve "" it resolves to NXDOMAIN as it would do before - so i guess no harm here & future addition attempts for A record fails since bind doesn't let you create a non-Canonical record alongside a CNAME.


I agree this can't be relied upon as a solution, but it'll do the trick. If there are many such names, you may consider a CSV import for CNAMEs with a dummy target which resolves to NXDOMAIN.


Best regards,


Re: Deny specific Hostnames via DDNS

[ Edited ]
New Member
Posts: 1
2166     1

The DHCP server can send dynamic updates to an external primary server that you specify. For each IP space, you can specify the zone to be updated and the IP address of the primary server for that zone. surveyzop

Showing results for 
Search instead for 
Did you mean: 

Recommended for You