blocking resolving for 10.X.X.X addresses

Mark_Andrews at Mark_Andrews at
Fri Oct 25 22:24:08 UTC 2002

> >>>>> "Steve" == Steve Foster <fosters at> writes:
>     Steve> we have found customers trying to resolv 10.X.X.X addresses
>     Steve> ( or any other private addresses), i want to block these so
>     Steve> they just get a "refused" or hostname etc.. not found...
> Configure your name server to be authoritative for the reverse zones
> for these private address ranges. And leave the zones empty, ideally
> with a very large TTL for negative caching.

	Also apply source address filters if you don't all ready
	have them on the customer facing routers.  If they are
	leaking queries for RFC 1918 reverse lookups what else are
	they leaking.  Preferably those filters should only allow
	out traffic from the address ranges they are assigned though
	if they are multi-homed there may be other addresses.

	This not only stops leaked traffic.  It also stops forged

Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at

More information about the bind-users mailing list