Blackholing / Load help

McLaughlin, Scott scottm at newedgenetworks.com
Wed Nov 30 01:06:44 UTC 2005


Yes, this is exactly what I meant; you explained it much better than I did.
HA
We have only tested this in BIND 9.3.0

We were attempting to blackhole some huge spaces as an experiment, but found
that this block isn't just for incoming traffic querying the server.  If a
root server falls in that range the BIND server is unable to talk to that
root server anymore as well.


-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf
Of Dan Foster
Sent: Tuesday, November 29, 2005 4:32 PM
To: comp-protocols-dns-bind at isc.org
Subject: Re: Blackholing / Load help

In article <dmirft$1c7b$1 at sf1.isc.org>, Mark Andrews <Mark_Andrews at isc.org>
wrote:
>   
>> Also separately, did anyone know that you cannot put a CIDR less than
>> /9 in the blackhole list?  If you do, BIND immediately throws SERVFAIL
>> on any query you try to make from any IP.
>
> 	I can't parse the above.  An example would help.

I think he's saying that if you specify, e.g.:

acl abusers {
	6/8;		// BIND shorthand for 6.0.0.0/8
};

options {
	blackhole { abusers; };
};

(Where you want to block any queries from IPv4 netblock 6.0.0.0/8)

...is resulting in such a behavior where *any* host querying the
nameserver, from *any* IP, is getting stopped by a SERVFAIL response.

But only if the ACL is for /8, /7, /6, ... /1.

That'd be an interesting issue if it holds true. I haven't personally seen
this one, but then again, I don't believe I currently blackhole on anything
larger than a /24 or so.

Mr. McLaughlin (the original poster), is this an accurate summary?

Also, Mr. McLaughlin, what BIND version do you see this behavior, please?
 
-Dan 
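
One way to catch the problem McLaughlin describes before loading the config: check a proposed blackhole list against the root hints, since BIND's blackhole option stops the server both from answering the listed addresses and from talking to them. The script below is an added example, not code from the thread or from ISC. It pads BIND's abbreviated prefix form (6/8 means 6.0.0.0/8), expands the acl reference the blackhole option points at, and reports every root server address that falls inside a blackholed range; it also lists prefixes shorter than /9, which the thread reports as triggering SERVFAIL on 9.3.0. The named.conf fragment and the hints excerpt are constructed for the example; the hints addresses are placeholders, not the real root server addresses, and the config parser only understands the flat acl and blackhole blocks shown here.

```python
import ipaddress
import re

# Constructed named.conf fragment mirroring the configuration discussed in the
# thread; the second prefix is made up so that a non-matching entry is present.
NAMED_CONF = """
acl abusers {
    6/8;
    192.0.2.0/24;
};

options {
    blackhole { abusers; };
};
"""

# Constructed root-hints excerpt in named.root format. The addresses are sample
# values (one deliberately inside 6.0.0.0/8), not the real root servers; feed in
# the named.root your server actually loads (assumption: same file format).
ROOT_HINTS = """
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    B.ROOT-SERVERS.NET.
.                        3600000      NS    C.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.51.100.4
B.ROOT-SERVERS.NET.      3600000      A     6.0.0.53
C.ROOT-SERVERS.NET.      3600000      A     203.0.113.12
"""

# Matches "acl NAME { ... };" and "blackhole { ... };" blocks (flat blocks only).
BLOCK_RE = re.compile(r"\b(acl\s+(\S+)|blackhole)\s*\{([^}]*)\}\s*;", re.S)
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}


def bind_prefix_to_network(token):
    """Convert one BIND address-match entry into an ip_network.

    BIND accepts abbreviated IPv4 prefixes such as '6/8' (meaning 6.0.0.0/8);
    missing octets are padded with zeros. An address with no length is a
    single host. Negated ('!') entries are out of scope for this example."""
    if token.startswith("!"):
        raise ValueError("negated entries are not handled here: " + token)
    addr, _, length = token.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        if len(octets) < 4:
            if not length:
                raise ValueError("abbreviated address needs an explicit length: " + token)
            octets += ["0"] * (4 - len(octets))
        addr = ".".join(octets)
    return ipaddress.ip_network(addr + ("/" + length if length else ""), strict=False)


def parse_named_conf(text):
    """Return (acls, blackhole_entries): acl name -> raw entries, plus the raw
    entries of the blackhole option."""
    acls, blackhole = {}, []
    for m in BLOCK_RE.finditer(text):
        entries = [e.strip() for e in m.group(3).split(";") if e.strip()]
        if m.group(2):
            acls[m.group(2)] = entries
        else:
            blackhole = entries
    return acls, blackhole


def expand(entries, acls, seen=frozenset()):
    """Resolve acl name references recursively into a flat list of networks."""
    nets = []
    for e in entries:
        if e in acls:
            if e in seen:
                raise ValueError("acl reference loop: " + e)
            nets.extend(expand(acls[e], acls, seen | {e}))
        elif e in BUILTIN_ACLS:
            raise ValueError("built-in acl not handled here: " + e)
        else:
            nets.append(bind_prefix_to_network(e))
    return nets


def parse_root_hints(text):
    """Yield (name, address) for every A/AAAA line of a named.root-style file."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] in ("A", "AAAA"):
            servers.append((parts[0], ipaddress.ip_address(parts[3])))
    return servers


def blackholed_root_servers(conf_text, hints_text):
    """Return (server, address, blackhole_prefix) for each root server the
    blackhole list would cut the resolver off from."""
    acls, blackhole = parse_named_conf(conf_text)
    nets = expand(blackhole, acls)
    hits = []
    for name, ip in parse_root_hints(hints_text):
        for net in nets:
            if ip.version == net.version and ip in net:
                hits.append((name, str(ip), str(net)))
    return hits


def oversized_prefixes(conf_text, shortest_ok=9):
    """Return blackhole prefixes shorter than /9, the range the thread reports
    as provoking SERVFAIL for every query on BIND 9.3.0 (thread report, not a
    documented BIND limit)."""
    acls, blackhole = parse_named_conf(conf_text)
    return [str(n) for n in expand(blackhole, acls) if n.prefixlen < shortest_ok]


if __name__ == "__main__":
    for name, ip, net in blackholed_root_servers(NAMED_CONF, ROOT_HINTS):
        print(f"{name} ({ip}) would be unreachable: covered by blackhole entry {net}")
    for net in oversized_prefixes(NAMED_CONF):
        print(f"{net} is shorter than /9; the thread reports SERVFAIL on 9.3.0 for this")
```

Run it against the real named.conf and named.root by reading those files into the two strings; anything it prints is a range that should be narrowed, or moved into allow-query if the goal is only to refuse incoming queries rather than to stop the resolver from reaching those addresses.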