Blackholing / Load help

McLaughlin, Scott scottm at
Wed Nov 30 01:06:44 UTC 2005

Yes, this is exactly what I meant, you explained it much better than I did.
We have only tested this in BIND 9.3.0.

We were attempting to blackhole some huge spaces as an experiment, but found
that this block isn't just for incoming traffic querying the server.  If a
root server falls in that range the BIND server is unable to talk to that
root server anymore as well.

-----Original Message-----
From: bind-users-bounce at [mailto:bind-users-bounce at] On Behalf
Of Dan Foster
Sent: Tuesday, November 29, 2005 4:32 PM
To: comp-protocols-dns-bind at
Subject: Re: Blackholing / Load help

In article <dmirft$1c7b$1 at>, Mark Andrews <Mark_Andrews at>
>> Also separately did anyone know that you can not put a CIDR less than
>> /9 in the blackhole list?  If you do bind immediately throws SERVFAIL
>> on any query you try to make from any IP.
> 	I can't parse the above.  An example would help.

I think he's saying that if you specify, e.g.:

acl abusers {
	/* netblock elided in the archived message */
};

options {
	blackhole { abusers; };
};
(Where you want to block any queries from IPv4 netblock resulting in such a behavior where *any* host querying the
nameserver, from *any* IP, is getting stopped by a SERVFAIL response.

But only if the ACL is for /8, /7, /6, ... /1.

That'd be an interesting issue if it holds true. I haven't personally seen
this one, but then again, I don't believe I currently blackhole on anything
larger than a /24 or so.

Mr. McLaughlin (the original poster), is this an accurate summary?

Also, Mr. McLaughlin, what BIND version do you see this behavior, please?
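As an added example that is not part of the thread, here is a small Python check an operator could run over a proposed blackhole ACL before loading it into named.conf. It flags the two problems raised above: IPv4 prefixes shorter than /9 (the poster's reported global SERVFAIL) and ranges that would also cut off the server's own path to a root server or forwarder, since blackhole applies to outbound traffic too. The function names, the parser and the "must reach" address list are my own assumptions; the root-server addresses are sample values as they appear in a typical named.root hints file and should be replaced with your own hints and forwarders.

```python
"""Sanity-check a BIND 'blackhole' ACL before deploying it (added example)."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Prefix length below which the thread reports BIND 9.3.0 answering
# SERVFAIL to every client.
MIN_SAFE_PREFIXLEN = 9

# Addresses the resolver must still be able to send to. Constructed sample:
# a few root-server addresses as listed in a typical named.root hints file
# plus a hypothetical forwarder; load your own hints/forwarders in practice.
MUST_REACH = {
    "a.root-servers.net": "198.41.0.4",
    "f.root-servers.net": "192.5.5.241",
    "k.root-servers.net": "193.0.14.129",
    "forwarder (hypothetical)": "10.20.30.40",
}


def parse_acl(text: str) -> List[str]:
    """Pull the element list out of one 'acl NAME { ... };' block.

    Minimal parser for this check only: it does not handle nested ACL
    names, negation ('!') or comments inside the block.
    """
    m = re.search(r"acl\s+\S+\s*\{(.*?)\}\s*;", text, re.S)
    if not m:
        raise ValueError("no acl block found")
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def check_blackhole(entries: Iterable[str], must_reach=MUST_REACH) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a proposed blackhole ACL."""
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(("info", f"{entry}: not a literal prefix, skipped"))
            continue
        if net.version == 4 and net.prefixlen < MIN_SAFE_PREFIXLEN:
            findings.append(("error", f"{net}: prefix shorter than /{MIN_SAFE_PREFIXLEN}; "
                             "reported to make BIND 9.3.0 SERVFAIL every query"))
        for name, addr in must_reach.items():
            if ipaddress.ip_address(addr) in net:
                findings.append(("error", f"{net}: contains {name} ({addr}); blackhole "
                                 "also drops outbound traffic, so recursion via it breaks"))
    return findings
```

Run it with `check_blackhole(parse_acl(open("named.conf").read()))` and refuse to deploy on any "error" finding.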
