BIND sending quesries to 127.0.0.2?
s.schmidt--bind at mcbone.net
Wed Mar 7 14:07:16 UTC 2007
On Thu, Mar 01, 2007 at 09:52:52AM -0800, Wiley Sanders wrote:
> Thanks for the reply. Of course, nothing prevents anyone from handing
> out 127.0.0.2 in an NS record. (Except for good manners.) I should
> have thought of that. Right now, I get a timeout when I dig for
> relays.ordb.com, which is what should happen. Perhaps they stopped
> giving out 127.0.0.2 as their IP only a few days ago, and it's still
> I need to reread the RFC and figure out whether I need to convince the
> people running my routers that 127.0.0.2 is not a routable IP address.
> Solaris, and probably a lot of other OS, will route everything on
> 127./8 except 127.0.0.1 via the default route. For now, I can
> blackhole all of 127 easily enough on each host. In fact for a host
> standing al alone on the net, that's probably a good thing to add to
> the list of post configuration things to do.
On my recursive Nameservers i block (reject) all outgoing traffic to
non-assigned and RFC1918 (i.e. "bogus") spaces. That way the process
does not have to wait for a timeout to occur, it will get an immediate
'you are not allowed to go there' answer from the OS. In my case linux
netfilter gives an EPERM for the syscall, not sure what Solaris would do
Nowadays most router vendors impose a rate limit on the amount of ICMP
messages they spit out as generating those is generally considered a cpu
intensive task that may eventually clog the management processor so i
blocking this traffic just where it is generated is both most effective
and fastest i think.
The downside of this method is that you need to check for updates on those
bogon-lists  regularly in order not to keep some little countries new
to the internet out of the loop or even piss off big broadband ISPs that
get assigned space from these ranges. There have been huge discussion
threads on this issue on various networker lists so you can google for
it if you need different angles of view on this.
The Cymru bogon list is also part of their 'Secure BIND Template' 
where they put those ranges into the blackhole statement, one more place
where you can throw away this crap and spare some cpu cycles.
Stewart's Law: Its easier to beg for forgiveness than to get permission.
More information about the bind-users