BIND sending queries to 127.0.0.2?

Mark Andrews Mark_Andrews at isc.org
Wed Mar 7 20:44:48 UTC 2007


> On Thu, Mar 01, 2007 at 09:52:52AM -0800, Wiley Sanders wrote:
> > Thanks for the reply. Of course, nothing prevents anyone from handing
> > out 127.0.0.2 in an NS record. (Except for good manners.) I should
> > have thought of that. Right now,  I get a timeout when I dig for
> > relays.ordb.com, which is what should happen. Perhaps they stopped
> > giving out 127.0.0.2 as their IP only a few days ago, and it's still
> > cached.
> > 
> > I need to reread the RFC and figure out whether I need to convince the
> > people running my routers that 127.0.0.2 is not a routable IP address.
> > Solaris, and probably a lot of other OS, will route everything on
> > 127./8 except 127.0.0.1 via the default route. For now, I can
> > blackhole all of 127 easily enough on each host. In fact for a host
> > standing all alone on the net, that's probably a good thing to add to
> > the list of post configuration things to do.
> 
> On my recursive Nameservers I block (reject) all outgoing traffic to
> non-assigned and RFC1918 (i.e. "bogus") spaces. That way the process
> does not have to wait for a timeout to occur, it will get an immediate
> 'you are not allowed to go there' answer from the OS. In my case Linux
> netfilter gives an EPERM for the syscall, not sure what Solaris would do
> though.

	Solaris will silently accept the packets.  This is a known
	issue and Sun are aware of it.  This also impacts on IPv6
	when there is no external IPv6 connectivity.  Solaris's
	sendto() and sendmsg() don't return an error code when there
	is no route to the destination.

	EPERM is really not the right error code.

> Nowadays most router vendors impose a rate limit on the amount of ICMP
> messages they spit out as generating those is generally considered a CPU
> intensive task that may eventually clog the management processor, so
> blocking this traffic just where it is generated is both most effective
> and fastest, I think.
> 
> The downside of this method is that you need to check for updates on those
> bogon-lists [1] regularly in order not to keep some little countries new
> to the internet out of the loop or even piss off big broadband ISPs that
> get assigned space from these ranges. There have been huge discussion
> threads on this issue on various networker lists so you can google for
> it if you need different angles of view on this.
> 
> The Cymru bogon list is also part of their 'Secure BIND Template' [2]
> where they put those ranges into the blackhole statement, one more place
> where you can throw away this crap and spare some cpu cycles.
> 
> 
> 	Stefan
> 
> [1] http://www.cymru.com/Bogons/index.html
> [2] http://www.cymru.com/Documents/secure-bind-template.html
> -- 
> Stewart's Law: Its easier to beg for forgiveness than to get permission.
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
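The thread discusses two layers of the same mitigation: refusing in named itself to chase NS/A records that point into loopback or other non-routable space (the `blackhole` statement Stefan mentions from the Cymru template), and rejecting the packets in the host firewall so the resolver gets an immediate error instead of a timeout. The fragment below is an added example of the named side, written for this archive page; it is not code from the thread, from ISC, or from Team Cymru's template. The ACL name `bogons` and the comment text are my own; the address ranges are the stable ones from RFC 1122, RFC 1918, RFC 3927 and the TEST-NET allocation, not a full current bogon list.

```conf
// Added example: named.conf fragment for a recursive resolver.
// An address_match_list entry prefixed with "!" is a negation, so
// 127.0.0.1/32 is excluded before the rest of 127.0.0.0/8 is listed;
// otherwise "blackhole" would also drop queries from localhost
// (e.g. "dig @127.0.0.1"), since it filters inbound queries as well.
acl "bogons" {
    !127.0.0.1/32;    // keep the resolver reachable from the host itself
    0.0.0.0/8;        // "this" network, RFC 1122
    10.0.0.0/8;       // RFC 1918 private space
    127.0.0.0/8;      // loopback, RFC 1122 (covers the 127.0.0.2 from the thread)
    169.254.0.0/16;   // IPv4 link-local, RFC 3927
    172.16.0.0/12;    // RFC 1918 private space
    192.0.2.0/24;     // TEST-NET, documentation only
    192.168.0.0/16;   // RFC 1918 private space
};

options {
    // blackhole: named will neither answer queries from these addresses
    // nor send queries to them. An NS record whose glue points at
    // 127.0.0.2 is therefore skipped outright instead of being tried
    // and waited on until the query times out.
    blackhole { bogons; };
};
```

Because `blackhole` applies to the source address of inbound queries as well, a resolver that serves clients from RFC 1918 space must not list those ranges here; keep them only in the outbound filter. The host-level reject the thread describes is a separate control, for example a netfilter rule such as `iptables -A OUTPUT ! -o lo -d 127.0.0.0/8 -j REJECT` on Linux, which makes the `sendto()` fail immediately (with EPERM, as Stefan observed); as Mark notes, Solaris silently accepts such packets, so on Solaris the named-side `blackhole` is the layer that actually prevents the wait.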



More information about the bind-users mailing list