Blackhole for incoming queries only

Erik Freitag erik.freitag at pobox.com
Wed Nov 21 00:09:03 UTC 2007


Blackhole at the router/firewall?

On Nov 20, 2007, at 6:57 AM, Chris Thompson wrote:

> Over the last couple of years we've been locking down our recursive
> nameservers with increasing severity. By now, allow-query and
> allow-recursion block everything outside the university networks,
> so such hosts always get a REFUSED response. That doesn't stop
> there being quite a few of them that go on generating substantial
> numbers of requests (shown up by query logging).
>
> I had wondered whether it would make sense to move from refusing
> to ignoring, by specifying
>
>   options { ...
>     blackhole { ...; !ournets; any; };  // hard to get negated ACLs right!
>     ...
>     };
>
> But this turns out to be a supremely bad idea, because "blackhole" not
> only stops BIND accepting queries _from_ those addresses - it also stops
> it sending queries _to_ them. And of course most nameservers in the
> world are not in "ournets" ...
>
> Any ideas on how to achieve the desired effect?
>
> -- 
> Chris Thompson
> Email: cet1 at cam.ac.uk
>
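Erik's "blackhole at the router/firewall" suggestion, written out as an nftables ruleset on the resolver host itself; this is an added example, not from either poster. The table and set names and the address prefixes in the sets are placeholders. Unlike BIND's blackhole, it drops only unsolicited inbound queries: replies to the resolver's own outbound queries come back on an existing conntrack entry and are accepted first, and the allow rules are written positively so no negated ACL is needed.

```nft
# Added example (not part of the bind-users thread). Prefixes are constructed
# placeholders; replace them with the real "ournets" ranges.
table inet dns_filter {
    set ournets4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }   # placeholder prefixes
    }
    set ournets6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }                    # placeholder prefix
    }
    chain input {
        type filter hook input priority 0; policy accept;

        # Answers to queries this resolver sent out (to nameservers anywhere
        # in the world) belong to a conntrack entry created by the outbound
        # packet, so they are accepted here before any port-53 drop applies.
        ct state established,related accept

        # New queries from our own networks reach BIND, whose allow-query /
        # allow-recursion still apply on top of this.
        udp dport 53 ip  saddr @ournets4 accept
        tcp dport 53 ip  saddr @ournets4 accept
        udp dport 53 ip6 saddr @ournets6 accept
        tcp dport 53 ip6 saddr @ournets6 accept

        # Everything else arriving at port 53 is dropped silently: no REFUSED
        # response, and no effect on the resolver's outbound lookups.
        udp dport 53 drop
        tcp dport 53 drop
    }
}
```

Load with `nft -f` and confirm with `nft list table inet dns_filter`; a query from a non-ournets address should then time out rather than return REFUSED, while recursion for local clients keeps working.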