Blackhole option statement in BIND

Chris Buxton cbuxton at menandmice.com
Fri Nov 30 03:58:49 UTC 2007


That would violate RFC. A name server that does not receive any  
response at all from a remote server should consider that remote  
server to be offline. This would affect the running RTT value for that  
remote server.

The blackhole statement should be used for subnets that you just plain  
never want to talk to at all.

Never consider any behavior of tinydns to be necessarily correct  
according to RFC. It simply works most of the time, and for what it  
does, it (apparently) works well. (I've never actually used it - the  
setup procedure offends my sensibilities.) But by my observation,  
Prof. Bernstein has had an adversarial relationship with the standards  
and their maintainers.

Chris Buxton
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone:   +354 412 1500
Email:   cbuxton at menandmice.com
www.menandmice.com




On Nov 29, 2007, at 6:31 PM, Samuel Hills wrote:

> I like the blackhole option, but, it only seems to work for the global
> options in the bind.conf file.
> Is there any way it can be used for individual zones in future releases of
> BIND?
> It would be a lot more useful for me that way, I could for example, blackhole
> the root zone to prevent floods of invalid queries. This is the behaviour in
> tinydns, I believe.
> The closest I've got to this is using the allow-query statement and setting
> it to "none" to make all invalid queries that my nameservers are not
> authoritative for to return REFUSED. I want invalid queries to be dropped
> completely, rather than REFUSED being sent. Having the blackhole option
> available for individual zones (rather than just global) would make this
> possible. I am sure there would be other good reasons to add this feature
> too, for example, if you want to block certain zones from resolving for
> certain people, but not all zones.
> Samuel Hills
>
>
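
The two settings discussed in this thread, side by side, as an added named.conf sketch that is not from either poster. The ACL name, the address range, the zone name and the zone file name are placeholders chosen for illustration.

```conf
// Added illustration; all names and addresses below are placeholders.
acl "never-talk-to" {
    192.0.2.0/24;   // documentation range standing in for a subnet to ignore
};

options {
    // Global options only. Queries from these sources receive no reply
    // at all, and named will not send queries to them either.
    blackhole { "never-talk-to"; };

    // Server-wide default: any query not covered by a zone-level
    // override below is answered with REFUSED, not silently dropped.
    allow-query { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Zone-level override so the zones this server is authoritative
    // for stay reachable. There is no zone-level blackhole statement.
    allow-query { any; };
};
```

With this layout, a query for a name outside example.com from an ordinary client gets REFUSED, while any query from 192.0.2.0/24 gets no response.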



More information about the bind-users mailing list