blackhole'd IP receiving referral?

Chris Buxton cbuxton at menandmice.com
Fri Dec 18 22:33:22 UTC 2009


On Dec 18, 2009, at 12:33 PM, Len Conrad wrote:
> bind 9.6.1-P1
> 
> named-checkconf /etc/namedb/named.conf
> ... ok
> 
> (in global options)
> 
> options {
> allow-recursion {  mynets; }        ;
> blackhole       { !mynets; }        ;
> };

I could be wrong, but wouldn't that be:

blackhole	{ ! mynets; any; };

? To my understanding, without the "any" item, the ACL doesn't match anything at all - no IP is blackholed.

Of course, if you blackhole anything not local, your server will not be able to recurse out to the Internet - blackhole applies to the sending of queries in addition to the receiving of queries. I believe you will need to settle for "allow-query" instead of "blackhole". Something like this:

options {
	allow-query { mynets; };
};

Again, I could be wrong, but I don't think allow-recursion is needed in this case.

Chris Buxton
Professional Services
Men & Mice
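The ACL point above is easy to get wrong because BIND's address match lists are evaluated first-match with no implicit "any" at the end: the first element whose address set contains the client decides the result, a matching negated element makes the list not match, and if nothing matches at all the list does not match. The following is an added example, not code from the original thread or from BIND itself: a small Python model of that evaluation, used to compare the list as posted with Chris's corrected form. The prefixes assigned to "mynets" are constructed sample values, since the post does not show the real ones.

```python
import ipaddress

# Named ACLs, as "acl mynets { ... };" would define them in named.conf.
# These prefixes are constructed for the example; the post does not show them.
NAMED_ACLS = {
    "mynets": ["192.168.0.0/16", "10.0.0.0/8"],
}


def parse_element(token):
    """Turn one address-match-list element into (negated, matcher).

    matcher is "any", "none", a nested parsed list (for a named ACL), or an
    ip_network object.
    """
    token = token.strip()
    negated = token.startswith("!")
    body = token[1:].strip() if negated else token
    if body in ("any", "none"):
        return negated, body
    if body in NAMED_ACLS:
        return negated, parse_acl(NAMED_ACLS[body])
    return negated, ipaddress.ip_network(body, strict=False)


def parse_acl(tokens):
    """Parse the elements of one address match list, in order."""
    return [parse_element(t) for t in tokens]


def element_matches(matcher, addr):
    """Does this element's address set contain addr (ignoring negation)?"""
    if matcher == "any":
        return True
    if matcher == "none":
        return False
    if isinstance(matcher, list):
        # A nested list counts as matching only if it matches positively.
        return acl_matches(matcher, addr)
    return addr in matcher


def acl_matches(acl, addr):
    """First-match evaluation of a BIND-style address match list.

    The first element whose set contains addr decides: a plain element gives a
    match, a negated one gives a non-match.  If no element contains addr, the
    list does NOT match.  There is no implicit "any" at the end, so a list
    consisting only of negated elements can never match anything.
    """
    for negated, matcher in acl:
        if element_matches(matcher, addr):
            return not negated
    return False


# The list from the original post and the corrected one from the reply.
AS_POSTED = parse_acl(["!mynets"])
CORRECTED = parse_acl(["!mynets", "any"])


def blackholed(acl, addr_str):
    """True if addr_str would be blackholed under the given list."""
    return acl_matches(acl, ipaddress.ip_address(addr_str))


if __name__ == "__main__":
    for client in ("192.168.1.10", "10.2.3.4", "8.8.8.8"):
        print(client,
              "as posted:", blackholed(AS_POSTED, client),
              "corrected:", blackholed(CORRECTED, client))
```

Running it shows that "{ !mynets; }" blackholes nobody, inside or outside the local networks, while "{ !mynets; any; }" blackholes every address not in mynets. Note that named-checkconf accepted the no-op form in the original post: it validates syntax, not whether an ACL can ever match, so this class of mistake has to be caught by reasoning about the list or by testing with a client outside mynets.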
