blockhole'd IP receiving referral?

Jeff Lightner jlightner at
Sat Dec 19 14:09:07 UTC 2009

allow-recursion { internaldns; externaldns; };
        blackhole { blackhats; };

Works for me. 

The acls internaldns and externaldns are specific networks/IPs we allow
to do recursion.  (Everyone can do lookups for domains for which we are
authoritative but not recursion.)  The acl blackhats is IPs/networks
we've seen hitting us over and over and impacted CPU load.

However, even though BIND dropped the queries rather than responding and
the above blackhole worked tcpdump showed they continue to try so I went
ahead and added DROP statements for those to my iptables config just to
drop them at the kernel level.

-----Original Message-----
From: at
[ at] On Behalf
Of Chris Buxton
Sent: Friday, December 18, 2009 5:33 PM
To: lconrad at
Cc: bind-users at
Subject: Re: blockhole'd IP receiving referral?

On Dec 18, 2009, at 12:33 PM, Len Conrad wrote:
> bind 9.6.1-P1
> named-checkconf /etc/namedb/named.conf
> ... ok
> (in global options)
> options {
> allow-recursion {  mynets; }        ;
> blackhole       { !mynets; }        ;
> };

I could be wrong, but wouldn't that be:

blackhole	{ ! mynets; any; };

? To my understanding, without the "any" item, the ACL doesn't match
anything at all - no IP is blackholed.

Of course, if you blackhole anything not local, your server will not be
able to recurse out to the Internet - blackhole applies to the sending
of queries in addition to the receiving of queries. I believe you will
need to settle for "allow-query" instead of "blackhole". Something like

options {
	allow-query { mynets; };

Again, I could be wrong, but I don't think allow-recursion is needed in
this case.

Chris Buxton
Professional Services
Men & Mice

bind-users mailing list
bind-users at
Proud partner. Susan G. Komen for the Cure.
Please consider our environment before printing this e-mail or attachments.
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential information and is for the sole use of the intended recipient(s). If you are not the intended recipient, any disclosure, copying, distribution, or use of the contents of this information is prohibited and may be unlawful. If you have received this electronic transmission in error, please reply immediately to the sender that you have received the message in error, and delete it. Thank you.

More information about the bind-users mailing list