blockhole'd IP receiving referral?

Fr34k freaknetboy at
Sat Dec 19 15:11:25 UTC 2009


Chris, I believe you are correct. That is, "blackhole applies to the sending of queries in addition to the receiving of queries".

Let me explain.

I discovered this the hard way. I had a /24 in the blackhole because it contained abusive clients. Within this /24 sat two legitimate authoritative name servers (ANS). Our clients could not get responses from these ANS servers because they were within the /24 blackhole.

The solution was to make an exception for these two ANS servers. This is fine in that the blackhole function is doing its job well!
However, we have a few /16s among our blackhole networks and to manage an exception list of legitimate ANS servers contained within will be unmanageable.

So, how to stop the abuse without impacting legitimate client queries?

I think the solution here would be to permit "allow-recursion { mynets; }" clients to query and get responses from "blackhole { badnets; }" networks in some way.
Does such a solution, or equivalent, exist? If so, can someone share?

Otherwise, I'll buy a case of beer for the BIND developer that builds this functionality into 9.6.x, or greater.
NOTE: I would prefer that a new type of ACL be created for this solution. Say, call it greyhole, because blackhole does such a great job of dumping ALL traffic when needed.


----- Original Message ----
From: Chris Buxton <cbuxton at>
To: lconrad at
Cc: bind-users at
Sent: Fri, December 18, 2009 5:33:22 PM
Subject: Re: blockhole'd IP receiving referral?

On Dec 18, 2009, at 12:33 PM, Len Conrad wrote:
> bind 9.6.1-P1
> named-checkconf /etc/namedb/named.conf
> ... ok
> (in global options)
> options {
> allow-recursion {  mynets; }        ;
> blackhole       { !mynets; }        ;
> };

I could be wrong, but wouldn't that be:

blackhole    { ! mynets; any; };

? To my understanding, without the "any" item, the ACL doesn't match anything at all - no IP is blackholed.

Of course, if you blackhole anything not local, your server will not be able to recurse out to the Internet - blackhole applies to the sending of queries in addition to the receiving of queries. I believe you will need to settle for "allow-query" instead of "blackhole". Something like this:

options {
    allow-query { mynets; };
};

Again, I could be wrong, but I don't think allow-recursion is needed in this case.

Chris Buxton
Professional Services
Men & Mice
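An added named.conf sketch, written for this thread rather than taken from either poster or from BIND's own documentation, that combines Chris's advice (allow-query / allow-recursion for the service decision) with the exception-list approach Fr34k described for the abusive ranges. All acl names, addresses and the directory path are placeholders from the documentation address ranges.

```conf
// Added example for this thread (not the posters' own configuration).
// All addresses and paths are placeholders.

acl "mynets" {
    203.0.113.0/24;          // placeholder: the client ranges we serve
};

// A BIND ACL is evaluated first-match-wins, so entries that carve out an
// exception must come BEFORE the range they are carved out of. The two "!"
// entries stand for the legitimate authoritative name servers that sit
// inside an abusive /24 (placeholder addresses).
acl "badnets" {
    !192.0.2.53;             // legitimate ANS, must stay reachable
    !192.0.2.54;             // legitimate ANS, must stay reachable
    192.0.2.0/24;            // abusive range
    198.51.100.0/24;         // another abusive range (placeholder)
};

options {
    directory "/var/named"; // placeholder

    // Who may query this server at all, and who gets recursive service.
    // This replaces "blackhole { !mynets; any; }", which would also stop
    // named from sending its own queries out to the Internet, because
    // blackhole applies in both directions.
    allow-query     { mynets; };
    allow-recursion { mynets; };

    // Drop traffic to and from the abusive ranges only. Because the ANS
    // exceptions are listed above the /24 in "badnets", named can still
    // send queries to those two servers and accept their answers.
    // Note: an ACL made only of negated entries, e.g. { !mynets; },
    // matches nothing; a positive element is always needed.
    blackhole       { badnets; };
};
```

Run named-checkconf on the result before reloading; a negated entry placed after the range it is meant to exempt will pass the syntax check but never match.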
