Deny query from a single IP

Jeff Lightner jlightner at
Thu Feb 26 16:38:57 UTC 2009

That being said you CAN do what you asked:

Create an ACL in named.conf:

# Blackhats ACL - addresses to be used in blackhole statement - will prevent
# them from being allowed to query and will not respond to them.
acl "blackhats" {
        xx.xx.xx.xx;
};

(Where you put the specific IP in place of the xx.xx.xx.xx.)

Then in the options section add a line to use the ACL:
        blackhole { blackhats; };

-----Original Message-----
From: bind-users-bounces at
[mailto:bind-users-bounces at] On Behalf Of Eric C. Davis
Sent: Thursday, February 26, 2009 11:24 AM
To: prana9533 at
Cc: bind-users at
Subject: Re: Deny query from a single IP

It is better to do this with a real IPS rather than use your DNS server to
do this.  You should avoid having any unwanted traffic hit your DNS
servers ever.

Prabhat Rana wrote:
> Hello,
> I have BIND 9.5 running on a Solaris 10 box. It provides recursive DNS
> service. I'm trying to implement a script where it reads the BIND stats
> file for all the incoming queries and if there are too many queries from
> a single user (source IP) it will block queries from that particular IP.
> In order for this to occur is there a parameter similar to allow-query
> that I can inject into the named.conf to block queries from a single IP
> address when this condition occurs? Basically I'm trying to add a tool
> to detect potential DoS attacks where we see too many queries from one
> single IP. Any other suggestions would also be appreciated.
> Thanks
> Prabhat.
> _______________________________________________
> bind-users mailing list
> bind-users at

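A worked example of the per-source counting Prabhat describes, feeding the acl "blackhats" / blackhole pair Jeff shows. This is added here as an illustration; it is not code from the thread or from BIND. One caveat drives its input choice: the BIND statistics file written by rndc stats only carries aggregate counters (successful queries, referrals, NXDOMAIN and so on) with no per-client breakdown, so per-source counting has to come from query logging (logging category queries) or a packet capture. The script therefore parses query-log lines in the BIND 9 default format. The sample log lines are constructed, and the function names, the threshold of 5 queries per 60-second window, and the never-block list are the example's own assumptions.

```python
"""Turn BIND query-log lines into an acl "blackhats" block for named.conf.

Constructed example for the thread above; not part of the original messages
or of BIND. Assumes the BIND 9 default query-log line layout:
  <dd-Mon-yyyy hh:mm:ss.mmm> client <ip>#<port>: query: <qname> <class> <type> <flags> (<dst>)
"""
import re
from collections import defaultdict
from datetime import datetime

# --- constructed sample input (not from the original thread) ----------------
def _line(ts, ip, port, qname):
    """Format one query-log line the way BIND 9 writes it (constructed)."""
    return f"{ts} client {ip}#{port}: query: {qname} IN A + (198.51.100.1)"

SAMPLE_QUERY_LOG = "\n".join(
    # a normal client: three queries a few seconds apart
    [_line("26-Feb-2009 11:24:00.101", "198.51.100.7", 40001, "www.example.com"),
     _line("26-Feb-2009 11:24:03.220", "198.51.100.7", 40002, "mail.example.com"),
     _line("26-Feb-2009 11:24:09.512", "198.51.100.7", 40003, "example.org")]
    # a steady client: six queries over ten minutes, never six inside one minute
    + [_line(f"26-Feb-2009 11:{24 + 2 * i:02d}:00.000", "203.0.113.5", 41000 + i,
             f"host{i}.example.net") for i in range(6)]
    # the burst: seven queries from one source inside a third of a second
    + [_line(f"26-Feb-2009 11:24:10.{100 + 50 * i:03d}", "192.0.2.10", 53000 + i,
             f"r{i}.example.com") for i in range(7)]
    # a non-query log line (constructed), which the parser must skip
    + ["26-Feb-2009 11:24:11.000 client 192.0.2.10#53100: zone transfer 'example.com/AXFR/IN' denied"]
)

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, source_ip, qname, qtype) for each well-formed query line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # other log categories, truncated lines, etc.
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        yield ts, m.group("ip"), m.group("qname"), m.group("qtype")


def find_offenders(events, threshold, window_seconds):
    """Return sorted source IPs that sent more than `threshold` queries
    inside any sliding window of `window_seconds` seconds."""
    per_ip = defaultdict(list)
    for ts, ip, _qname, _qtype in events:
        per_ip[ip].append(ts)
    offenders = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                offenders.add(ip)
                break
    return sorted(offenders)


def render_blackhats_acl(ips, never_block=("127.0.0.1", "::1")):
    """Render an acl "blackhats" block in named.conf syntax, dropping any
    address that must never be blackholed (loopback, your own resolvers,
    monitoring hosts). An empty list renders as the predefined ACL 'none'."""
    kept = [ip for ip in ips if ip not in never_block]
    body = "\n".join(f"        {ip};" for ip in kept) if kept else "        none;"
    return f'acl "blackhats" {{\n{body}\n}};\n'


def blackhats_acl_from_log(text, threshold=5, window_seconds=60,
                           never_block=("127.0.0.1", "::1")):
    """Parse, count and render in one step; returns (offender_ips, acl_text)."""
    ips = find_offenders(parse_query_log(text), threshold, window_seconds)
    return ips, render_blackhats_acl(ips, never_block)


if __name__ == "__main__":
    offenders, acl_text = blackhats_acl_from_log(SAMPLE_QUERY_LOG)
    print(acl_text, end="")  # write this to a file that named.conf includes
```

Write the rendered block to a file that named.conf pulls in with an include statement (keep the blackhole { blackhats; }; line in options pointing at it), then run rndc reconfig so named re-reads the configuration without reloading zones. Two caveats before automating this: UDP query source addresses are trivially spoofed, so an attacker can make such a script blackhole a third party, which is why the never-block list should hold every address you cannot afford to lose (your own resolvers, forwarders, monitoring); and blackhole does more than refuse queries, since named will also not use those addresses to resolve anything. Both points reinforce Eric's advice to drop abusive traffic before it reaches named where you can; later BIND releases (9.9.4 and up) also ship a built-in rate-limit option for this purpose.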