Blacklisting private address range
Tony Finch
dot at dotat.at
Wed Feb 24 16:23:46 UTC 2010
On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote:
> On Tue, Feb 23, 2010 at 09:56:55PM -0500,
> Diosney Sarmiento Herrera <diosney.s at gmail.com> wrote:
>
> > Have any sense to blacklist the private address ranges on a server
> > that is facing Internet?
>
> I am not sure I parse your sentence correctly but may be you refer to
> the "Rebinding prevention feature" which appeared in 9.7.0?
>
> deny-answer-addresses { 10.0.0.0/8; }
> deny-answer-addresses { 172.16.0.0/12; }
> deny-answer-addresses { 192.168.0.0/16; }
We also do the following to stop BIND from trying to talk to name servers
in bogon address space:
server 0.0.0.0/8 { bogus yes; };
server 10.0.0.0/8 { bogus yes; };
server 127.0.0.0/8 { bogus yes; };
server 169.254.0.0/16 { bogus yes; };
server 172.16.0.0/12 { bogus yes; };
server 192.0.0.0/24 { bogus yes; };
server 192.0.2.0/24 { bogus yes; };
server 192.168.0.0/16 { bogus yes; };
server 198.18.0.0/15 { bogus yes; };
server 198.51.100.0/24 { bogus yes; };
server 203.0.113.0/24 { bogus yes; };
server 224.0.0.0/3 { bogus yes; };
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.
More information about the bind-users
mailing list