Blacklisting private address range

Warren Kumari warren at kumari.net
Wed Feb 24 18:18:36 UTC 2010


On Feb 24, 2010, at 11:23 AM, Tony Finch wrote:

> On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote:
>> On Tue, Feb 23, 2010 at 09:56:55PM -0500,
>> Diosney Sarmiento Herrera <diosney.s at gmail.com> wrote:
>>
>>> Have any sense to blacklist the private address ranges on a server
>>> that is facing Internet?
>>
>> I am not sure I parse your sentence correctly but maybe you refer to
>> the "Rebinding prevention feature" which appeared in 9.7.0?
>>
>> deny-answer-addresses {
>>     10.0.0.0/8;
>>     172.16.0.0/12;
>>     192.168.0.0/16;
>> };
>
> We also do the following to stop BIND from trying to talk to name servers
> in bogon address space:


Yes, but remember to be careful as to how you are using the term  
'bogon' -- some folks include things like (currently) unassigned space  
in their definition of bogon, which is fine till the space gets  
allocated, at which time hilarity ensues.


>
> server 0.0.0.0/8	{ bogus yes; };
> server 10.0.0.0/8	{ bogus yes; };
> server 127.0.0.0/8	{ bogus yes; };
> server 169.254.0.0/16	{ bogus yes; };
> server 172.16.0.0/12	{ bogus yes; };
> server 192.0.0.0/24	{ bogus yes; };
> server 192.0.2.0/24	{ bogus yes; };
> server 192.168.0.0/16	{ bogus yes; };
> server 198.18.0.0/15	{ bogus yes; };
> server 198.51.100.0/24	{ bogus yes; };
> server 203.0.113.0/24	{ bogus yes; };
> server 224.0.0.0/3	{ bogus yes; };

Ok, fair 'nuff.

W


>
> Tony.
> -- 
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
> MODERATE OR GOOD.

--
"When it comes to glittering objects, wizards have all the taste and  
self-control of a deranged magpie."
-- Terry Pratchett
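
The caveat about what counts as a 'bogon' can be checked mechanically. The following is an added example, not part of the original message or of BIND: it parses `server ... { bogus yes; };` statements and reports every prefix that is not fully inside a reference set of special-use blocks. The reference set, the function names and the sample fragment (including the two flagged entries) are assumptions constructed for this example.

```python
import ipaddress
import re

# Assumed reference set: IPv4 blocks reserved for special use by protocol,
# as opposed to space that is merely unassigned today. Maintain it yourself.
SPECIAL_USE = [ipaddress.ip_network(p) for p in """
    0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
    192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15
    198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4
""".split()]

# Constructed named.conf fragment: three entries from the thread, two
# constructed entries that should be flagged, one commented-out entry.
SAMPLE_CONF = """
server 10.0.0.0/8      { bogus yes; };
server 198.18.0.0/15   { bogus yes; };
server 224.0.0.0/3     { bogus yes; };
server 1.0.0.0/8       { bogus yes; };  # constructed: not special-use
server 192.168.0.0/15  { bogus yes; };  # constructed: mask typo
// server 2.0.0.0/8    { bogus yes; };  (commented out, ignored)
"""

SERVER_BOGUS = re.compile(r"\bserver\s+(\S+)\s*\{\s*bogus\s+yes\s*;\s*\}\s*;")


def bogus_prefixes(conf_text):
    """Return the IPv4 prefixes marked 'bogus yes' in a named.conf fragment."""
    text = re.sub(r"(#|//).*", "", conf_text)  # drop line comments
    nets = [ipaddress.ip_network(p) for p in SERVER_BOGUS.findall(text)]
    return [n for n in nets if n.version == 4]


def outside_special_use(conf_text):
    """Return bogus prefixes that reach beyond the special-use reference set."""
    # Merge adjacent blocks first so 224.0.0.0/3 matches 224/4 plus 240/4.
    covered = list(ipaddress.collapse_addresses(SPECIAL_USE))
    return [n for n in bogus_prefixes(conf_text)
            if not any(n.subnet_of(block) for block in covered)]


if __name__ == "__main__":
    for net in outside_special_use(SAMPLE_CONF):
        print(f"review: server {net} is not fully inside the special-use set")
```

Every prefix it reports is one where BIND would refuse to query name servers in address space that is, or may later become, routable.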






