Blacklisting private address range

Bill Larson wllarso at swcp.com
Fri Feb 26 16:53:40 UTC 2010


Diosney Sarmiento Herrera <diosney.s at gmail.com> said:

>   In our nameserver we do not apply the bogon filter to the bogus
> addresses because it will change with time and we do not know how to
> update them automatically.
> 
>   My question is whether it is useful to blacklist the private address
> range (these addresses never change with time ;) ) so our nameserver will
> never respond to queries from these addresses.
> 
>   I ask if this is useful because the private address range doesn't have
> any meaning on the Internet.

Your definition of what the Internet "is" and mine differs.  My network uses 
addresses in the private IP space and is connected to the Internet using 
NAT.  So, to me, the private address range DOES have a meaning in terms of 
the Internet.

That being said, if you have no reason to accept DNS queries from sources 
with IP addresses in the private address space, then sure, put them in 
the "blackhole" option statement and your server will never respond to them.

One problem with having a large number of "allowed" and/or "disallowed" ACLs 
in your "named.conf" file is that comparing source addresses against these 
ACLs does take away resources from your server.  Implementing everything in 
the "Secure BIND Template" (back when they included the "bogon" ACLs - sorry 
I haven't reviewed this for a while) took its toll on the server that I was 
testing with.  This WAS a fair while back and the server wasn't that 
powerful, but...  For me, at the time, the decrease in performance due to a 
large list of "bogon" addresses was deemed acceptable.

Now, I think that the commonly accepted "Best Current Practice" is to block 
Internet traffic based upon the source IP address at your router rather than 
trying to control this at the application level.  But, if you don't have the 
ability to do this at the router, then as a simple option it can be done at 
the application level.

Bill Larson
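As an added illustration of the "blackhole" approach Bill describes (this is an example configuration, not part of the original post or the Secure BIND Template), here is a named.conf fragment that drops queries from the RFC 1918 ranges and a few other non-routable blocks. The acl names "rfc1918" and "non-routable" and the directory path are assumptions for the example; it assumes an Internet-facing server whose legitimate clients all arrive from public addresses.

```conf
// Added example, not from the original post.
// Source ranges that should never appear on a public Internet interface.
// CAVEAT: if your own clients sit behind NAT on private addresses (as in
// Bill's network), do NOT blackhole their range, or they will be silently
// ignored. Note also that "blackhole" works in both directions: named will
// neither answer queries from these addresses nor send queries to them, so
// a recursive server that forwards to an internal 10.x resolver must not
// list 10.0.0.0/8 here.

acl "rfc1918" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

acl "non-routable" {
    rfc1918;
    0.0.0.0/8;          // "this" network
    169.254.0.0/16;     // IPv4 link-local
    192.0.2.0/24;       // TEST-NET-1, documentation only
    // 127.0.0.0/8 is deliberately left out: local tools on this host
    // (e.g. "dig @127.0.0.1") would otherwise get no answer.
};

options {
    directory "/var/named";         // assumed path
    recursion no;                   // authoritative-only server for this example
    blackhole { non-routable; };    // queries from these sources are dropped, not refused
};
```

After editing, run `named-checkconf` on the file before reloading; a typo in an acl will keep named from starting rather than just disabling the filter. The blackhole list is checked for every incoming packet, so it is the small, static list that is cheap; this is why the post recommends keeping the large, changing bogon list at the router instead.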
