Blacklisting private address range

John Wobus jw354 at cornell.edu
Fri Feb 26 17:50:44 UTC 2010


On Feb 26, 2010, at 9:54 AM, Diosney Sarmiento Herrera wrote:
> Hi!
>
>  Sorry for the delay.
>
>  It was very useful for me. Thanks!
>
>  In our nameserver we do not apply the bogon filter to the bogus
> addresses because it will change with time and we do not know how to
> update them automatically.
>
>  My question is whether it is useful to blacklist the private address
> range (these addresses never change with time ;) ) so our nameserver
> will never respond to queries from these addresses.
>
>  I ask if this is useful because the private address range has no
> meaning on the Internet.
>
>  Thanks!
>
> -- 
>          Diosney


Re discarding queries from private space that came from the Internet:

Many sites would handle this at the routing level so as to protect more
than just bind, and to allow you to make use of private space within
your own network. An access list on a router interface would assure none
of your own network receives packets from private space that actually
originated outside your network. An app like bind can't sort out whether
the packet with a source address in private space came from your own
network or came from the Internet at large.

But if you've arranged things so this bind instance never receives
traffic from your own private space (e.g. if you aren't even using
private space), then you could certainly add such filtering to bind's
normal access list.

John
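
The filtering described in the reply above, as an added example that is not part of the original message: a named.conf fragment that drops queries whose source address is in RFC 1918 private space. The ACL name "rfc1918" is an arbitrary label chosen here, and the fragment assumes the condition stated in the reply, that this instance never receives legitimate traffic from private space.

```conf
// named.conf fragment (constructed example, not from the original thread).
// "rfc1918" is an arbitrary ACL name chosen for this example.
acl "rfc1918" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    // Queries from these sources are dropped without any response.
    // named also will not use these addresses when resolving a query,
    // so do not apply this on a server that forwards to, or serves
    // clients in, private space.
    blackhole { "rfc1918"; };
};
```

Run named-checkconf against the edited file before reloading named. A router access list at the network edge remains the broader control, since it covers hosts other than the nameserver.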


