Blacklisting private address range
Diosney Sarmiento Herrera
diosney.s at gmail.com
Fri Feb 26 20:18:36 UTC 2010
Hi, Bill!
Actually, we have the same point of view of the term "Internet",
because I'm in the same situation as you: I'm in a private network
that is connected to the Internet through NAT. I just misused the term; I
should have used the term "public network" and not "Internet".
In my private network I use an internal nameserver that forwards all
the "non-internal-domain" queries to an external nameserver (forwarder).
The question that I asked refers to the forwarder nameserver.
I agree with all of your proposals and solutions, and I think that
the best thing for us is to do what you recommend at the end: filter the
traffic of private addresses at the IP layer and not at the application
one.
--
Diosney
On Fri, 2010-02-26 at 09:53 -0700, Bill Larson wrote:
> Diosney Sarmiento Herrera <diosney.s at gmail.com> said:
>
> > In our nameserver we do not apply the bogon filter to the bogus
> > addresses because they will change with time and we do not know how to update
> > them automatically.
> >
> > My question is whether it is useful to blacklist the private address
> > range (these addresses never change with time ;) ) so our nameserver will
> > never respond to queries from these addresses.
> >
> > I ask if this is useful because the private address range does not have
> > any meaning on the Internet.
>
> Your definition of what the Internet "is" and mine differs. My network uses
> addresses in the private IP space and is connected to the Internet using
> NAT. So, to me, the private address range DOES have a meaning in terms of
> the Internet.
>
> That being said, if you have no reason to accept DNS queries from sources
> with IP addresses in the private address space, then sure, put them in
> the "blackhole" option statement and your server will never respond to them.
>
> One problem with having a large number of "allowed" and/or "disallowed" ACLs
> in your "named.conf" file is that comparing source addresses against these
> ACLs does take away resources from your server. Implementing everything in
> the "Secure BIND Template" (back when they included the "bogon" ACLs - sorry
> I haven't reviewed this for a while) took its toll on the server that I was
> testing with. This WAS a fair while back and the server wasn't that
> powerful, but... For me, at the time, the decrease in performance due to a
> large list of "bogon" addresses was deemed acceptable.
>
> Now, I think that the commonly accepted "Best Current Practice" is to block
> Internet traffic based upon the source IP address at your router rather than
> trying to control this at the application level. But, if you don't have the
> ability to do this at the router, then as a simple option it can be done at
> the application level.
>
> Bill Larson
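As an added illustration of the "blackhole" approach Bill describes (this is example configuration, not something posted by either participant), the named.conf fragment below defines an ACL for the three RFC 1918 private prefixes and hands it to the "blackhole" option. The ACL name rfc1918 and the assumption that this is a public-facing forwarder with no legitimate clients on private addresses are mine, not the thread's.

```conf
// Added example: blackhole RFC 1918 source addresses in BIND named.conf.
// The ACL name "rfc1918" is an arbitrary choice; the three prefixes are
// the RFC 1918 private ranges, which do not change over time.
acl rfc1918 {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    // Assumption: this server is reached only via public addresses, so no
    // legitimate client or upstream server lives in these prefixes.
    // Queries from blackholed addresses are silently dropped, and the
    // server will also never send queries to them.
    blackhole { rfc1918; };
};
```

Two checks before deploying this: first, "blackhole" is bidirectional, so if the forwarder is itself reached by an internal resolver on a private address (or forwards to one), that address must not be in the list; second, a three-entry ACL is a far smaller per-query cost than the long bogon lists Bill mentions, so the performance concern he raises applies much less here. Where a router or host firewall is available, the same three prefixes dropped at the IP layer (for UDP and TCP port 53) achieve the same effect before the packet reaches named, which is the approach both participants settle on.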