Blacklisting private address range

Diosney Sarmiento Herrera diosney.s at gmail.com
Fri Feb 26 20:18:36 UTC 2010


Hi, Bill!

   Actually, we have the same point of view on the term "Internet",
because I'm in the same situation as you: I'm in a private network
that is connected to the Internet through NAT. I just misused the term; I
should have used the term "public network" and not "Internet".

   In my private network I use an internal nameserver that forwards all
the "non-internal-domain" queries to an external nameserver (forwarder).
The question I asked refers to the forwarder nameserver.

   I agree with all of your proposals and solutions, and I think that
the best thing for us is to do what you recommend at the end: filter the
traffic from private addresses at the IP layer and not at the application
layer.

-- 
          Diosney



On Fri, 2010-02-26 at 09:53 -0700, Bill Larson wrote: 
> Diosney Sarmiento Herrera <diosney.s at gmail.com> said:
> 
> >   In our nameserver we do not apply the bogon filter to the bogus
> > addresses because they will change with time and we do not know how to
> > update them automatically.
> > 
> >   My question is whether it is useful to blacklist the private address
> > range (these addresses never change with time ;) ) so our nameserver will
> > never respond to queries from these addresses.
> > 
> >   I ask if this is useful because the private address range has no
> > meaning on the Internet.
> 
> Your definition of what the Internet "is" and mine differs.  My network uses 
> addresses in the private IP space and is connected to the Internet using 
> NAT.  So, to me, the private address range DOES have a meaning in terms of 
> the Internet.
> 
> That being said, if you have no reason to accept DNS queries from sources 
> with IP addresses in the private address space, then sure, put them in 
> the "blackhole" option statement and your server will never respond to them.
> 
> One problem with having a large number of "allowed" and/or "disallowed" ACLs 
> in your "named.conf" file is that comparing source addresses against these 
> ACLs does take away resources from your server.  Implementing everything in 
> the "Secure BIND Template" (back when they included the "bogon" ACLs - sorry 
> I haven't reviewed this for a while) took its toll on the server that I was 
> testing with.  This WAS a fair while back and the server wasn't that 
> powerful, but...  For me, at the time, the decrease in performance due to a 
> large list of "bogon" addresses was deemed acceptable.
> 
> Now, I think that the commonly accepted "Best Current Practice" is to block 
> Internet traffic based upon the source IP address at your router rather than 
> trying to control this at the application level.  But, if you don't have the 
> ability to do this at the router, then as a simple option it can be done at 
> the application level.
> 
> Bill Larson




More information about the bind-users mailing list
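The "blackhole" option Bill refers to, written out as an added example for the external forwarder described in the thread. This fragment is not from either poster; the ACL name "rfc1918" and the forwarder address 192.0.2.53 are placeholders chosen for illustration. It shows the one caveat a practitioner would want before copying it: in BIND, "blackhole" is a list of addresses the server will neither accept queries from nor send queries to, so it must only go on the public-facing forwarder, never on the internal nameserver whose clients all sit in private space.

```conf
// Added example (not from the thread). RFC 1918 private ranges as one
// named ACL; these prefixes are fixed by RFC 1918 and never need updating,
// unlike a bogon list.
acl "rfc1918" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

// Loopback and the internal resolver that is allowed to use this forwarder
// (192.0.2.53 is a placeholder address, not one from the thread).
acl "trusted" {
    127.0.0.1;
    192.0.2.53;
};

options {
    directory "/var/named";

    // Packets from blackholed sources are silently dropped; the server also
    // refuses to send queries TO these addresses. On a public forwarder that
    // has no private upstreams this is what you want. On the INTERNAL
    // nameserver it would cut off every client, so do not copy it there.
    blackhole { rfc1918; };

    // Only the internal resolver may use this box as a recursive forwarder;
    // everyone else gets REFUSED instead of an open resolver.
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-query { trusted; };

    // Do not leak the version string to the public side.
    version "not disclosed";
};
```

Order of evaluation matters here: "blackhole" is checked before any "allow-*" list, so a source that matches both "rfc1918" and "trusted" is dropped, not answered. If the forwarder ever needs to reach a nameserver with a private address (a split-horizon zone, a lab upstream), take that address out of the blackhole list or, as Bill suggests, move the whole filter to the router and leave named.conf with only the "allow-*" lists.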