Blocking private addresses with an option

Kevin Darcy kcd at
Thu Mar 14 18:56:50 UTC 2013

On 3/14/2013 6:29 AM, Tony Finch wrote:
> King, Harold Clyde (Hal) <hck at> wrote:
>> Is there an option for bind like the allow-recursion { <network-acl> }
>> For blocking out going records of and so I could do a view like:
> I'm not sure what you mean by "blocking out going records" but there are a
> couple of options that might do what you want:
> There is the "blackhole" acl which makes named ignore all requests and
> never send queries to a particular address range.
> There is the server ... { bogus yes; }; clause which stops named from
> sending queries to a particular address range.

I think he wants to strip addresses (A and/or AAAA) of certain ranges
from his outgoing responses. Circa BIND 9.7-ish, there used to be a
focused way to do this (deny-answer-addresses?), but I think the more
"modern" way to accomplish the same thing is with RPZ.

             - Kevin
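
The two approaches named in the reply above, sketched as an added example that is not part of the original post or of anyone's production configuration. The zone name `rpz.example`, the file name and the `internal.example` exemption are assumed placeholders.

```conf
// named.conf fragment. Constructed example: zone name, file name and the
// internal.example exemption are placeholders. Use ONE of the two approaches.

options {
    // Approach 1: deny-answer-addresses. An upstream response carrying an
    // A/AAAA record inside these ranges is rejected and the client gets
    // SERVFAIL.
    deny-answer-addresses {
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;   // RFC 1918
        fc00::/7;                                     // IPv6 unique local
    } except-from { "internal.example"; };  // names allowed to map inside

    // Approach 2: RPZ. The policy lives in an ordinary zone, shown below.
    response-policy { zone "rpz.example"; };
};

zone "rpz.example" {
    type master;
    file "rpz.example.db";
    allow-query { none; };    // the policy zone itself is not served to clients
};

/* Contents of rpz.example.db. Owner names of IP triggers have the form
   <prefix-length>.<address, reversed>.rpz-ip

$TTL 300
@   IN SOA localhost. hostmaster.localhost. ( 1 3600 600 86400 300 )
    IN NS  localhost.

; let internal names keep resolving to private addresses
internal.example        CNAME rpz-passthru.
*.internal.example      CNAME rpz-passthru.

; answers containing private addresses become NXDOMAIN ("CNAME .")
8.0.0.0.10.rpz-ip       CNAME .
12.0.0.16.172.rpz-ip    CNAME .
16.0.0.168.192.rpz-ip   CNAME .
7.zz.fc00.rpz-ip        CNAME .   ; fc00::/7, "zz" replaces the run of zero words
*/
```

`named-checkconf` validates the first part; `named-checkzone rpz.example rpz.example.db` validates the zone file once its contents are taken out of the comment.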

More information about the bind-users mailing list