In article <[email protected]>,
Chris Thompson <[email protected]> wrote:
> On Dec 3 2009, Bill Larson wrote:
>
> [...]
> >Then again, I've never been sure what the original requester was asking
> >for. If he didn't want to give an answer out to someone on a particular
> >network, then the "blackhole" option would seem to be a perfect solution in
> >the first place.
>
> | blackhole
> |
> | Specifies a list of addresses that the server will not accept
> | queries from or use to resolve a query. [...]
> ^^^^^^^^^^^^^^^^^^^^^^^^^
>
> So it's not suitable for blocking out large chunks of the external world
> which may contain nameservers you need to do recursive lookups.
>
> [It's never been entirely clear to me why these functions have to be
> combined, especially given that "server [ipaddr/len] {bogus yes;};"
> can be used to block outgoing queries.]

I think it's for backwards compatibility with the old BIND 4.x blackhole
option. I don't think 4.x had anything analogous to the bogus server
option; all you could do was blackhole individual IPs in both directions.
--
Barry Margolin, [email protected]
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
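
An added named.conf example (not from the thread or from the BIND documentation) of the distinction discussed above: `blackhole` blocks a range in both directions, while `allow-query` and `server ... { bogus yes; };` each control one direction. The ACL name and the documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are constructed placeholders.

```conf
// Constructed example. unwanted_clients is a hypothetical ACL name and the
// prefixes are RFC 5737 documentation ranges standing in for real networks.
acl unwanted_clients { 192.0.2.0/24; 198.51.100.0/24; };

// Combined behaviour (the setting the thread warns about for large ranges):
// queries from these ranges are ignored, AND the server will not send
// queries to any nameserver inside them while resolving. Names whose
// authoritative servers live only in these ranges stop resolving.
//
// options {
//     blackhole { unwanted_clients; };
// };

// Inbound side only: refuse queries from the listed clients but keep
// using nameservers in those ranges for recursive lookups.
// Unlike blackhole, the client gets a REFUSED response rather than silence.
options {
    recursion yes;
    allow-query { !unwanted_clients; any; };
};

// Outbound side only: never send queries to nameservers in this prefix.
// Clients in 203.0.113.0/24 can still query this server.
server 203.0.113.0/24 { bogus yes; };
```

Running `named-checkconf` on the file confirms the syntax before reloading.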