allow-recursion { internaldns; externaldns; }; blackhole { blackhats; };
Works for me. The acls internaldns and externaldns are specific networks/IPs we allow to do recursion. (Everyone can do lookups for domains for which we are authoritative, but not recursion.) The acl blackhats is IPs/networks we've seen hitting us over and over that impacted CPU load. However, even though BIND dropped the queries rather than responding and the above blackhole worked, tcpdump showed they continued to try, so I went ahead and added DROP statements for those to my iptables config just to drop them at the kernel level.

-----Original Message-----
From: bind-users-bounces+jlightner=water....@lists.isc.org [mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf Of Chris Buxton
Sent: Friday, December 18, 2009 5:33 PM
To: lcon...@go2france.com
Cc: bind-users@lists.isc.org
Subject: Re: blockhole'd IP receiving referral?

On Dec 18, 2009, at 12:33 PM, Len Conrad wrote:

> bind 9.6.1-P1
>
> named-checkconf /etc/namedb/named.conf
> ... ok
>
> (in global options)
>
> options {
>     allow-recursion { mynets; } ;
>     blackhole { !mynets; } ;
> };

I could be wrong, but wouldn't that be:

    blackhole { ! mynets; any; };

? To my understanding, without the "any" item, the ACL doesn't match anything at all - no IP is blackholed.

Of course, if you blackhole anything not local, your server will not be able to recurse out to the Internet - blackhole applies to the sending of queries in addition to the receiving of queries. I believe you will need to settle for "allow-query" instead of "blackhole". Something like this:

    options {
        allow-query { mynets; };
    };

Again, I could be wrong, but I don't think allow-recursion is needed in this case.

Chris Buxton
Professional Services
Men & Mice

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
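A small model of the ACL evaluation the thread argues about, added here as an example and not code from the thread or from BIND itself. It reproduces named's first-match-wins rule for an address_match_list (a matching negated element gives a negative match, and a list in which nothing matches gives no match), which is why `blackhole { !mynets; }` blackholes nobody while `blackhole { !mynets; any; }` blackholes everything outside mynets. The ACL names follow the posts; the networks behind them are constructed documentation prefixes.

```python
import ipaddress

# Constructed ACL definitions mirroring the named.conf fragments in the thread.
# The prefixes are documentation ranges chosen for this example only.
ACLS = {
    "mynets":      ["192.0.2.0/24"],
    "internaldns": ["192.0.2.0/24"],
    "externaldns": ["198.51.100.53/32"],
    "blackhats":   ["203.0.113.0/24"],
}

def evaluate(elements, addr, acls=ACLS):
    """Evaluate a BIND address_match_list: the first matching element wins.

    Returns True for a positive match, False for a negative match (the first
    element that matched was negated) and None when no element matched.
    """
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            inner = True
        elif name == "none":
            inner = None
        elif name in acls:
            inner = evaluate(acls[name], addr, acls)      # nested acl
        else:
            net = ipaddress.ip_network(name, strict=False)
            inner = True if ip in net else None           # version mismatch -> False
        if inner is None:
            continue                 # this element says nothing; keep scanning
        return inner != negate       # a leading "!" flips the sign of the match
    return None                      # ran off the end of the list: no match

def is_matched(elements, addr):
    """Only a positive match counts for blackhole / allow-* decisions."""
    return evaluate(elements, addr) is True

# Len Conrad's list as posted, and Chris Buxton's corrected version.
BLACKHOLE_AS_POSTED = ["!mynets"]
BLACKHOLE_WITH_ANY = ["!mynets", "any"]

def classify(addr, allow_recursion=("internaldns", "externaldns"),
             blackhole=("blackhats",)):
    """How the reply's configuration treats a client: blackholed, allowed to
    recurse, or limited to the zones the server is authoritative for."""
    if is_matched(list(blackhole), addr):
        return "blackholed"
    if is_matched(list(allow_recursion), addr):
        return "recursion"
    return "authoritative-only"
```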