        allow-recursion { internaldns; externaldns; };
        blackhole       { blackhats; };

Works for me. 

The ACLs internaldns and externaldns are the specific networks/IPs we allow
to do recursion.  (Everyone can do lookups for domains for which we are
authoritative, but not recursion.)  The ACL blackhats is the IPs/networks
we've seen hitting us over and over and that impacted CPU load.

However, even though BIND dropped the queries rather than responding, and
the above blackhole worked, tcpdump showed they continued to try, so I went
ahead and added DROP statements for those to my iptables config just to
drop them at the kernel level.

-----Original Message-----
From: bind-users-bounces+jlightner=water....@lists.isc.org
[mailto:bind-users-bounces+jlightner=water....@lists.isc.org] On Behalf
Of Chris Buxton
Sent: Friday, December 18, 2009 5:33 PM
To: lcon...@go2france.com
Cc: bind-users@lists.isc.org
Subject: Re: blockhole'd IP receiving referral?

On Dec 18, 2009, at 12:33 PM, Len Conrad wrote:
> bind 9.6.1-P1
> 
> named-checkconf /etc/namedb/named.conf
> ... ok
> 
> (in global options)
> 
> options {
>         allow-recursion { mynets; };
>         blackhole       { !mynets; };
> };

I could be wrong, but wouldn't that be:

blackhole       { ! mynets; any; };

? To my understanding, without the "any" item, the ACL doesn't match
anything at all - no IP is blackholed.

Of course, if you blackhole anything not local, your server will not be
able to recurse out to the Internet - blackhole applies to the sending
of queries in addition to the receiving of queries. I believe you will
need to settle for "allow-query" instead of "blackhole". Something like
this:

options {
        allow-query { mynets; };
};

Again, I could be wrong, but I don't think allow-recursion is needed in
this case.

Chris Buxton
Professional Services
Men & Mice

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
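The three configurations in this thread differ only in how BIND walks an address match list: first matching element wins, a negated match denies, and a list in which nothing matches also denies. The following is an added example, not code from either poster or from BIND itself; it re-implements those rules in Python (supporting CIDR entries, "!" negation, the "any"/"none" keywords and named ACLs) and evaluates Len Conrad's original blackhole, Chris Buxton's corrected one, and the allow-recursion/blackhole pair above. All ACL names, networks and client addresses are made-up documentation addresses, and the "upstream" address stands in for any server named would need to send queries to.

```python
"""Evaluate BIND 9 address_match_list (ACL) expressions the way named does.

Constructed example: all networks, ACL names and client IPs below are
hypothetical RFC 5737/3849 documentation addresses chosen for illustration.
Only CIDR/IP entries, '!' negation, 'any', 'none' and named ACLs are handled;
'localhost'/'localnets' and TSIG key matches are out of scope here.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Target = Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network]
Element = Tuple[bool, Target]  # (negated, target)


def parse_list(text: str) -> List[Element]:
    """Parse '{ !mynets; 10.0.0.0/8; any; }' into [(negated, target), ...].

    BIND accepts both '!mynets' and '! mynets'; a bare IP becomes a /32 or /128.
    """
    body = text.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    elements: List[Element] = []
    for raw in body.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = False
        if item.startswith("!"):
            negated = True
            item = item[1:].strip()
        try:
            target: Target = ipaddress.ip_network(item, strict=False)
        except ValueError:
            target = item  # keyword ('any'/'none') or the name of another acl
        elements.append((negated, target))
    return elements


def matches(addr: str, elements: List[Element], acls: Dict[str, List[Element]]) -> Optional[bool]:
    """Walk the list left to right; the first element that matches decides.

    Returns True for a positive match, False when a negated element matched,
    and None when no element matched at all. For access control BIND treats
    False and None identically: the request is denied.
    """
    ip = ipaddress.ip_address(addr)
    for negated, target in elements:
        if isinstance(target, str):
            if target == "any":
                hit = True
            elif target == "none":
                hit = False
            elif target in acls:
                # A negative match inside a nested acl counts as "no match", so a
                # negated nested acl can never turn into a surprise positive match.
                hit = matches(str(ip), acls[target], acls) is True
            else:
                raise KeyError(f"unknown acl or keyword: {target}")
        else:
            hit = ip.version == target.version and ip in target
        if hit:
            return not negated
    return None


def allowed(addr: str, list_text: str, acls: Dict[str, List[Element]]) -> bool:
    """ACL semantics: only a non-negated match grants (or, for blackhole, blocks)."""
    return matches(addr, parse_list(list_text), acls) is True


# Hypothetical ACL definitions standing in for the ones named in the thread.
ACLS: Dict[str, List[Element]] = {
    "mynets":      parse_list("{ 192.0.2.0/24; 2001:db8::/32; }"),
    "internaldns": parse_list("{ 192.0.2.0/24; }"),
    "externaldns": parse_list("{ 198.51.100.0/24; }"),
    "blackhats":   parse_list("{ 203.0.113.7; 203.0.113.0/28; }"),
}
OUTSIDER, INSIDER, UPSTREAM, STRANGER = "203.0.113.7", "192.0.2.10", "203.0.113.53", "203.0.113.50"


def demo() -> Dict[str, bool]:
    """Evaluate each configuration from the thread against sample addresses."""
    r = {}
    # Original post: '!mynets' alone can only ever deny, so nothing is blackholed.
    r["conrad_outsider_blackholed"] = allowed(OUTSIDER, "{ !mynets; }", ACLS)
    r["conrad_insider_blackholed"] = allowed(INSIDER, "{ !mynets; }", ACLS)
    # Suggested fix: the trailing 'any' catches everyone the negation let through...
    r["buxton_outsider_blackholed"] = allowed(OUTSIDER, "{ ! mynets; any; }", ACLS)
    r["buxton_insider_blackholed"] = allowed(INSIDER, "{ ! mynets; any; }", ACLS)
    # ...including addresses named must *send* to, since blackhole applies both ways.
    r["buxton_upstream_blackholed"] = allowed(UPSTREAM, "{ ! mynets; any; }", ACLS)
    # Reply above: recursion for listed nets only, blackhole for repeat offenders only.
    r["lightner_recursion_internal"] = allowed(INSIDER, "{ internaldns; externaldns; }", ACLS)
    r["lightner_recursion_stranger"] = allowed(STRANGER, "{ internaldns; externaldns; }", ACLS)
    r["lightner_blackhole_offender"] = allowed(OUTSIDER, "{ blackhats; }", ACLS)
    r["lightner_blackhole_stranger"] = allowed(STRANGER, "{ blackhats; }", ACLS)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32s} {value}")
```

Running it shows the point of the thread in one screen: `{ !mynets; }` returns no match for every address, `{ ! mynets; any; }` blackholes the outsider and the upstream server alike, and the allow-recursion/blackhole pair leaves ordinary authoritative queries from strangers untouched while blocking only the listed offenders.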