Hello,

Chris, I believe you are correct. That is, "blackhole applies to the sending of 
queries in addition to the receiving of queries".

Let me explain.

I discovered this the hard way. I had a /24 in the blackhole because it 
contained abusive clients. Within this /24 sat two legitimate authoritative 
name servers (ANS). Our clients could not get responses from these ANS servers 
because they were within the /24 blackhole.

The solution was to make an exception for these two ANS servers. This is fine 
in that the blackhole function is doing its job well!
However, we have a few /16s among our blackhole networks and to manage an 
exception list of legitimate ANS servers contained within will be unmanageable.

So, how to stop the abuse without impacting legitimate client queries?

I think the solution here would be to permit "allow-recursion { mynets; }" 
clients to query and get responses from "blackhole { badnets; }" networks in 
some way.
Does such a solution, or equivalent, exist? If so, can someone share?

Otherwise, I'll buy a case of beer for the BIND developer that builds this 
functionality into 9.6.x, or greater.
NOTE: I would prefer that a new type of ACL be created for this solution. Say, 
call it greyhole, because blackhole does such a great job of dumping ALL 
traffic when needed.

Thanks.



----- Original Message ----
From: Chris Buxton <cbux...@menandmice.com>
To: lcon...@go2france.com
Cc: bind-users@lists.isc.org
Sent: Fri, December 18, 2009 5:33:22 PM
Subject: Re: blockhole'd IP receiving referral?

On Dec 18, 2009, at 12:33 PM, Len Conrad wrote:
> bind 9.6.1-P1
> 
> named-checkconf /etc/namedb/named.conf
> ... ok
> 
> (in global options)
> 
> options {
> allow-recursion {  mynets; }        ;
> blackhole       { !mynets; }        ;
> };

I could be wrong, but wouldn't that be:

blackhole    { ! mynets; any; };

? To my understanding, without the "any" item, the ACL doesn't match anything 
at all - no IP is blackholed.

Of course, if you blackhole anything not local, your server will not be able to 
recurse out to the Internet - blackhole applies to the sending of queries in 
addition to the receiving of queries. I believe you will need to settle for 
"allow-query" instead of "blackhole". Something like this:

options {
    allow-query { mynets; };
};

Again, I could be wrong, but I don't think allow-recursion is needed in this 
case.

Chris Buxton
Professional Services
Men & Mice
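
As an added illustration (not code from either message or from BIND itself), here is a small evaluator for BIND's address-match-list rules, first match wins and a matching negated element means no match, run against the three lists discussed in this thread: "{ !mynets; }", "{ !mynets; any; }", and a blackhole /24 with two name servers carved out. The network ranges and ACL names are constructed, and the code only models which addresses a list matches, not the outbound effect of blackhole that Len describes.

```python
import ipaddress

# Constructed sample ACLs; these are not the networks from the thread.
# Addresses use RFC 1918 and RFC 5737 documentation space.
ACLS = {
    "mynets": ["192.168.0.0/16", "10.0.0.0/8"],
    # An abusive /24 with two legitimate authoritative servers excepted.
    # The negated hosts come first because the first matching element wins.
    "badnets": ["!203.0.113.10", "!203.0.113.11", "203.0.113.0/24"],
}


def acl_matches(addr, acl, acls=ACLS):
    """Evaluate a BIND-style address match list for one address.

    Elements are checked in order; the first element that matches decides
    the result.  A matching negated element yields 'no match' immediately.
    If no element matches at all, the list does not match (BIND's default).
    """
    ip = ipaddress.ip_address(addr)
    for elem in acl:
        elem = elem.strip()
        negated = elem.startswith("!")
        if negated:
            elem = elem[1:].strip()
        if elem in acls:                      # nested named ACL
            hit = acl_matches(addr, acls[elem], acls)
        elif elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        else:
            hit = ip in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negated
    return False


def blackhole_without_any(addr):
    """Len's original list: nothing is ever blackholed."""
    return acl_matches(addr, ["!mynets"])


def blackhole_with_any(addr):
    """Chris's corrected list: everything outside mynets is blackholed."""
    return acl_matches(addr, ["!mynets", "any"])


def blackhole_badnets(addr):
    """Blackhole the abusive /24 except the two legitimate name servers."""
    return acl_matches(addr, ["badnets"])
```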

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
