On 19 Dec 2009, at 16:11, Fr34k wrote:
Hello,

Chris, I believe you are correct. That is, "blackhole applies to the sending of queries in addition to the receiving of queries".

Let me explain.

I discovered this the hard way. I had a /24 in the blackhole because it contained abusive clients. Within this /24 sat two legitimate authoritative name servers (ANS). Our clients could not get responses from these ANS servers because they were within the /24 blackhole.

The solution was to make an exception for these two ANS servers. This is fine in that the blackhole function is doing its job well! However, we have a few /16s among our blackhole networks and to manage an exception list of legitimate ANS servers contained within will be unmanageable.

So, how to stop the abuse without impacting legitimate client queries?

I think the solution here would be to permit "allow-recursion { mynets; }" clients to query and get responses from "blackhole { badnets; }" networks in some way.
Does such a solution, or equivalent, exist? If so, can someone share?

I haven't tested this, but I think this might do what you ask for:
Remove the blackhole statements from the config; instead add these rules to iptables, ipfw or equivalent:
* Allow "related or established" packets to the DNS port
* Drop incoming DNS-requests from the blackhole nets

This will basically allow replies, but drop requests.

Greets,
Niobos
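
The firewall approach Niobos outlines, as an added example that is not part of the original thread or of BIND itself: an sh script that emits the iptables rules for a list of blackholed ranges. The prefixes in BADNETS are constructed placeholders (RFC 5737 documentation ranges) standing in for the real badnets ACL; the IPTABLES variable defaults to "echo iptables" so the script only prints the rules, and setting it to "iptables" applies them. It assumes the conntrack match module is available on the resolver host.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND): generate the iptables
# rules that let a recursive resolver still receive replies from authoritative
# servers inside a blackholed range, while queries sent *from* that range are
# dropped. With IPTABLES unset the rules are only printed.

IPTABLES="${IPTABLES:-echo iptables}"

# Constructed sample of blackholed ranges (RFC 5737 documentation prefixes),
# standing in for the real badnets list.
BADNETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"

# Emit the rules for one chain. Order matters: the conntrack ACCEPT must come
# before the DROPs, otherwise replies to the resolver's own queries (which
# also arrive from port 53, and may even be addressed to port 53 if the
# resolver sends from a fixed source port) would be discarded as well.
dns_blackhole_rules() {
    chain="$1"; shift
    # Replies to queries the resolver sent earlier are ESTABLISHED (UDP) or
    # ESTABLISHED/RELATED (TCP); accept them from anywhere, blackholed or not.
    $IPTABLES -A "$chain" -p udp --sport 53 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A "$chain" -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything else addressed to port 53 from a blackholed range is a query
    # we did not ask for: drop it, UDP and TCP alike.
    for net in "$@"; do
        $IPTABLES -A "$chain" -s "$net" -p udp --dport 53 -j DROP
        $IPTABLES -A "$chain" -s "$net" -p tcp --dport 53 -j DROP
    done
}

# Count the DROP rules in a rule set read from stdin (used to sanity-check
# that every range produced its UDP and TCP rule).
count_drop_rules() {
    grep -c -- '-j DROP'
}

dns_blackhole_rules INPUT $BADNETS
```

Because legitimate authoritative servers are recognised by connection state rather than by address, the per-server exception list that the BIND blackhole requires disappears: any name server in a blackholed /16 can still answer the resolver, but none of the hosts in that /16 can use the resolver. Note that this only covers traffic arriving at the resolver; it does nothing about abusive queries that reach it over a path the firewall does not see.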

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
