Questions about "bogon" ACL entries to be added
Bill Manning
bmanning at zed.isi.edu
Mon Jan 7 21:31:14 UTC 2002
You may wish to look at:
http://www.isi.edu/~bmanning/dsua.html
On Mon, Jan 07, 2002 at 04:20:03PM -0500, O'Neil,Kevin wrote:
>
>
> I was looking at the excellent document "Secure BIND Template v3.2" written
> by Rob Thomas
> (http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html). In
> particular the "bogon" ACL that defines IP addresses to not respond to, for
> security reasons.
>
> I was checking class A addresses against ARIN's whois database
> (http://www.arin.net/cgi-bin/whois.pl) and the in-addr.arpa file at
> ftp://rs.arin.net/inaddr/inaddr.zone.
>
> My thinking is that if a class A address is not delegated by the root
> servers and is not in a large BGP table (say from
> http://www.telstra.net/ops/bgp/bgp-active.html) then that address should be
> one included in the bogon ACL even though ARIN's database indicates that the
> address has been delegated to some entity.
>
> A couple of examples are:
> 14.0.0.0/8; //NET-PDN; not in in-addr.arpa zone and not in BGP table
> 48.0.0.0/8; //NET-PRUBACHE; not in in-addr.arpa zone and not in BGP table
>
> Should those (and several others) be added to the "bogon" ACL?
>
>
> Also there are a couple of class B addresses mentioned in RFC 2544 that seem
> to be reserved for test networks:
> 198.18.0.0/16; //NETBLK-NDTL;
> 198.19.0.0/16; //NETBLK-NDTL;
>
> Shouldn't those be candidates for "bogon"?
>
>
> Finally, there are 16 reserved class C addresses in the 192 range
> (NET-RESERVED-192*). Those too?
>
> Thanks...
>
> ...Kevin O'Neil
>
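The check Kevin describes above (flag a prefix as a "bogon" candidate only when it is neither delegated under in-addr.arpa nor covered by anything in a BGP table) can be scripted rather than done by hand. The script below is an added example and is not code from this thread, from ARIN, or from Rob Thomas's Secure BIND Template. Both input excerpts are constructed for illustration: they are not copies of rs.arin.net's inaddr.zone or of any real BGP dump, and the control prefixes 3.0.0.0/8, 198.32.0.0/16 and 198.41.0.0/16 are made up to exercise the logic. The output is in the `acl "bogon" { ... };` form named.conf expects.

```python
"""Apply the "not delegated in in-addr.arpa AND not announced in BGP" test
to a list of candidate prefixes and emit a BIND acl block.

Added example, not part of the original thread. All data below is
constructed for illustration only.
"""
import ipaddress
import re

# Constructed excerpt in reverse-zone style (illustrative, NOT the real
# inaddr.zone). Only NS records matter: each one delegates a reverse tree.
ZONE_SAMPLE = """\
; constructed sample delegations
3.in-addr.arpa.          IN  NS  ns1.example.net.
4.in-addr.arpa.          IN  NS  ns1.example.net.
32.198.in-addr.arpa.     IN  NS  ns2.example.net.
41.198.in-addr.arpa.     IN  NS  ns2.example.net.
2.0.192.in-addr.arpa.    IN  NS  ns3.example.net.
"""

# Constructed prefix dump, one announced prefix per line (illustrative,
# NOT a real routing table).
BGP_SAMPLE = """\
# constructed sample announcements
4.0.0.0/8
198.32.0.0/16
198.41.0.0/24
"""

# Prefixes from the mail plus three constructed controls.
CANDIDATES = [
    "3.0.0.0/8",        # control: delegated, not routed -> keep out of ACL
    "14.0.0.0/8",
    "48.0.0.0/8",
    "198.18.0.0/16",
    "198.19.0.0/16",
    "198.32.0.0/16",    # control: delegated and routed -> keep out of ACL
    "198.41.0.0/16",    # control: a /24 inside it is routed -> keep out
]

# <octets>.in-addr.arpa [TTL] [IN] NS ...   (labels are in reverse order)
_NS_RE = re.compile(
    r"^((?:\d{1,3}\.){1,3})in-addr\.arpa\.?\s+(?:\d+\s+)?(?:IN\s+)?NS\b", re.I
)


def parse_reverse_delegations(zone_text):
    """Return the IPv4 networks whose reverse tree has an NS delegation."""
    nets = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        m = _NS_RE.match(line) if line else None
        if not m:
            continue
        octets = m.group(1).rstrip(".").split(".")[::-1]   # undo reverse order
        prefix_len = 8 * len(octets)                        # 1 label=/8, 2=/16, 3=/24
        octets += ["0"] * (4 - len(octets))
        nets.append(ipaddress.ip_network(".".join(octets) + f"/{prefix_len}"))
    return nets


def parse_bgp_prefixes(table_text):
    """Return the networks announced in a one-prefix-per-line dump."""
    nets = []
    for line in table_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def overlaps_any(candidate, nets):
    """True if candidate overlaps any net (either may contain the other)."""
    return any(candidate.overlaps(n) for n in nets)


def bogon_candidates(candidates, zone_text, table_text):
    """Prefixes that are neither delegated in the reverse tree nor routed."""
    delegations = parse_reverse_delegations(zone_text)
    routes = parse_bgp_prefixes(table_text)
    flagged = []
    for c in candidates:
        net = ipaddress.ip_network(c)
        if not overlaps_any(net, delegations) and not overlaps_any(net, routes):
            flagged.append(str(net))
    return flagged


def render_acl(name, prefixes):
    """Render prefixes as a named.conf acl block."""
    body = "\n".join(f"    {p};" for p in prefixes)
    return f'acl "{name}" {{\n{body}\n}};'


if __name__ == "__main__":
    print(render_acl("bogon", bogon_candidates(CANDIDATES, ZONE_SAMPLE, BGP_SAMPLE)))
```

Two points to keep in mind when using this for real. The test proves only what the two snapshots show, so a prefix that is delegated to a reverse server not listed in the file you have, or announced by a peer your table does not see, will look like a bogon; treat a parent or child delegation as "in use" (as `overlaps_any` does) rather than demanding an exact match, and regenerate the ACL from fresh copies rather than freezing the result in named.conf. Ranges reserved by the IANA or an RFC, such as the 198.18.0.0/15 benchmarking block Kevin mentions, are better taken from the registry itself than inferred from their absence in a routing table.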