blockhole'd IP receiving referral?
Chris Buxton
cbuxton at menandmice.com
Fri Dec 18 22:33:22 UTC 2009
On Dec 18, 2009, at 12:33 PM, Len Conrad wrote:
> bind 9.6.1-P1
>
> named-checkconf /etc/namedb/named.conf
> ... ok
>
> (in global options)
>
> options {
> allow-recursion { mynets; } ;
> blackhole { !mynets; } ;
> };
I could be wrong, but wouldn't that be:
blackhole { ! mynets; any; };
? To my understanding, without the "any" item, the ACL doesn't match anything at all - no IP is blackholed.
Of course, if you blackhole anything not local, your server will not be able to recurse out to the Internet - blackhole applies to the sending of queries in addition to the receiving of queries. I believe you will need to settle for "allow-query" instead of "blackhole". Something like this:
options {
allow-query { mynets; };
};
Again, I could be wrong, but I don't think allow-recursion is needed in this case.
Chris Buxton
Professional Services
Men & Mice
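To see why the difference between `{ !mynets; }` and `{ !mynets; any; }` matters, the following Python script (added here as an illustration; it is not part of the thread or of BIND itself) models BIND's documented address-match-list evaluation: elements are checked in order, the first matching element decides, a negated element that matches yields "no match", and a list that nothing matches does not match. The `mynets` prefixes and the client addresses are constructed documentation ranges, and nested ACLs are treated as a simple yes/no sub-list, which is enough for this case.

```python
"""Model of BIND address-match-list (ACL) evaluation (illustrative, not BIND code).

BIND walks an address match list left to right and stops at the first element
that matches the client address. If that element is negated with "!", the
result is "no match"; if no element matches, the list as a whole does not
match. Consequence: `{ !mynets; }` matches nothing at all, because local
addresses hit the negated element and everything else falls off the end.
"""
import ipaddress

# Constructed example: the "mynets" ACL from the thread, using documentation prefixes.
NAMED_ACLS = {"mynets": ["192.0.2.0/24", "2001:db8::/32"]}


def match_acl(addr, elements, named_acls=None):
    """Return True if `addr` matches the address match list `elements`.

    `elements` is a list of strings in named.conf syntax: "any", "none", a CIDR
    prefix, or the name of an ACL defined in `named_acls`; a leading "!" negates
    the element. Evaluation is first-match, as in BIND. Nested ACLs are modelled
    as a plain boolean sub-match (an assumption that suffices for this example).
    """
    named_acls = named_acls or {}
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negated = element.startswith("!")
        token = element.lstrip("! ").strip()
        if token == "any":
            hit = True
        elif token == "none":
            hit = False
        elif token in named_acls:
            hit = match_acl(addr, named_acls[token], named_acls)
        else:
            net = ipaddress.ip_network(token, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            # First match decides; a negated hit means the list does NOT match.
            return not negated
    # No element matched: the list does not match this address.
    return False


# The blackhole list as posted, and the corrected form suggested in the reply.
BLACKHOLE_AS_POSTED = ["!mynets"]
BLACKHOLE_CORRECTED = ["!mynets", "any"]

# The allow-query alternative recommended instead of blackholing.
ALLOW_QUERY = ["mynets"]


def is_blackholed(addr, blackhole_list):
    """True if BIND would drop traffic to/from `addr` under `blackhole_list`."""
    return match_acl(addr, blackhole_list, NAMED_ACLS)


def query_allowed(addr):
    """True if `addr` may query the server under `allow-query { mynets; };`."""
    return match_acl(addr, ALLOW_QUERY, NAMED_ACLS)


def compare(addrs=("192.0.2.10", "198.51.100.7", "2001:db8::1", "203.0.113.5")):
    """Map each constructed client address to (as_posted, corrected) blackhole results."""
    return {
        a: (is_blackholed(a, BLACKHOLE_AS_POSTED), is_blackholed(a, BLACKHOLE_CORRECTED))
        for a in addrs
    }


if __name__ == "__main__":
    for addr, (posted, corrected) in compare().items():
        print(f"{addr:>14}  as posted: {posted!s:5}  corrected: {corrected!s:5}  "
              f"allow-query: {query_allowed(addr)}")
```

Running it shows that with the list as posted no address is blackholed, while the corrected list blackholes exactly the non-local addresses; `allow-query { mynets; }` admits only the local ranges without affecting the server's own outbound resolution.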