(no subject)

waddle1 at us.ibm.com
Thu Aug 24 02:13:51 UTC 2000

AFAIK, the difference is in the direction.  A blackhole causes named to
silently ignore requests coming *from* another host.  For example, I
blackhole all RFC1918 space to help shunt DOS attacks.  A bogus server is
one that named will not send requests to.  That way, if there's one server
out elsewhere in the net that is misconfigured / lying, you can isolate
yourself from them.

--D

Duane Waddle
waddle1 at us.ibm.com
"With sufficient thrust, pigs fly just fine..."  -- RFC1925


Nicolai Langfeldt <janl at math.uio.no> on 07/23/2000 11:05:53 AM

Sent by:  News <news at usit.uio.no>


To:   comp-protocols-dns-bind at moderators.isc.org
cc:
Subject:  Bogus server vs. blackholing

Hi,

I'm trying to figure out what the difference between blackholing a
server and listing it as bogus is, i.e.,

  blackhole {
     10.10.10.10;
  };

versus

  server 10.10.10.10 {
     bogus yes;
  };

Examining the source code (BIND 8.2.2-P5) I find this in
src/bin/named/ns_forw.c, line 648:

#ifdef BOGUSNS
                        /*
                         * Don't forward queries to bogus servers.  Note
                         * that this is unlike the previous tests, which
                         * are fatal to the query.  Here we just skip the
                         * server, which is only fatal if it's the last
                         * server.  Note also that we antialias here -- all
                         * A RR's of a server are considered the same server,
                         * and if any of them is bogus we skip the whole
                         * server.  Those of you using multiple A RR's to
                         * load-balance your servers will (rightfully) lose
                         * here.  But (unfortunately) only if they are bogus.
                         */
                        if (ip_match_address(bogus_nameservers, nsa) > 0)
                                goto skipserver;
#endif
                        if (server_options->blackhole_acl != NULL &&
                            ip_match_address(server_options->blackhole_acl,
                                             nsa) == 1)
                                continue;


server ... { bogus yes; } statements enter servers in the
bogus_nameserver acl.  The skipserver label is right before the
closing brace of the loop, so the goto is equivalent to a continue.
But the comment is the interesting bit.  It appears to say that a
bogus-listed server will be "antialiased", meaning that all the
server's addresses will be equally bogus.  I could understand this if it
were possible to enter bogus servers by name, but you can't; it's a
syntax error.  You can only enter them by IP#.  And then I can't see
how this anti-aliasing is supposed to happen?

As far as I can understand, "bogus yes" is equivalent to blackholing the
server?  Any other suggestions?

Thanks,
  Nicolai
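A small model of the two checks in the quoted ns_forw.c loop, plus the inbound side of blackhole that the reply describes. This is an added illustration, not BIND code: the ACLs, server names and addresses are constructed sample data, and the bogus check is modelled the way the quoted comment describes it (one bogus address skips the whole server), not the way any particular BIND release implements it.

```python
"""Model of blackhole vs. bogus handling, as described in the thread above.
Added illustration with constructed data; not BIND source."""
import ipaddress

# Constructed ACLs mirroring the named.conf snippets in the question.
BOGUS_ACL = ["10.10.10.10"]                                   # server 10.10.10.10 { bogus yes; };
BLACKHOLE_ACL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # all RFC1918 space

# Constructed server set: name -> its A RRs (RFC 5737 / RFC 1918 addresses).
SAMPLE_SERVERS = {
    "ns1.example": ["10.10.10.10", "198.51.100.1"],   # one bogus address
    "ns2.example": ["198.51.100.2", "192.168.1.1"],   # one blackholed address
    "ns3.example": ["203.0.113.5"],                   # clean
}

def ip_match_address(acl, addr):
    """True when addr lies inside any ACL entry (single address or CIDR prefix)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in acl)

def choose_forward_targets(servers, bogus_acl=BOGUS_ACL, blackhole_acl=BLACKHOLE_ACL):
    """Outbound direction: which addresses named would still send queries to.
    bogus is antialiased (any bogus A RR drops the whole server, like the
    'goto skipserver'); blackhole is per address (like the 'continue')."""
    targets = []
    for _name, addrs in servers.items():
        if any(ip_match_address(bogus_acl, a) for a in addrs):
            continue                      # whole server skipped
        for a in addrs:
            if ip_match_address(blackhole_acl, a):
                continue                  # just this address skipped
            targets.append(a)
    return targets

def accept_incoming_query(src_addr, blackhole_acl=BLACKHOLE_ACL):
    """Inbound direction from the reply: requests *from* blackholed hosts are
    silently ignored. The bogus list does not apply to inbound traffic."""
    return not ip_match_address(blackhole_acl, src_addr)

if __name__ == "__main__":
    print("forward to:", choose_forward_targets(SAMPLE_SERVERS))
    print("accept 10.1.2.3:", accept_incoming_query("10.1.2.3"))
```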