Questions about "bogon" ACL entries to be added
O'Neil,Kevin
oneil at oclc.org
Mon Jan 7 21:20:03 UTC 2002
I was looking at the excellent document "Secure BIND Template v3.2" written
by Rob Thomas
(http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html). In
particular the "bogon" ACL that defines IP addresses to not respond to, for
security reasons.
I was checking class A addresses against ARIN's whois database
(http://www.arin.net/cgi-bin/whois.pl) and the in-addr.arpa file at
ftp://rs.arin.net/inaddr/inaddr.zone.
My thinking is that if a class A address is not delegated by the root
servers and is not in a large BGP table (say from
http://www.telstra.net/ops/bgp/bgp-active.html) then that address should be
one included in the bogon ACL even though ARIN's database indicates that the
address has been delegated to some entity.
A couple of examples are:
14.0.0.0/8; //NET-PDN; not in in-addr.arpa zone and not in BGP table
48.0.0.0/8; //NET-PRUBACHE; not in in-addr.arpa zone and not in BGP table
Should those (and several others) be added to the "bogon" ACL?
Also there are a couple of class B addresses mentioned in RFC 2544 that seem
to be reserved for test networks:
198.18.0.0/16; //NETBLK-NDTL;
198.19.0.0/16; //NETBLK-NDTL;
Shouldn't those be candidates for "bogon"?
Finally, there are 16 reserved class C addresses in the 192 range
(NET-RESERVED-192*). Those too?
Thanks...
...Kevin O'Neil
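The test the post proposes, "not delegated in in-addr.arpa and not present in a BGP table", as an added example that is not part of the original message or of Rob Thomas's template. The zone snippet and route list are constructed samples standing in for the ARIN in-addr.arpa file and a BGP dump; the RFC 2544 blocks the post also asks about are reserved by document rather than by this heuristic, so they would have to be listed separately. Because both inputs change over time, the result is a snapshot and any ACL built from it needs re-checking.

```python
"""Flag /8s as bogon candidates only when they are absent from BOTH the
in-addr.arpa delegations AND a BGP table snapshot (the post's two tests)."""
import ipaddress

# Constructed in-addr.arpa NS delegations in zone-file style. Octets are
# reversed, so "12.in-addr.arpa." is the delegation for 12.0.0.0/8.
INADDR_ZONE = """
12.in-addr.arpa.   IN NS  ns1.example-rir.net.
15.in-addr.arpa.   IN NS  ns1.example-rir.net.
18.in-addr.arpa.   IN NS  ns2.example-rir.net.
"""

# Constructed list of announced prefixes, one per line, standing in for a
# BGP table dump. 15/8 is announced only as more-specific /16s.
BGP_TABLE = """
12.0.0.0/8
15.1.0.0/16
15.2.0.0/16
18.0.0.0/8
"""


def delegated_slash8s(zone_text):
    """Return the set of first octets that have a /8 in-addr.arpa NS delegation."""
    octets = set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2].upper() == "NS":
            labels = fields[0].rstrip(".").split(".")
            # Exactly one label before "in-addr.arpa" means a /8 delegation
            if len(labels) == 3 and labels[1:] == ["in-addr", "arpa"]:
                octets.add(int(labels[0]))
    return octets


def announced_networks(table_text):
    """Parse the route dump into ip_network objects."""
    return [ipaddress.ip_network(p) for p in table_text.split()]


def classify(candidates, zone_text, table_text):
    """Map each candidate CIDR to 'bogon-candidate' or 'allocated/in-use'.
    Any announced route overlapping the block (even a more-specific) counts as
    in use. This is a point-in-time check: regenerate it as delegations and
    announcements change, or the ACL will silently blackhole live networks."""
    delegated = delegated_slash8s(zone_text)
    announced = announced_networks(table_text)
    verdict = {}
    for cidr in candidates:
        net = ipaddress.ip_network(cidr)
        in_dns = net.network_address.packed[0] in delegated
        in_bgp = any(net.overlaps(route) for route in announced)
        verdict[cidr] = "allocated/in-use" if (in_dns or in_bgp) else "bogon-candidate"
    return verdict
```

Feeding the real ARIN zone and a real table dump into `classify` reproduces the post's check for 14/8 and 48/8 against current data rather than a 2002 snapshot.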