Blackholing / Load help
Dan Foster
usenet at evilphb.org
Wed Nov 30 00:31:33 UTC 2005
In article <dmirft$1c7b$1 at sf1.isc.org>, Mark Andrews <Mark_Andrews at isc.org> wrote:
>
>> Also separately did anyone know that you can not put a CIDR less than /9 in
>> the blackhole list? If you do bind immediately throws SERVFAIL on any query
>> you try to make from any IP.
>
> I can't parse the above. An example would help.

I think he's saying that if you specify, e.g.:

    acl abusers {
        6/8;
    };

    options {
        blackhole { abusers; };
    };

(Where you want to block any queries from IPv4 netblock 6.0.0.0/8)

...is resulting in such a behavior where *any* host querying the
nameserver, from *any* IP, is getting stopped by a SERVFAIL response.

But only if the ACL is for /8, /7, /6, ... /1.

That'd be an interesting issue if it holds true. I haven't personally
seen this one, but then again, I don't believe I currently blackhole on
anything larger than a /24 or so.

Mr. McLaughlin (the original poster), is this an accurate summary?

Also, Mr. McLaughlin, with what BIND version do you see this behavior, please?

-Dan
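
An added example, not part of the original post: a small Python check of which client addresses an ACL entry in named.conf's short prefix form (such as 6/8) should match, so that what the server actually does can be compared against the expected result. The function names and the sample client addresses are constructed for illustration.

```python
import ipaddress


def parse_bind_prefix(entry):
    """Expand a named.conf IPv4 prefix such as '6/8' into an IPv4Network.

    named.conf lets trailing zero octets be omitted, so '6/8' means 6.0.0.0/8.
    """
    addr, slash, bits = entry.strip().rstrip(";").partition("/")
    if not slash:
        # No prefix length given: treat it as one host (full dotted quad).
        return ipaddress.ip_network(addr)
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address part in {entry!r}")
    octets += ["0"] * (4 - len(octets))
    # strict=True is this script's choice: an entry whose address has bits
    # set beyond the prefix length (e.g. '6/6') is rejected, not normalised.
    return ipaddress.ip_network(".".join(octets) + "/" + bits, strict=True)


def expected_blackholed(acl_entries, clients):
    """Map each client address to True if some ACL entry should match it."""
    nets = [parse_bind_prefix(e) for e in acl_entries]
    return {c: any(ipaddress.ip_address(c) in n for n in nets) for c in clients}


if __name__ == "__main__":
    # Constructed sample data: the ACL from the post plus a few test clients.
    acl = ["6/8"]
    clients = ["6.1.2.3", "6.255.255.254", "7.0.0.1", "192.0.2.53", "127.0.0.1"]
    for client, hit in expected_blackholed(acl, clients).items():
        print(f"{client:<16} {'blackholed' if hit else 'should be answered'}")
```

Only the two 6.x.x.x clients should be dropped; any other client failing with SERVFAIL would match the behaviour reported in this thread.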