Blackhole for incoming queries only

Chris Thompson cet1 at hermes.cam.ac.uk
Tue Nov 20 14:57:18 UTC 2007


Over the last couple of years we've been locking down our recursive
nameservers with increasing severity. By now, allow-query and
allow-recursion block everything outside the university networks,
so such hosts always get a REFUSED response. That doesn't stop
there being quite a few of them that go on generating substantial
numbers of requests (shown up by query logging).

I had wondered whether it would make sense to move from refusing
to ignoring, by specifying

  options { ...
    blackhole { ...; !ournets; any; };  // hard to get negated ACLs right!
    ...
    };

But this turns out to be a supremely bad idea, because "blackhole" not 
only stops BIND accepting queries _from_ those addresses - it also stops
it sending queries _to_ them. And of course most nameservers in the
world are not in "ournets" ...

Any ideas on how to achieve the desired effect?

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
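The two points in the post, that negated address lists are easy to get wrong and that `blackhole` matches the addresses BIND sends queries to as well as the ones it receives queries from, can be checked against a small model of how BIND evaluates an address_match_list. This is an added example, not code from the post or from BIND; the `ournets` ranges and the server addresses are constructed from documentation prefixes.

```python
# Added example: a minimal model of BIND's address_match_list evaluation,
# used to show what `blackhole { !ournets; any; }` actually matches.
import ipaddress

# Constructed sample: "ournets" stands in for the university networks.
ACLS = {"ournets": ["192.0.2.0/24", "203.0.113.0/24"]}

def acl_match(addr, elements, acls=ACLS):
    """Return True if addr matches the list, following BIND's rules:
    elements are tested in order and the first one that matches decides;
    a matching negated element (!x) makes the whole list not match.
    A negative match inside a nested ACL counts as no match, as in BIND."""
    ip = ipaddress.ip_address(addr)
    for elem in elements:
        negated = elem.startswith("!")
        name = elem.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = acl_match(addr, acls[name], acls)   # positive matches only
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return False

BLACKHOLE = ["!ournets", "any"]     # the list from the post: everyone outside ournets
WRONG_ORDER = ["any", "!ournets"]   # a common slip: "any" matches first, so ournets too

def disposition(src, blackhole=BLACKHOLE):
    """Incoming query from src: silently dropped if blackholed, otherwise it
    goes on to the allow-query / allow-recursion checks (and may be REFUSED)."""
    return "dropped" if acl_match(src, blackhole) else "processed"

def can_query_server(server, blackhole=BLACKHOLE):
    """Outgoing recursion: the same blackhole list also suppresses queries
    *to* matching addresses, which is the problem the post describes."""
    return not acl_match(server, blackhole)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "incoming:", disposition(ip),
              "| can be queried:", can_query_server(ip))
```

Run against an address inside `ournets` and one outside it, the model shows the post's list doing what was intended for incoming queries while also blocking recursion to every nameserver outside `ournets`, and shows the reversed ordering blackholing everything.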
