Disable Refused answer
Barry Margolin
barmar at alum.mit.edu
Sat Dec 5 10:40:46 UTC 2009
In article <mailman.1194.1259925918.14796.bind-users at lists.isc.org>,
Chris Thompson <cet1 at cam.ac.uk> wrote:
> On Dec 3 2009, Bill Larson wrote:
>
> [...]
> >Then again, I've never been sure what the original requester was asking
> >for. If he didn't want to give an answer out to someone on a particular
> >network, then the "blackhole" option would seem to be a perfect solution in
> >the first place.
>
> | blackhole
> |
> | Specifies a list of addresses that the server will not accept
> | queries from or use to resolve a query. [...]
> ^^^^^^^^^^^^^^^^^^^^^^^^^
>
> So it's not suitable for blocking out large chunks of the external world
> which may contain nameservers you need to do recursive lookups.
>
> [It's never been entirely clear to me why these functions have to be
> combined, especially given that "server [ipaddr/len] {bogus yes;};"
> can be used to block outgoing queries.]

I think it's for backwards compatibility with the old BIND 4.x blackhole
option. I don't think 4.x had anything analogous to the bogus server
option; all you could do was blackhole individual IPs in both directions.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
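
The distinction discussed in this thread, as a named.conf fragment added here for illustration (not written by any of the posters). The ACL name `unwanted` and the two documentation prefixes are assumptions chosen for the example.

```conf
// Constructed example: 192.0.2.0/24 and 198.51.100.0/24 are documentation
// prefixes, and the ACL name "unwanted" is hypothetical.

acl unwanted { 192.0.2.0/24; };

options {
    // Option A: blackhole works in both directions. Queries from these
    // addresses are dropped without any response, but the server also
    // refuses to send queries to nameservers inside the range, so
    // recursive lookups that depend on them fail.
    // blackhole { unwanted; };

    // Option B: inbound only. Clients in the ACL are answered with
    // REFUSED, while outbound recursive queries to nameservers in the
    // same range keep working.
    allow-query { !unwanted; any; };
};

// Outbound only: never send queries to nameservers in this prefix.
// Queries arriving from the prefix are not affected by this statement.
server 198.51.100.0/24 { bogus yes; };
```

Running `named-checkconf` on the file confirms the syntax before reloading the server.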