Implementing the bogon list

Joseph S D Yao jsdy at tux.org
Sat Apr 10 05:08:16 UTC 2010


On Fri, Apr 09, 2010 at 11:41:09PM -0400, Alex wrote:
...
> Ah, I was expecting it to be a lot more involved than that, I guess.
...


It is.  Do not expect to implement ANYTHING involving a "bogon" list
without it requiring CONSTANT MAINTENANCE.

The Bogon list as it is today has shrunk greatly from what it started
out with.  IPv4 addresses are constantly being allocated off, requiring
that they be removed from the Bogon list.

Many years ago a network on which I'm still working was allocated a set
of IP addresses that was STILL [due to clerical oversight] on the Bogon
list.  Too many were still blocking it even after it came off that list.
To this VERY DAY there are people blocking it who will not update their
lists.

I strongly recommend that anyone wanting some degree of security
look at the lists of IPv4 networks in RFC 5735/6/7 and the list of IPv6
networks in RFC 5156.  Decide which of those networks you want to block
or blackhole.

For any other networks, you may want to do something that flags you if
they appear on either part of a query.  But, for the love of all that
may be holy in DNS, do NOT NOT NOT blackhole a network that is in the
bogon list just because it is not YET allocated!!!!!


--
/*********************************************************************\
**
** Joe Yao				jsdy at tux.org - Joseph S. D. Yao
**
\*********************************************************************/
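The two-tier policy the post recommends (block the RFC 5735/5156 special-use networks, only flag addresses that appear on an unallocated-space list, checked on either part of a query), as an added example that is not part of the original post. The IPv6 subset blocked here and the sample unallocated prefix are assumptions made for the example.

```python
"""Address policy from the post: block special-use space, only flag unallocated space.
Added example, not code from the original post. The special-use prefixes are the
RFC 5735 (IPv4) table and a chosen subset of RFC 5156 (IPv6); the unallocated
sample is constructed for this example and would need constant refreshing."""
import ipaddress

# RFC 5735 section 4 summary table: never legitimately seen on the public Internet.
RFC5735_SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32")]

# Subset of RFC 5156 chosen here to block (a policy decision, as the post says).
RFC5156_SPECIAL_USE = [ipaddress.ip_network(p) for p in (
    "::/128", "::1/128", "2001:db8::/32", "fe80::/10", "fec0::/10", "ff00::/8")]

# Constructed sample of "not yet allocated" space. 100.64.0.0/10 was unallocated
# in 2010 and assigned by RFC 6598 in 2012: exactly the staleness the post warns about.
SAMPLE_UNALLOCATED = ("100.64.0.0/10",)


def classify(address, unallocated=SAMPLE_UNALLOCATED):
    """Return 'block' for special-use space, 'flag' for listed unallocated space,
    else 'allow'. Unallocated entries are strings so the list can be swapped out."""
    ip = ipaddress.ip_address(address)
    special = RFC5735_SPECIAL_USE if ip.version == 4 else RFC5156_SPECIAL_USE
    if any(ip in net for net in special):
        return "block"
    if any(ip in ipaddress.ip_network(p) for p in unallocated):
        return "flag"
    return "allow"


def check_query(client, answers, unallocated=SAMPLE_UNALLOCATED):
    """Apply the policy to both parts of a query: the client address and every
    address in the answer. Returns (verdict, offending addresses); block wins."""
    verdicts = {a: classify(a, unallocated) for a in (client, *answers)}
    for level in ("block", "flag"):
        hits = sorted(a for a, v in verdicts.items() if v == level)
        if hits:
            return level, hits
    return "allow", []


if __name__ == "__main__":
    print(check_query("198.51.100.7", ["1.1.1.1"]))           # block: TEST-NET-2 client
    print(check_query("1.1.1.1", ["100.64.3.4", "1.0.0.1"]))  # flag only: sample bogon
    print(check_query("1.1.1.1", ["2001:db8::1"]))            # block: documentation v6
```

Refreshing `SAMPLE_UNALLOCATED` from a maintained source is the constant maintenance the post describes; the flag-only tier keeps a stale entry from turning into a blackhole.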
