(no subject)
waddle1 at us.ibm.com
Thu Aug 24 02:13:51 UTC 2000
AFAIK, the difference is in the direction. A blackhole causes named to
silently ignore requests coming *from* another host. For example, I
blackhole all RFC1918 space to help shunt DoS attacks. A bogus server is
one that named will not send requests to. That way, if there's one server
out elsewhere in the net that is misconfigured / lying, you can isolate
yourself from them.
--D
Duane Waddle
waddle1 at us.ibm.com
"With sufficient thrust, pigs fly just fine..." -- RFC1925
Nicolai Langfeldt <janl at math.uio.no>@usit.uio.no> on 07/23/2000 11:05:53 AM
Sent by: News <news at usit.uio.no>
To: comp-protocols-dns-bind at moderators.isc.org
cc:
Subject: Bogus server vs. blackholing
Hi,
I'm trying to figure out what the difference between blackholing a
server and listing it as bogus is, i.e.,
blackhole {
    10.10.10.10;
};
versus
server 10.10.10.10 {
    bogus yes;
};
Examining the source code (BIND 8.2.2-P5) I find this in
src/bin/named/ns_forw.c, line 648:
#ifdef BOGUSNS
        /*
         * Don't forward queries to bogus servers. Note
         * that this is unlike the previous tests, which
         * are fatal to the query. Here we just skip the
         * server, which is only fatal if it's the last
         * server. Note also that we antialias here -- all
         * A RR's of a server are considered the same server,
         * and if any of them is bogus we skip the whole
         * server. Those of you using multiple A RR's to
         * load-balance your servers will (rightfully) lose
         * here. But (unfortunately) only if they are bogus.
         */
        if (ip_match_address(bogus_nameservers, nsa) > 0)
            goto skipserver;
#endif
        if (server_options->blackhole_acl != NULL &&
            ip_match_address(server_options->blackhole_acl, nsa) == 1)
            continue;
server ... { bogus yes; } statements enter servers in the
bogus_nameservers acl. The skipserver label is right before the
closing brace of the loop so the goto is equivalent to a continue.
But, the comment is the interesting bit. It appears to say that a
bogus listed server will be "antialiased", meaning that all the
server's addresses will be equally bogus. I could understand this if it
were possible to enter bogus servers by name, but you can't, it's a
syntax error. You can only enter them by IP#. And then I can't see
how this anti-aliasing is supposed to happen?
As far as I can understand "bogus yes" is equivalent to blackholing the
server? Any other suggestions?
Thanks,
Nicolai
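Added example, not part of the original post and not BIND's own code: a small Python model of the server-selection test quoted from ns_forw.c above, written to make the "direction" point concrete. The quoted code consults the blackhole ACL when choosing which server to query; the bogus list is consulted only there, while a blackhole ACL is (as the reply describes) also applied to incoming requests. The ACL matcher's return convention (1 positive match, -1 negated match, 0 no match), the ACL contents and the nameserver addresses are all assumptions constructed for the example.

```python
# Added example (not from the original post or from BIND): a Python model of the
# BIND 8 server-selection test quoted above, to show which direction each knob
# covers. The blackhole ACL is consulted both for incoming requests and when
# picking a server to query; the bogus list only when picking a server.
import ipaddress


def ip_match_address(acl, addr):
    """Match addr against an ACL of CIDR entries, a leading '!' meaning negation.

    Returns 1 for a positive match, -1 for a negated match, 0 for no match.
    (Assumed to mirror the return convention of BIND 8's ip_match_address().)
    """
    ip = ipaddress.ip_address(addr)
    for entry in acl:
        negate = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in net:
            return -1 if negate else 1
    return 0


# Constructed sample configuration: blackhole all RFC1918 space, and mark one
# nameserver address (in RFC 5737 TEST-NET-1) as bogus.
BLACKHOLE_ACL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
BOGUS_ACL = ["192.0.2.10"]
# Constructed sample: NS addresses for some zone, in the order the forwarder walks them.
ZONE_NSADDRS = ["192.0.2.10", "10.1.1.1", "198.51.100.5"]


def accept_request(src, blackhole_acl=BLACKHOLE_ACL):
    """Incoming side: a request from a blackholed source is silently dropped."""
    return ip_match_address(blackhole_acl, src) != 1


def usable_servers(nsaddrs, bogus_acl=BOGUS_ACL, blackhole_acl=BLACKHOLE_ACL):
    """Outgoing side: the two tests from the quoted ns_forw.c loop.

    Both tests merely skip the server (goto skipserver / continue), so a skip
    is only fatal to the query when no server at all is left.
    """
    usable = []
    for nsa in nsaddrs:
        if ip_match_address(bogus_acl, nsa) > 0:
            continue  # 'bogus yes' covers this address: skipserver
        if ip_match_address(blackhole_acl, nsa) == 1:
            continue  # address is inside the blackhole ACL
        usable.append(nsa)
    return usable


def pick_server(nsaddrs, bogus_acl=BOGUS_ACL, blackhole_acl=BLACKHOLE_ACL):
    """Return the first usable server, or None when every server was skipped."""
    usable = usable_servers(nsaddrs, bogus_acl, blackhole_acl)
    return usable[0] if usable else None


if __name__ == "__main__":
    print("usable servers:", usable_servers(ZONE_NSADDRS))
    print("request from 10.2.3.4 accepted:", accept_request("10.2.3.4"))
    print("request from 192.0.2.10 accepted:", accept_request("192.0.2.10"))
```

With the constructed data, only 198.51.100.5 survives the outgoing selection: 192.0.2.10 is skipped as bogus and 10.1.1.1 because it falls inside the blackholed RFC1918 space. A request arriving from the bogus server is still answered, while one from 10.2.3.4 is dropped, which is the directional difference the reply describes.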