Blacklisting private address range
John Wobus
jw354 at cornell.edu
Fri Feb 26 17:50:44 UTC 2010
On Feb 26, 2010, at 9:54 AM, Diosney Sarmiento Herrera wrote:
> Hi!
>
> Sorry for the delay.
>
> It was very useful for me. Thanks!
>
> In our nameserver we do not apply the bogon filter to the bogus
> addresses because it will change with time and we do not know how to
> update them automatically.
>
> My question is whether it is useful to blacklist the private address
> range (these addresses never change with time ;) ) so our nameserver
> will never respond to queries from these addresses.
>
> I ask if this is useful because the private address range doesn't have
> meaning or sense on the Internet.
>
> Thanks!
>
> --
> Diosney

Re discarding queries from private space that came from the Internet:

Many sites would handle this at the routing level so as to protect
more than just bind, and to allow you to make use of private space
within your own network.

An access list on a router interface would assure none of your own
network receives packets from private space that actually originated
outside your network.

An app like bind can't sort out whether the packet with a source
address in private space came from your own network or came from the
Internet at large.

But if you've arranged things so this bind instance never receives
traffic from your own private space (e.g. if you aren't even using
private space), then you could certainly add such filtering to bind's
normal access list.

John
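
The distinction drawn in the reply above, as an added example that is not part of the original thread: a small model comparing a router ACL, which knows the ingress interface, with an application-level check, which sees only the source address. The `Packet` type, the interface names and the sample traffic are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# RFC 1918 private ranges (the "private address range" asked about in the thread).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed model of a packet as a border router sees it.
Packet = namedtuple("Packet", "ingress src")


def is_private(src):
    """True if src falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PRIVATE_NETS)


def router_permits(pkt):
    """Router ACL on the external interface: drop private sources
    only when they arrive from outside the network."""
    return not (pkt.ingress == "external" and is_private(pkt.src))


def app_permits(src, blackhole_private):
    """Application-level check: the name server is handed the source
    address only, so the ingress interface cannot be part of the rule."""
    return not (blackhole_private and is_private(src))


# Constructed sample traffic.
SAMPLE = [
    Packet("internal", "10.1.2.3"),      # internal client using private space
    Packet("external", "10.1.2.3"),      # same source, arriving from the Internet
    Packet("external", "198.51.100.7"),  # ordinary outside client (TEST-NET-2)
]


def compare(packets, blackhole_private):
    """Return (packet, router decision, application decision) per packet."""
    return [(p, router_permits(p), app_permits(p.src, blackhole_private))
            for p in packets]


if __name__ == "__main__":
    for flag in (False, True):
        print("application blackholes private space:", flag)
        for pkt, router_ok, app_ok in compare(SAMPLE, flag):
            print(f"  {pkt.ingress:8} {pkt.src:14} router={router_ok} app={app_ok}")
```

With the application filter on, the first two packets get the same answer even though only the second is unwanted; the filter is only safe when the first kind of traffic never reaches this server.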