Prev-20 Home Next-20 8 msg Forwarding environment questions 1 msg BIND 9.5 libxml dependecy 1 msg how to check if bind is compliled with the dlz ... 4 msg bind crash with max-cache-size 1 msg BIND 9.5 stats 4 msg dnssec-keygen + Bind 9.4.2 RC2 Blackhole for incoming queries only \ Chris Thompson (20 Nov 2007) . \ Erik Freitag (21 Nov 2007) 2 msg Change nameserver's ips 2 msg Need info about dns client 2 msg High processor windows 2003 64 bit 2 msg turn off notifies for internal view? 10 msg unable to get a nslookup on windows client 2 msg why can't resolved 3 msg Can't resolve some domians 4 msg fresh installation is hosed... 3 msg Enable logging for a single zone in BIND 8.2.3? 5 msg after delegation 1 msg dns_rdata_fromtext: buffer-0xb7f1ab44:1: near e... 6 msg Bind 8.4.7-P1 on Solaris 8 2 msg Re: Resend: BIND 9.4.2 Release Candidate 2 is n... Prev-20 Home Next-20

Prev-Msg Prev-Thread Bind-users Nov-2007 Next-Thread Next-Msg Subject: Blackhole for incoming queries only Group: Bind-users From: Chris Thompson Date: 20 Nov 2007 Over the last couple of years we've been locking down our recursive nameservers with increasing severity. By now, allow-query and allow-recursion block everything outside the university networks, so such host always get a REFUSED response. That doesn't stop there being quite a few of them that go on generating substantial numbers of requests (shown up by query logging). I had wondered whether it would make sense to move from refusing to ignoring, by specifying options { ... blackhole { ...; !ournets; any; }; // hard to get negated ACLs right! ... }; But this turns out to be a supremely bad idea, because "blackhole" not only stops BIND accepting queries _from_ those addresses - it also stops it sending queries _to_ them. And of course most nameservers in the world are not in "ournets" ... Any ideas on how to achieve the desired effect? -- Chris Thompson Email: cet1 Prev-Msg Prev-Thread Bind-users Nov-2007 Next-Thread Next-Msg

© 2004-2008 readlist.com