Re: Blackhole for incoming queries only

8 msg	Forwarding environment questions
1 msg	BIND 9.5 libxml dependecy
1 msg	how to check if bind is compliled with the dlz ...
4 msg	bind crash with max-cache-size
1 msg	BIND 9.5 stats
4 msg	dnssec-keygen + Bind 9.4.2 RC2

Blackhole for incoming queries only
\ Chris Thompson (20 Nov 2007)
. \ Erik Freitag (21 Nov 2007)

2 msg	Change nameserver's ips
2 msg	Need info about dns client
2 msg	High processor windows 2003 64 bit
2 msg	turn off notifies for internal view?
10 msg	unable to get a nslookup on windows client
2 msg	why can't resolved
3 msg	Can't resolve some domians
4 msg	fresh installation is hosed...
3 msg	Enable logging for a single zone in BIND 8.2.3?
5 msg	after delegation
1 msg	dns_rdata_fromtext: buffer-0xb7f1ab44:1: near e...
6 msg	Bind 8.4.7-P1 on Solaris 8
2 msg	Re: Resend: BIND 9.4.2 Release Candidate 2 is n...

Subject:	Re: Blackhole for incoming queries only
Group:	Bind-users
From:	Erik Freitag
Date:	21 Nov 2007

Blackhole at the router/firewall?

On Nov 20, 2007, at 6:57 AM, Chris Thompson wrote:

> Over the last couple of years we've been locking down our recursive
> nameservers with increasing severity. By now, allow-query and
> allow-recursion block everything outside the university networks,
> so such host always get a REFUSED response. That doesn't stop
> there being quite a few of them that go on generating substantial
> numbers of requests (shown up by query logging).
>
> I had wondered whether it would make sense to move from refusing
> to ignoring, by specifying
>
> options { ...
> blackhole { ...; !ournets; any; }; // hard to get negated ACLs
> right!
> ...
> };
>
> But this turns out to be a supremely bad idea, because "blackhole" not
> only stops BIND accepting queries _from_ those addresses - it also
> stops
> it sending queries _to_ them. And of course most nameservers in the
> world are not in "ournets" ...
>
> Any ideas on how to achieve the desired effect?
>
> --
> Chris Thompson
> Email: cet1
>