On Wed, 24 Feb 2010, Stephane Bortzmeyer wrote:
> On Tue, Feb 23, 2010 at 09:56:55PM -0500,
>  Diosney Sarmiento Herrera <diosne...@gmail.com> wrote:
>
> > Have any sense to blacklist the private address ranges on a server
> > that is facing Internet?
>
> I am not sure I parse your sentence correctly but may be you refer to
> the "Rebinding prevention feature" which appeared in 9.7.0?
>
> deny-answer-addresses { 10.0.0.0/8; }
> deny-answer-addresses { 172.16.0.0/12; }
> deny-answer-addresses { 192.168.0.0/16; }

We also do the following to stop BIND from trying to talk to name servers
in bogon address space:

server 0.0.0.0/8 { bogus yes; };
server 10.0.0.0/8 { bogus yes; };
server 127.0.0.0/8 { bogus yes; };
server 169.254.0.0/16 { bogus yes; };
server 172.16.0.0/12 { bogus yes; };
server 192.0.0.0/24 { bogus yes; };
server 192.0.2.0/24 { bogus yes; };
server 192.168.0.0/16 { bogus yes; };
server 198.18.0.0/15 { bogus yes; };
server 198.51.100.0/24 { bogus yes; };
server 203.0.113.0/24 { bogus yes; };
server 224.0.0.0/3 { bogus yes; };

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
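
Added example, not part of the original message or of BIND: a Python audit of the `server ... { bogus yes; };` list above. It reports which name-server addresses the list tells BIND not to query and which non-global addresses the list leaves uncovered. The function names, the sample addresses and the use of Python's `ipaddress.is_global` as the reference are assumptions of this example.

```python
import ipaddress
import re

# Constructed named.conf fragment using the prefixes from the message above.
NAMED_CONF = """
server 0.0.0.0/8 { bogus yes; };
server 10.0.0.0/8 { bogus yes; };
server 127.0.0.0/8 { bogus yes; };
server 169.254.0.0/16 { bogus yes; };
server 172.16.0.0/12 { bogus yes; };
server 192.0.0.0/24 { bogus yes; };
server 192.0.2.0/24 { bogus yes; };
server 192.168.0.0/16 { bogus yes; };
server 198.18.0.0/15 { bogus yes; };
server 198.51.100.0/24 { bogus yes; };
server 203.0.113.0/24 { bogus yes; };
server 224.0.0.0/3 { bogus yes; };
"""

SERVER_RE = re.compile(r"\bserver\s+([0-9a-fA-F.:]+(?:/\d+)?)\s*\{([^}]*)\}\s*;")

def bogus_prefixes(conf_text):
    """Return the networks of all `server <prefix> { ... bogus yes; ... };` statements."""
    nets = []
    for prefix, body in SERVER_RE.findall(conf_text):
        if re.search(r"\bbogus\s+yes\s*;", body):
            # strict=True rejects prefixes with host bits set (a likely typo)
            nets.append(ipaddress.ip_network(prefix, strict=True))
    return nets

def classify(addresses, nets):
    """Map each name-server address to the bogus prefix covering it, or None."""
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        hits = [n for n in nets if n.version == ip.version and ip in n]
        # Report the longest (most specific) matching prefix
        result[addr] = str(max(hits, key=lambda n: n.prefixlen)) if hits else None
    return result

def uncovered_non_global(addresses, nets):
    """Addresses Python treats as non-global that no bogus prefix covers."""
    return [a for a, net in classify(addresses, nets).items()
            if net is None and not ipaddress.ip_address(a).is_global]

if __name__ == "__main__":
    nets = bogus_prefixes(NAMED_CONF)
    print(classify(["192.168.1.53", "8.8.8.8", "240.0.0.1"], nets))  # constructed samples
    print(uncovered_non_global(["100.64.0.1", "8.8.8.8", "10.1.1.1"], nets))
```

Feed it the addresses from glue or NS records seen in resolver logs to check a bogon list that has not been revisited in a while.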