Diosney Sarmiento Herrera <diosne...@gmail.com> said:
> In our nameserver we do not apply the bogon filter to the bogus
> addresses because it will change with time and we do not know how to update
> them automatically.
>
> My question is whether it is useful to blacklist the private address
> range (these addresses never change with time ;) ) so our nameserver will
> never respond to queries from these addresses.
>
> I ask if this is useful because the private address range has no
> meaning or sense on the Internet.
Your definition of what the Internet "is" and mine differs. My network uses addresses in the private IP space and is connected to the Internet using NAT. So, to me, the private address range DOES have a meaning in terms of the Internet.

That being said, if you have no reason to accept DNS queries from sources with IP addresses in the private address space, then sure, put them in the "blackhole" option statement and your server will never respond to them.

One problem with having a large number of "allowed" and/or "disallowed" ACLs in your "named.conf" file is that comparing source addresses against these ACLs does take away resources from your server. Implementing everything in the "Secure BIND Template" (back when they included the "bogon" ACLs - sorry I haven't reviewed this for a while) took its toll on the server that I was testing with. This WAS a fair while back and the server wasn't that powerful, but... For me, at the time, the decrease in performance due to a large list of "bogon" addresses was deemed acceptable.

Now, I think that the commonly accepted "Best Current Practice" is to block Internet traffic based upon the source IP address at your router rather than trying to control this at the application level. But, if you don't have the ability to do this at the router, then as a simple option it can be done at the application level.

Bill Larson

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
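As an added illustration of the "blackhole" approach discussed in this thread (example config, not posted by either participant): a named.conf fragment that drops RFC 1918 sources. The trusted LAN prefix 192.168.1.0/24 is an assumed placeholder, and the negated entry shows how to keep serving NAT'd internal clients, since BIND address match lists are evaluated first-match.

```conf
// Added example, not from the thread. Assumes the only private-space
// clients you serve live in 192.168.1.0/24 (placeholder prefix).
acl "rfc1918" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

// Same ranges, but exempt the internal LAN. The "!" entry must come
// first: match lists stop at the first matching element.
acl "rfc1918-not-lan" {
    !192.168.1.0/24;
    rfc1918;
};

options {
    // blackhole applies in both directions: BIND will neither answer
    // queries from these sources nor send queries to them, so never
    // list an address your resolver needs to reach (e.g. an internal
    // forwarder or 127.0.0.1).
    blackhole { rfc1918-not-lan; };
};
```

Run "named-checkconf" after editing, and remember the thread's caveat: every extra ACL entry is compared against each incoming packet, so keep the list short or do the filtering at the router.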