
7.14 Preventing a Name Server from Responding to DNS Traffic from Certain Networks

7.14.1 Problem

You want to prevent a name server from responding to any DNS traffic -- queries, NOTIFY messages, dynamic updates -- from certain networks.

7.14.2 Solution

List the networks in the blackhole options substatement. Any traffic the name server receives from addresses on these networks will be ignored. For example, this blackhole substatement tells the name server not to respond to queries from RFC 1918 address space:

options {
    directory "/var/named";
    // Drop, without any reply, all DNS traffic from these networks
    // (RFC 1918 private address space)
    blackhole {
        10/8; 172.16/12; 192.168/16;
    };
};

You might want to configure an external name server like this, to prevent it from wasting time replying to queries from private address space. Of course, this solution assumes that you don't use these networks internally.
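Because a blackholed prefix silently drops every query, a practitioner generating such a list wants a check that it does not swallow address space still in use internally. The following added example (not from the book) builds the blackhole address-match list with Python's standard `ipaddress` module; it goes a step beyond the recipe by using BIND's first-match evaluation and "!" negation to exempt an internal subnet that sits inside a blackholed prefix, and by dropping any candidate prefix that is entirely in internal use. The prefix lists and the hypothetical internal network 10.1.0.0/16 are constructed sample input.

```python
import ipaddress

# RFC 1918 private address space, the networks the recipe blackholes.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def blackhole_entries(candidates, internal):
    """Build an ordered BIND address-match list for a blackhole substatement.

    BIND evaluates an address match list top to bottom and stops at the first
    matching element, so a negated ("!") internal prefix placed before the
    covering blackholed prefix exempts it from the blackhole.

    Returns (entries, dropped): entries are the list elements in order;
    dropped are candidate prefixes that lie entirely inside an internal
    prefix and therefore must not be blackholed at all.
    """
    internal_nets = [ipaddress.ip_network(i) for i in internal]
    entries, dropped = [], []
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        exempt, in_use = [], False
        for inet in internal_nets:
            if net.subnet_of(inet):
                in_use = True          # whole candidate is used internally
                break
            if inet.subnet_of(net):
                exempt.append(f"!{inet};")   # carve the internal subnet out
        if in_use:
            dropped.append(cand)
            continue
        entries.extend(exempt)         # negations must precede the prefix
        entries.append(f"{net};")
    return entries, dropped


def blackhole_statement(candidates, internal):
    """Render the entries as a named.conf blackhole substatement."""
    entries, _ = blackhole_entries(candidates, internal)
    return "blackhole {\n    " + " ".join(entries) + "\n};"


if __name__ == "__main__":
    # Constructed example: 10.1.0.0/16 is used on the internal network.
    print(blackhole_statement(RFC1918, ["10.1.0.0/16"]))
```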

7.14.3 Discussion

The difference between blackhole and allow-query is that a name server replies to a querier blocked by allow-query with a message indicating that its query was refused, while a name server doesn't respond at all to a querier in a list of blackholed networks.

There's a surprisingly long list of networks that name servers shouldn't respond to traffic from, because they correspond to experimental, multicast, or private address space. The excellent "Secure BIND Template," maintained by Rob Thomas, contains a blackhole substatement that includes a list of these networks.

If you go to the trouble of setting up such a complete blackhole substatement for your name servers, though, you may also want to consider configuring your border router to drop all traffic from those networks. This will protect all of your network services, not just DNS.

7.14.4 See Also

"Avoiding a Bogus Name Server" in Chapter 10 of DNS and BIND; and "The Secure BIND Template," which you can find at http://www.cymru.com/~robt/Docs/Articles/secure-bind-template.html.
