On Fri, Apr 09, 2010 at 11:41:09PM -0400, Alex wrote:
...
> Ah. I was expecting it to be a lot more involved than that, I guess.
...
It is. Do not expect to implement ANYTHING involving a "bogon" list without it requiring CONSTANT MAINTENANCE. The Bogon list as it is today has shrunk greatly from what it started out with. IPv4 addresses are constantly being allocated off, requiring that they be removed from the Bogon list.

Many years ago a network on which I'm still working was allocated a set of IP addresses that was STILL [due to clerical oversight] on the Bogon list. Too many were still blocking it even after it came off that list. To this VERY DAY there are people blocking it who will not update their lists.

I strongly recommend that anyone wanting some degree of security look at the lists of IPv4 networks in RFC 5735/6/7 and the list of IPv6 networks in RFC 5156. Decide which of those networks you want to block or blackhole. For any other networks, you may want to do something that flags you if they appear on either part of a query.

But, for the love of all that may be holy in DNS, do NOT NOT NOT blackhole a network that is in the bogon list just because it is not YET allocated!!!!!

-- 
/*********************************************************************\
**                                                                   **
** Joe Yao                           j...@tux.org - Joseph S. D. Yao **
\*********************************************************************/

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
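The check recommended in the post above, written out as an added example (it is not code from the original message or from BIND): a small auditor that holds the fixed special-use tables from RFC 5735 (IPv4) and a subset of RFC 5156 (IPv6) rather than a shifting bogon list, and reports when such an address appears in either part of a query, the question name of a PTR lookup or the rdata of an A/AAAA answer. Whether a hit is blocked or merely flagged is left to the operator, as the post says; the record tuples, owner names and addresses are constructed for the sample, and the `audit_query`/`classify`/`ptr_name_to_ip` names are this example's own.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# Special-use IPv4 blocks from the summary table in RFC 5735 (section 4).
RFC5735_IPV4 = [
    ("0.0.0.0/8", '"This" network'),
    ("10.0.0.0/8", "Private-use"),
    ("127.0.0.0/8", "Loopback"),
    ("169.254.0.0/16", "Link-local"),
    ("172.16.0.0/12", "Private-use"),
    ("192.0.0.0/24", "IETF protocol assignments"),
    ("192.0.2.0/24", "TEST-NET-1"),
    ("192.88.99.0/24", "6to4 relay anycast"),
    ("192.168.0.0/16", "Private-use"),
    ("198.18.0.0/15", "Benchmark testing"),
    ("198.51.100.0/24", "TEST-NET-2"),
    ("203.0.113.0/24", "TEST-NET-3"),
    ("224.0.0.0/4", "Multicast"),
    ("240.0.0.0/4", "Reserved for future use"),
    ("255.255.255.255/32", "Limited broadcast"),
]

# A subset of the special-use IPv6 blocks described in RFC 5156.
RFC5156_IPV6 = [
    ("::/128", "Unspecified"),
    ("::1/128", "Loopback"),
    ("::ffff:0:0/96", "IPv4-mapped"),
    ("2001:db8::/32", "Documentation"),
    ("fc00::/7", "Unique local"),
    ("fe80::/10", "Link-local"),
    ("fec0::/10", "Site-local (deprecated)"),
    ("ff00::/8", "Multicast"),
]

SPECIAL_USE = [(ipaddress.ip_network(cidr), label)
               for cidr, label in RFC5735_IPV4 + RFC5156_IPV6]

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def classify(ip: Union[str, IPAddr]) -> Optional[str]:
    """Return the special-use label for ip, or None if it is not in any table.

    Longest prefix wins, so 255.255.255.255 reports "Limited broadcast"
    rather than the enclosing 240.0.0.0/4 entry.
    """
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    best = None
    for net, label in SPECIAL_USE:
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, label)
    return best[1] if best else None


def ptr_name_to_ip(qname: str) -> Optional[IPAddr]:
    """Decode a full in-addr.arpa / ip6.arpa name back to an address.

    Partial reverse names (zone cuts) and non-reverse names yield None.
    """
    name = qname.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                return None
            return ipaddress.ip_address(".".join(reversed(octets)))
        if name.endswith(".ip6.arpa"):
            nibbles = name[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
                return None
            hexstr = "".join(reversed(nibbles))
            return ipaddress.ip_address(
                ":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        return None
    return None


Finding = Tuple[str, str, str, str]  # (where, name, address, label)


def audit_query(qname: str, answers: List[Tuple[str, str, str]]) -> List[Finding]:
    """Report special-use addresses in the question (PTR) or the answer (A/AAAA)."""
    findings: List[Finding] = []
    ip = ptr_name_to_ip(qname)
    if ip is not None:
        label = classify(ip)
        if label:
            findings.append(("question", qname, str(ip), label))
    for owner, rtype, rdata in answers:
        if rtype not in ("A", "AAAA"):
            continue  # MX, CNAME, TXT etc. carry no address to check
        try:
            ip = ipaddress.ip_address(rdata)
        except ValueError:
            continue
        label = classify(ip)
        if label:
            findings.append(("answer", owner, rdata, label))
    return findings


# Constructed sample: a PTR question plus the answer section of a made-up
# response, as (owner, type, rdata) tuples.
SAMPLE_QNAME = "5.0.0.10.in-addr.arpa."
SAMPLE_ANSWERS = [
    ("www.example.test.", "A", "11.22.33.44"),             # ordinary public address (constructed)
    ("intranet.example.test.", "A", "10.0.0.5"),           # private-use address in a public answer
    ("ipv6.example.test.", "AAAA", "2001:db8::1"),         # documentation prefix
    ("mail.example.test.", "MX", "10 mx.example.test."),   # not an address record
]

if __name__ == "__main__":
    for finding in audit_query(SAMPLE_QNAME, SAMPLE_ANSWERS):
        print(finding)
```

The tables above only change when an RFC revises them, which is the practical difference from a bogon feed; a sample run over the constructed data reports the PTR question and the two address answers, and leaves the public address and the MX record alone.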