> > The PowerDNS recursor has recently gained support for the "dont-query"
> > setting:
> >
> > The DNS is a public database, but sometimes contains delegations to private
> > IP addresses, like for example 127.0.0.1. This can have odd effects,
> > depending on your network, and may even be a security risk. Therefore, since
> > version 3.1.5, the PowerDNS recursor by default does not query private space
> > IP addresses. This setting can be used to expand or reduce the limitations.
> >
> > It defaults to blocking RFC1918 addresses.
> >
> > arg().set("dont-query", "If set, do not query these netmasks for DNS
> > data")="127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128,
> > fe80::/10";
> >
> > This has solved several odd situations with misconfigured domains listing
> > 10.0.0.1 and 127.0.0.1 as some of their nameservers.
>
> if there was an rfc that talked about this, it would be more widely
> implemented. (i'm not sure bind wouldn't follow powerdns's lead on this
> topic, but i am sure that if there was an rfc, bind would have a similar
> feature.) so the key question is, have we got consensus on the behaviour?
> (compared to consensus, finding someone to write it up is relatively easy.)

Named already has this capability.
You can use the blackhole acl or you can use multiple
server "cidr" { bogus yes; };.

	server 10.0.0.0/8 { bogus yes; };
	server 172.16.0.0/12 { bogus yes; };
	server 192.168.0.0/16 { bogus yes; };

> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
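
Added example (not part of the original messages, and not PowerDNS or BIND code): a Python sketch of the check the "dont-query" setting describes, applied to a constructed list of nameserver addresses, plus a generator for the equivalent named.conf "server ... { bogus yes; };" lines. The function names, the sample addresses and the handling of IPv4-mapped IPv6 addresses are assumptions of this example.

```python
import ipaddress

# Default value taken from the quoted PowerDNS source line in this thread.
DONT_QUERY = ("127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, "
              "::1/128, fe80::/10")


def parse_netmasks(setting):
    """Parse a comma-separated dont-query value into network objects."""
    return [ipaddress.ip_network(p.strip())
            for p in setting.split(",") if p.strip()]


def split_nameservers(addresses, netmasks):
    """Split a delegation's nameserver addresses into (queryable, refused)."""
    queryable, refused = [], []
    for text in addresses:
        addr = ipaddress.ip_address(text)
        # Assumption of this example: treat ::ffff:a.b.c.d as the IPv4
        # address it wraps, so a mapped form cannot bypass the IPv4 netmasks.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        hit = any(addr.version == n.version and addr in n for n in netmasks)
        (refused if hit else queryable).append(text)
    return queryable, refused


def named_server_statements(netmasks):
    """Render IPv4 netmasks in the named.conf form shown in the reply."""
    return ["server %s { bogus yes; };" % n
            for n in netmasks if n.version == 4]


# Constructed sample: addresses a misconfigured domain might list for its
# nameservers (documentation ranges for the public ones).
SAMPLE_NS = ["192.0.2.53", "10.0.0.1", "127.0.0.1", "2001:db8::53",
             "fe80::1", "::ffff:192.168.1.1", "172.32.0.1"]

if __name__ == "__main__":
    ok, blocked = split_nameservers(SAMPLE_NS, parse_netmasks(DONT_QUERY))
    print("would query:", ok)
    print("would skip: ", blocked)
    for line in named_server_statements(parse_netmasks(DONT_QUERY)):
        print(line)
```

Note that 172.32.0.1 stays queryable: 172.16.0.0/12 ends at 172.31.255.255.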