
10.11 Avoiding a Bogus Name Server

In your term as name server administrator, you might find some remote name server that responds with bad information—old, incorrect, badly formatted, or even deliberately deceptive. You can attempt to find an administrator to fix the problem. Or you can save yourself some grief and configure your name server not to ask questions of this server, which is possible with BIND 4.9, BIND 8, and BIND 9.1.0 and later. Here is the configuration file statement:

server 10.0.0.2 {
	bogus yes;
};

Or, on a BIND 4.9 server:

bogusns 10.0.0.2

Of course, you fill in the correct IP address.

If you tell your name server to stop talking to a server that is the only server for a zone, don't expect to be able to look up names in that zone. Hopefully, there are other servers for that zone that can provide good information.

An even more potent way of shutting out a remote name server is to put it on your blackhole list. Your name server won't query name servers on the list, and it won't respond to their queries.[9] blackhole is an options substatement that takes an address match list as an argument:

[9] And we really mean won't respond. Whereas queriers disallowed by an allow-query access control list get a response back indicating that their query was refused, queries on the blackhole list get nothing back. Nada.

options {
	/* Don't waste your time trying to respond to queries from RFC 1918
	   private addresses */
	blackhole {
		10/8;
		172.16/12;
		192.168/16;
	};
};

This will prevent your name server from trying to respond to any queries it might receive from RFC 1918 private addresses. There are no routes on the Internet to these addresses, so trying to reply to them is a waste of CPU cycles and bandwidth.

The blackhole substatement is supported on BIND 8 versions after 8.2 and on BIND 9 after 9.1.0.
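The two mechanisms above differ in direction: a server bogus statement only stops your name server from sending queries to that address, while a blackhole list stops both outbound queries to and inbound answers for anything it matches. The following Python script is an added example (not BIND code, and not from the book) that simulates how a BIND address match list is evaluated: shorthand prefixes such as 10/8 are expanded to full networks, the first matching element decides, and a leading ! negates the element it precedes. The sample lists, the address values, and the function names are constructed for this illustration.

```python
import ipaddress

# Constructed sample: the RFC 1918 blackhole list from the configuration above.
BLACKHOLE_TEXT = "10/8; 172.16/12; 192.168/16;"

# Constructed sample: a single server marked "bogus yes" (placeholder address).
BOGUS_SERVERS = ["10.0.0.2"]


def expand_prefix(entry):
    """Expand BIND's shorthand prefix notation ('10/8', '172.16/12') into
    an ipaddress network object. Plain addresses become /32 or /128."""
    entry = entry.strip()
    if "/" in entry and ":" not in entry:        # IPv4 shorthand only
        addr, length = entry.split("/", 1)
        octets = addr.split(".")
        while len(octets) < 4:                   # pad missing trailing octets
            octets.append("0")
        return ipaddress.ip_network(f"{'.'.join(octets)}/{length}", strict=False)
    return ipaddress.ip_network(entry, strict=False)


def parse_address_match_list(text):
    """Parse the body of an address match list ('elem; elem; ...') into a
    list of (negated, network) tuples, preserving order."""
    elements = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        network = expand_prefix(raw.lstrip("!"))
        elements.append((negated, network))
    return elements


def matches(aml, address):
    """BIND semantics: walk the list in order and let the first element that
    contains the address decide. A negated element that matches means the
    address does NOT match the list; no element matching means no match."""
    ip = ipaddress.ip_address(address)
    for negated, network in aml:
        if ip.version == network.version and ip in network:
            return not negated
    return False


def should_query(server_ip, bogus_servers, blackhole):
    """Outbound direction: skip servers marked bogus and anything blackholed."""
    bogus = {ipaddress.ip_address(b) for b in bogus_servers}
    if ipaddress.ip_address(server_ip) in bogus:
        return False
    return not matches(blackhole, server_ip)


def should_respond(client_ip, blackhole):
    """Inbound direction: blackholed sources get no response at all, unlike
    allow-query, which would send back a REFUSED answer."""
    return not matches(blackhole, client_ip)


if __name__ == "__main__":
    blackhole = parse_address_match_list(BLACKHOLE_TEXT)
    for src in ["10.1.2.3", "172.20.0.9", "172.32.0.1", "192.168.1.1", "198.51.100.7"]:
        verdict = "drop silently" if not should_respond(src, blackhole) else "answer"
        print(f"query from {src:>14}: {verdict}")
    for dst in ["10.0.0.2", "198.51.100.7"]:
        print(f"query to {dst:>14}: {'skip' if not should_query(dst, BOGUS_SERVERS, blackhole) else 'send'}")
```

Note the first-match rule: a list written as "!10.0.0.1; 10/8;" exempts that one host from an otherwise blackholed /8, whereas "10/8; !10.0.0.1;" does not, because the broader element is reached first. Keeping this ordering in mind matters whenever a blackhole or allow-query list mixes negated and positive elements.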
