
Ignore Erroneous or Unwanted Queries – RFC 1918 10/8; addresses

Details

BIND can be configured to ignore requests originating from specified network segments. This is done with the blackhole option inside the options statement of named.conf. Addresses in the blackhole list are not only refused as query sources; the server also never uses them to resolve a query, so the list must not include any forwarder or upstream server the caching server depends on. It is recommended that this feature be implemented to ignore requests that originate outside of the expected network segments.

Rationale:

By ignoring traffic that originates from unexpected networks, the server’s exposure to malicious entities is reduced.

Solution

Add a blackhole option, inside the options statement, for multicast and link-local addresses and for all private RFC 1918 ranges that are not in use by the server, its clients or its forwarders. A caching-only server that itself sits on 10/8 must not blackhole the whole 10/8 block, or its own clients will be ignored; either omit that range or carve out the networks in use (BIND address match lists are evaluated first-match, and an entry prefixed with ! negates). Run named-checkconf after editing to verify the syntax before reloading.

blackhole {
// Private RFC 1918 addresses
10/8; 192.168/16; 172.16/12;
// Multicast
224/8;
// Link Local
169.254/16;
};
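The fragment above is the benchmark's own configuration. The following script is an added example, not from the CIS benchmark or from BIND, that builds the same blackhole statement while carving out the RFC 1918 networks a resolver actually serves or forwards to, and then simulates BIND's first-match evaluation for individual source addresses so the result can be checked before it is loaded. The served networks and probe addresses at the bottom are constructed for illustration.

```python
"""Added example: build a BIND blackhole address-match list from the ranges
this benchmark item names, carving out the RFC 1918 networks a caching
resolver actually serves or forwards to. Not from the CIS benchmark itself."""
import ipaddress

# Ranges named by the recommendation. BIND accepts the short "10/8" form;
# ipaddress needs the full prefix, which BIND also accepts.
CANDIDATES = [
    ("Private RFC 1918 addresses", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("Multicast", ["224.0.0.0/8"]),
    ("Link Local", ["169.254.0.0/16"]),
]


def plan_blackhole(in_use):
    """Return (exceptions, blocked).

    exceptions: in-use networks that sit inside a candidate range; emitted
    first with a leading '!' because BIND address match lists are first-match.
    blocked: (comment, [networks]) groups that remain blackholed. A candidate
    that is itself in use (or lies inside an in-use network) is dropped.
    """
    used = [ipaddress.ip_network(n, strict=False) for n in in_use]
    used = [u for u in used if u.version == 4]      # IPv4-only ranges here
    exceptions = []
    blocked = []
    for comment, prefixes in CANDIDATES:
        kept = []
        for p in prefixes:
            cand = ipaddress.ip_network(p)
            if any(cand.subnet_of(u) for u in used):
                continue  # whole range is in use: blackholing it would cut off clients
            for u in used:
                if u.subnet_of(cand) and u not in exceptions:
                    exceptions.append(u)
            kept.append(cand)
        if kept:
            blocked.append((comment, kept))
    return exceptions, blocked


def render_blackhole(exceptions, blocked):
    """Render the named.conf 'blackhole' statement (it goes inside options {})."""
    lines = ["blackhole {"]
    if exceptions:
        lines.append("    // Networks this resolver serves or forwards to (must come first)")
        lines.extend(f"    !{u};" for u in exceptions)
    for comment, nets in blocked:
        lines.append(f"    // {comment}")
        lines.append("    " + " ".join(f"{n};" for n in nets))
    lines.append("};")
    return "\n".join(lines)


def is_blackholed(addr, exceptions, blocked):
    """Simulate BIND's first-match evaluation for a single source address."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return False
    for u in exceptions:
        if ip in u:
            return False       # negated entry matched first: address is allowed
    for _, nets in blocked:
        if any(ip in n for n in nets):
            return True
    return False


if __name__ == "__main__":
    # Constructed example: resolver and its clients live in 10.20.0.0/16 and
    # the corporate forwarder it queries sits in 192.168.100.0/24.
    served = ["10.20.0.0/16", "192.168.100.0/24"]
    exc, blk = plan_blackhole(served)
    print(render_blackhole(exc, blk))
    for probe in ("10.20.5.7", "10.99.1.1", "192.168.100.53", "169.254.1.1", "8.8.8.8"):
        print(probe, "ignored" if is_blackholed(probe, exc, blk) else "answered")
```

The generated statement keeps the benchmark's ranges but lists the in-use networks first with a leading !, which is what makes a server on 10/8 still answer its own clients while the rest of 10/8 is ignored. Because the blackhole list also governs which addresses the server will send queries to, the forwarder's network has to be among the exceptions as well.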

Default Value:

No networks are blackholed by default; the blackhole option defaults to none.

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.


Updated on July 16, 2022