Information

BIND can be configured to ignore requests originating from specified network segments. This is accomplished with the blackhole option in named.conf. It is recommended that this feature be used to ignore requests that originate outside of the expected network segments.

By ignoring traffic that originates from unexpected networks, the server's exposure to malicious entities is reduced.
Solution

Add a blackhole option covering multicast and link-local addresses, and all private RFC 1918 ranges that are not in use locally, to the options block of named.conf:
    blackhole {
        // Private RFC 1918 addresses not in use locally
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
        // Link local and multicast
        169.254.0.0/16; 224.0.0.0/4;
    };
No networks are blackholed by default.
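As an added example (not part of the original benchmark text), the following Python script audits a named.conf for the blackhole setting described above: it extracts the blackhole block, normalizes both full (10.0.0.0/8) and abbreviated (10/8) prefix notation, and reports which of the expected ranges are still unprotected, exempting any range the operator declares as in use (since a range that is in use must not be blackholed). The sample configuration is constructed for the demonstration and is not taken from any real deployment; the function and constant names are the example's own.

```python
import ipaddress
import re

# Constructed sample named.conf fragment for the demonstration (not a real deployment).
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    recursion no;
    blackhole {
        // Private RFC 1918 addresses not in use locally
        10/8; 172.16.0.0/12;
        # Link local
        169.254.0.0/16;
    };
};
"""

# Ranges the hardening guidance expects to be blackholed unless they are in use.
EXPECTED_BLACKHOLED = {
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # private RFC 1918
    "169.254.0.0/16",                                 # link local
    "224.0.0.0/4",                                    # multicast
}

# named.conf allows //, # and /* */ comments; strip them before parsing.
_BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_LINE_COMMENT_RE = re.compile(r"(//|#).*")
_BLACKHOLE_RE = re.compile(r"\bblackhole\s*\{(.*?)\}\s*;", re.S)
_KEYWORDS = {"any", "none", "localhost", "localnets"}


def strip_comments(conf):
    """Remove all three comment styles accepted by named.conf."""
    return _LINE_COMMENT_RE.sub("", _BLOCK_COMMENT_RE.sub("", conf))


def normalize_prefix(item):
    """Expand abbreviated IPv4 prefixes such as '10/8' to '10.0.0.0/8'."""
    if ":" in item or "/" not in item:
        return item
    addr, plen = item.split("/", 1)
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + plen


def parse_blackhole(conf):
    """Return the networks listed in the blackhole block (empty if absent).

    Negated entries (!addr) and ACL keywords are skipped: they never add coverage.
    """
    match = _BLACKHOLE_RE.search(strip_comments(conf))
    if not match:
        return []
    nets = []
    for item in match.group(1).split(";"):
        item = item.strip()
        if not item or item.startswith("!") or item in _KEYWORDS:
            continue
        nets.append(ipaddress.ip_network(normalize_prefix(item), strict=False))
    return nets


def missing_blackholes(conf, expected=EXPECTED_BLACKHOLED, in_use=()):
    """List expected ranges that the blackhole block does not fully cover.

    Ranges overlapping a network the site declares in use are exempt, because
    blackholing them would break legitimate clients.
    """
    listed = parse_blackhole(conf)
    used = [ipaddress.ip_network(u, strict=False) for u in in_use]
    missing = []
    for cidr in sorted(expected):
        net = ipaddress.ip_network(cidr)
        if any(net.version == u.version and net.overlaps(u) for u in used):
            continue  # in use locally, must stay reachable
        if any(net.version == l.version and net.subnet_of(l) for l in listed):
            continue  # already covered by a listed prefix
        missing.append(cidr)
    return missing


if __name__ == "__main__":
    for cidr in missing_blackholes(SAMPLE_NAMED_CONF, in_use=("192.168.1.0/24",)):
        print("not blackholed:", cidr)
```

Run it against a copy of the real named.conf by replacing SAMPLE_NAMED_CONF with the file contents; pass the site's own address ranges via in_use so the report only flags ranges that are both unused and unprotected. The check is a static review of the configuration, so it complements rather than replaces `named-checkconf`, which validates the syntax BIND will actually load.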