From 22aa753e8c87a628a6b2e3c11db5cd563239681f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Thu, 26 Feb 2026 17:13:04 +0100 Subject: [PATCH] Expand blackhole description Clarify the behavior of negated addresses within the `blackhole` statement to prevent common configuration misunderstandings. (cherry picked from commit 2b23c7011e0b6f2a2deaca17eb90c34386bb027d) --- doc/arm/reference.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 06d0befb62..fa7782c505 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3066,6 +3066,18 @@ for details on how to specify IP address lists. from or or cannot use to resolve a query. Queries from these addresses are not responded to. The default is ``none``. + When configuring this list, note that BIND evaluates Access Control Lists + sequentially (first match wins). A common misconception is that the directive + ``!address;`` blocks everything except that address. In reality, it only + explicitly exempts ``address`` from the blackhole; all other IP addresses + reach the end of the list without matching, meaning they are also not + blackholed. + + To successfully blackhole all traffic *except* specific addresses, you must + explicitly catch the remaining traffic with ``any;`` at the end of the list. + For example: ``!address; any;`` + + .. namedconf:statement:: no-case-compress :tags: server :short: Specifies a list of addresses that require case-insensitive compression in responses.
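Review bot: the security consequence of the misconfiguration described in the hunk is worth stating explicitly: a `blackhole` list containing only `!address;` matches nothing, so the statement fails open and the server keeps answering every client, including the ones the operator meant to block. A sentence such as "A blackhole list that contains only negated entries blocks no traffic at all" would make the risk clear before the corrected form is shown. Two smaller points: the first-match-wins rule applies to every address match list in BIND, not only to `blackhole`, so a cross-reference to the section the surrounding text already points at ("for details on how to specify IP address lists") would avoid restating the rule here; and the inline example `!address; any;` would be easier to copy correctly if shown as the complete statement, e.g. `blackhole { !address; any; };`, since the closing `};` is exactly where hand-written configs tend to go wrong.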