From 78beb3a71a8662f9bff6b6ae61bc2f48d09ffb70 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Thu, 26 Feb 2026 17:13:04 +0100 Subject: [PATCH] Expand blackhole description Clarify the behavior of negated addresses within the `blackhole` statement to prevent common configuration misunderstandings. (cherry picked from commit 2b23c7011e0b6f2a2deaca17eb90c34386bb027d) --- doc/arm/reference.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 34e2490aeb..a777a268bb 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -3149,6 +3149,17 @@ for details on how to specify IP address lists. from or use to resolve a query. Queries from these addresses are not responded to. The default is ``none``. + When configuring this list, note that BIND evaluates Access Control Lists + sequentially (first match wins). A common misconception is that the directive + ``!address;`` blocks everything except that address. In reality, it only + explicitly exempts ``address`` from the blackhole; all other IP addresses + reach the end of the list without matching, meaning they are also not + blackholed. + + To successfully blackhole all traffic *except* specific addresses, you must + explicitly catch the remaining traffic with ``any;`` at the end of the list. + For example: ``!address; any;`` + .. namedconf:statement:: keep-response-order :tags: server :short: Defines an :any:`address_match_list` of addresses which do not accept reordered answers within a single TCP stream.
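Review bot: The example at the end of the added paragraph in the doc/arm/reference.rst hunk (``For example: ``!address; any;````) shows only the list body, so a reader can still get the ordering wrong when placing it in a statement; consider showing the complete statement, for instance ``blackhole { !address; any; };``, with a short note that the negated entry must precede ``any;`` because, as the text itself says, the first match wins. It would also help to state explicitly that "not matching" an address_match_list means the address is not blackholed (i.e. the list's non-match result is permissive for this statement), since the paragraph relies on that to explain why ``!address;`` alone has no blocking effect; a cross-reference to the :any:`address_match_list` section already cited in the surrounding context would keep this consistent with the rest of the document. Minor style point: "Access Control Lists" is capitalized here while the rest of this file uses "ACL" or lowercase "access control list".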