This service imports public IP blocklists to keep abusive traffic away from the resolver. One of them, the crowd-sourced blocklist_de feed, carried entries inside Google's published crawler range. Imported verbatim twice a day, it told the firewall to drop Googlebot at layer 4, before nginx could log anything. The site stayed fully reachable for visitors while Search Console impressions bent toward zero.

What changed

  • Crawler-gated logging: nginx now writes a dedicated log for search-bot User-Agents only, so crawler traffic is visible without logging normal visitors.
  • Identity verification: a small script checks every logged crawler IP by forward-confirmed reverse DNS, the method the search operators themselves document.
  • Exempt, not whitelist: an nftables set, rebuilt automatically from nine official crawler IP feeds, cancels only the imported-blocklist drops. Rate limits and behavioural guards still apply to every packet, so a forged crawler address buys nothing.
  • Feed decommissioned: the offending crowd-sourced feed was disabled, as recorded on the server info page.

The full writeup

The complete account, from the flat Search Console graph to the recovery, is published as a runbook: When Your Blocklist Bans Googlebot. It includes the nginx configuration, the verification script, and the full exempt-set updater, ready to use on any service that imports blocklists.