diff --git a/matrix/synapse/README.md b/matrix/synapse/README.md
index 5b4969e..29743f0 100644
--- a/matrix/synapse/README.md
+++ b/matrix/synapse/README.md
@@ -147,7 +147,7 @@ Logging is configured in `log.yaml`. Some logging should go to systemd, the
 more specific logging to Synapse's own logfile(s).
 
 
-# Delegation and DNS {#Delegation}
+## Delegation and DNS {#Delegation}
 
 If you run your server under a different FQDN than just the domain name you
 want to use, you need to delegate: point from your domain to the server.
@@ -180,3 +180,37 @@ Very important: both names (example.com and matrix.example.com) must be A
 and/or AAAA records in DNS, not CNAME.
 
 See [nginx](../nginx) for details about how to publish this data.
+
+
+## Blacklists
+
+You don't want Synapse to try to contact certain IP-addresses, especially not
+those that are unroutable or for special uses. Add these addresses to `ip_range_blacklist`,
+in `conf.d/ip_range_blacklist.yaml`:
+
+```
+ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '192.0.0.0/24'
+  - '169.254.0.0/16'
+  - '192.88.99.0/24'
+  - '198.18.0.0/15'
+  - '192.0.2.0/24'
+  - '198.51.100.0/24'
+  - '203.0.113.0/24'
+  - '224.0.0.0/4'
+  - '::1/128'
+  - 'fe80::/10'
+  - 'fc00::/7'
+  - '2001:db8::/32'
+  - 'ff00::/8'
+  - 'fec0::/10'
+```
+
+You want to add addresses of malicious or otherwise unwanted machines to this
+list too. See [Synapse's documentation](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html?highlight=ip_range_blacklist#ip_range_blacklist)
+for more information.