
Blackhole server

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Dcirovic (talk | contribs) at 07:47, 3 February 2016 (Reverted 1 edit by 75.170.247.218 identified as test/vandalism using STiki). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Blackhole DNS servers are DNS servers that return a "nonexistent address" answer to reverse DNS lookups for addresses reserved for private use.

Background

RFC 1918 reserves several ranges of IPv4 addresses for use on private networks:

  • 10.0.0.0 – 10.255.255.255
  • 172.16.0.0 – 172.31.255.255
  • 192.168.0.0 – 192.168.255.255

Even though traffic to or from these addresses should never appear on the public Internet, it is not uncommon for such traffic to appear anyway. Some servers are configured (usually for logging reasons) to perform a reverse DNS lookup on clients' IP addresses. If such a server receives a packet originating from an RFC 1918 address, it may attempt a reverse lookup on that address. This causes unnecessary network traffic and may also impair the functionality of the server, because the query would go unanswered and the server would have to wait for it to time out.
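The usual way to avoid this problem on the server side is to never send a reverse lookup for an address that can only be answered with "nonexistent address" in the first place. The following is an added example (not code from the article): it recognises the RFC 1918 private ranges, plus the RFC 3927 link-local range that the AS112 section below also mentions, builds the in-addr.arpa query name with Python's standard `ipaddress` module, and answers locally for those ranges while passing everything else to a resolver callable. The resolver, the PTR table and the log lines are constructed stubs so that the example runs offline; the function names are the example's own.

```python
"""Guard reverse (PTR) lookups used for log enrichment so that no query is
sent to the public DNS for an address that cannot have a public PTR record.

Added example, not part of the Wikipedia article. The ranges are the RFC 1918
private blocks and the RFC 3927 link-local block; names are the example's own.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple

# Prefixes whose reverse zones are served by the IANA blackhole / AS112
# servers: RFC 1918 private networks plus RFC 3927 link-local.
BLACKHOLED_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa owner name for an IPv4 address,
    e.g. '10.1.2.3' -> '3.2.1.10.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def is_blackholed(ip: str) -> bool:
    """True when a PTR query for `ip` would end up at a blackhole / AS112
    server and can only ever be answered with a 'nonexistent address'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLACKHOLED_PREFIXES)


def safe_reverse_lookup(ip: str, resolver: Callable[[str], Optional[str]]) -> Optional[str]:
    """Resolve a PTR record only for addresses that can have one.

    `resolver` maps a reverse name to a hostname (or None); it is a parameter
    so the example can run against a constructed stub instead of the DNS."""
    if is_blackholed(ip):
        # Answer locally: no packet leaves the host, no timeout, no cache churn.
        return None
    return resolver(reverse_name(ip))


def enrich_log_lines(lines: Iterable[str],
                     resolver: Callable[[str], Optional[str]]) -> Tuple[List[str], int]:
    """Annotate 'client-ip message' log lines with a hostname where possible.

    Returns the annotated lines and the number of lookups that were suppressed
    because the source address falls in a blackholed range."""
    annotated: List[str] = []
    suppressed = 0
    for line in lines:
        ip, _, rest = line.partition(" ")
        if is_blackholed(ip):
            suppressed += 1
        host = safe_reverse_lookup(ip, resolver)
        annotated.append(f"{ip} ({host or 'no-ptr'}) {rest}")
    return annotated, suppressed


# Constructed sample data: a stub PTR table standing in for the real DNS and a
# few fabricated access-log lines mixing public and private source addresses.
STUB_PTR_TABLE = {"8.8.8.8.in-addr.arpa": "dns.google"}  # constructed
SAMPLE_LOG = [  # constructed
    "8.8.8.8 GET /index.html",
    "10.1.2.3 GET /admin",
    "172.31.0.9 POST /login",
    "192.168.1.20 GET /",
    "169.254.10.10 GET /probe",
    "203.0.113.7 GET /robots.txt",
]

if __name__ == "__main__":
    out, n = enrich_log_lines(SAMPLE_LOG, STUB_PTR_TABLE.get)
    print("\n".join(out))
    print(f"{n} reverse lookups suppressed")
```

With the constructed sample, four of the six lines are answered locally without any query; the 203.0.113.7 line is forwarded to the resolver and simply has no PTR in the stub table. In a real deployment the same check belongs in front of whatever PTR lookup the logging code performs, so that leaked private-address traffic costs neither a round trip nor a timeout.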

Role

To deal with this problem, IANA has set up three special DNS servers called "blackhole servers". Currently the blackhole servers are:

  • blackhole-1.iana.org
  • blackhole-2.iana.org
  • prisoner.iana.org

These servers are registered in the DNS as the authoritative servers for the reverse lookup zones of the RFC 1918 addresses, and are configured to answer any query with a "nonexistent address" answer. This reduces wait times because the (negative) answer is given immediately and no timeout has to expire. Additionally, the answer returned may be cached by recursive DNS servers, so a second lookup for the same address performed by the same node would probably be answered from the local cache instead of querying the authoritative servers again; this reduces the network load significantly. According to IANA, the blackhole servers receive thousands of queries every second.

Because the load on the IANA blackhole servers became very high, an alternative service, AS112, was created; it is mostly run by volunteer operators.

AS112

The AS112 project is a group of volunteer name server operators joined in an autonomous system. They run anycasted instances of name servers that answer reverse DNS lookups for private-network and link-local addresses that are sent to the public Internet. Such queries are ambiguous by nature and cannot be answered correctly; providing negative answers reduces the load on the public DNS infrastructure.

History

Before 2001, the in-addr.arpa zones for the RFC 1918 networks were delegated to a single instance of the name servers blackhole-1.iana.org and blackhole-2.iana.org, called the blackhole servers. The IANA-run servers were under increasing load from improperly configured NAT networks that leaked reverse DNS queries, which also placed unnecessary load on the root servers. A small subset of root server operators decided to run the reverse delegations using the model described in RFC 3258, each announcing the network using autonomous system number 112. The group of volunteers has since grown to include many other organizations. An alternative approach using DNAME redirection was adopted by the IETF in May 2015 as RFC 7534 (obsoleting RFC 6304) and RFC 7535.

Answered zones

The name servers participating in the AS112 project are each configured to answer authoritatively for the following zones:

  • For the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 private networks (RFC 1918):
    • 10.in-addr.arpa
    • 16.172.in-addr.arpa
    • 17.172.in-addr.arpa
    • 18.172.in-addr.arpa
    • 19.172.in-addr.arpa
    • 20.172.in-addr.arpa
    • 21.172.in-addr.arpa
    • 22.172.in-addr.arpa
    • 23.172.in-addr.arpa
    • 24.172.in-addr.arpa
    • 25.172.in-addr.arpa
    • 26.172.in-addr.arpa
    • 27.172.in-addr.arpa
    • 28.172.in-addr.arpa
    • 29.172.in-addr.arpa
    • 30.172.in-addr.arpa
    • 31.172.in-addr.arpa
    • 168.192.in-addr.arpa
  • For the 169.254.0.0/16 link-local network (RFC 3927):
    • 254.169.in-addr.arpa
  • For unique identification purposes:
    • hostname.as112.net

External links

  • The IANA abuse FAQ, which contains information about the blackhole servers.
  • AS112 web page
  • RSSAC Meeting Atlanta 2002 notes describing the impact of RFC 1918 network queries on the root servers.
  • Mailing list for AS112 operators.
  • RFC 7534 - AS112 Nameserver Operations
  • RFC 7535 - AS112 Redirection Using DNAME
  • RFC 6305 - I'm Being Attacked by PRISONER.IANA.ORG!
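The zone list under "Answered zones" follows directly from the address blocks: in-addr.arpa is delegated on octet boundaries, which is why 10.0.0.0/8 and the two /16 blocks each need one zone while 172.16.0.0/12 needs sixteen. The following added example (not code from the article or from the AS112 project) derives that list from the CIDR prefixes on the page and then maps an incoming reverse query name to the zone that would serve it, which is the check a resolver or log-analysis tool can use to tell leaked private-address PTR queries from ordinary ones. The prefixes and hostname.as112.net are taken from the page; the function names are the example's own.

```python
"""Derive the in-addr.arpa zones a blackhole / AS112 name server must answer
for from the address blocks it covers, and map a reverse query name to the
zone that serves it.

Added example; not code from the article or from the AS112 project. The
prefixes are the RFC 1918 and RFC 3927 blocks listed on the page and
'hostname.as112.net' is the identification zone the page names.
"""
import ipaddress
from typing import List, Optional


def reverse_zones(prefix: str) -> List[str]:
    """Expand a CIDR prefix into the octet-aligned in-addr.arpa zones covering it.

    in-addr.arpa is delegated per octet, so 172.16.0.0/12 cannot be a single
    zone: it becomes the sixteen /16 zones 16.172 .. 31.172. A prefix longer
    than /24 is represented by its enclosing /24 zone."""
    net = ipaddress.ip_network(prefix, strict=True)
    aligned = min(24, -(-net.prefixlen // 8) * 8)  # round up to a multiple of 8
    if aligned < net.prefixlen:
        subnets = [net.supernet(new_prefix=aligned)]
    elif aligned == net.prefixlen:
        subnets = [net]
    else:
        subnets = list(net.subnets(new_prefix=aligned))
    zones = []
    for sub in subnets:
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


# Address blocks from the page: RFC 1918 private networks and RFC 3927 link-local.
BLACKHOLED_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]

# The complete zone set: derived reverse zones plus the identification zone.
AS112_ZONES = [z for p in BLACKHOLED_PREFIXES for z in reverse_zones(p)] + ["hostname.as112.net"]


def serving_zone(qname: str, zones: List[str] = AS112_ZONES) -> Optional[str]:
    """Return the closest enclosing zone from `zones` for a query name, e.g.
    '3.2.1.10.in-addr.arpa' -> '10.in-addr.arpa'. None means the name lies
    outside the blackholed space and belongs to the regular in-addr.arpa tree."""
    labels = qname.lower().rstrip(".").split(".")
    best: Optional[str] = None
    for zone in zones:
        zl = zone.split(".")
        if len(zl) <= len(labels) and labels[-len(zl):] == zl:
            if best is None or len(zl) > len(best.split(".")):
                best = zone
    return best


if __name__ == "__main__":
    for z in AS112_ZONES:
        print(z)
    # Constructed sample queries: two leaked private-address PTR names, one public.
    for q in ("3.2.1.10.in-addr.arpa", "5.4.20.172.in-addr.arpa", "1.1.1.1.in-addr.arpa"):
        print(q, "->", serving_zone(q))
```

Running the block prints the same nineteen in-addr.arpa zones as the list above, in the same order, followed by hostname.as112.net. The longest-suffix match in `serving_zone` is the same rule a resolver applies when choosing which delegation to follow, so a query name that matches one of these zones is exactly one that would otherwise travel to a blackhole or AS112 server.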