Blackhole DNS
Mark_Andrews at isc.org
Fri Feb 22 00:52:53 UTC 2002
>
> On Thu, Feb 21, 2002 at 09:59:49PM +0000, Martin Stewart wrote:
> > When a server is being accessed by clients with private addresses
> > (RFC1918) is it best practice to make the server's caching DNS server
> > authoritative for 10.in-addr.arpa?
>
> This shouldn't be an issue. If a server is reachable by clients with
> RFC1918 IPs, then the local nameservers should already be able to
> resolve those IPs. This is simply proper administration.
>
> Backbone routers should/would/will not route RFC1918 IPs so if you don't
> have any local IPs like that, a server should never see them, and not
> need to resolve them.
>
> > I've recently seen a problem which I claimed might have been caused by an
> > outage (or us not being able to reach) the blackhole servers at
> > blackhole-1.iana.org and I was wondering how other people solved that issue.
>
> See above, it shouldn't be a problem. If it is, set a local nameserver
> as authoritative for those IP ranges/zones and make any caches forward
> requests for those zone/ranges to your authoritative nameservers.
> --
> Nate Campi Job: hostmaster at lycos.com and root at wired.com
>
> "Confucius say: He who play in root, eventually kill tree."

You have missed the whole point of the question. It is
irrelevant whether packets with RFC 1918 addresses are forwarded
through the Internet or not.

The "caching" server here is likely to have both an RFC 1918
address and a non-RFC 1918 address. It will be getting queries for
the relevant parts of in-addr.arpa that correspond to the
RFC 1918 address being used. These queries should be
answered by this server (or another internal server) and NOT
looked up on the Internet.

This is the same way as 127.in-addr.arpa (0.0.127.in-addr.arpa)
should be on every caching server. It is address space private
to the host. Queries for 1.0.0.127.in-addr.arpa should be answered
locally.

For IPv6 the following should all be local along with the ip6.int
versions.

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
8.e.f.ip6.arpa. 9.e.f.ip6.arpa. a.e.f.ip6.arpa. b.e.f.ip6.arpa. (link local)
c.e.f.ip6.arpa. d.e.f.ip6.arpa. e.e.f.ip6.arpa. f.e.f.ip6.arpa. (site local)

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
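
Added example (not part of the original message, and not ISC or BIND code): a Python check that takes reverse-lookup names seen leaving a caching server and reports which ones fall under the zones the reply above says should be answered locally. The 172.16/12 and 192.168/16 zones are filled in from RFC 1918; the function names and the sample query names are constructed for illustration.

```python
# Added example, not from the original post. Zone names follow the post
# and RFC 1918; the query names in SAMPLE_QUERIES are constructed.
import ipaddress

def _v6(zone):
    # The post asks for the ip6.int versions alongside ip6.arpa.
    return [zone + ".ip6.arpa", zone + ".ip6.int"]

LOCAL_ZONES = set(
    ["10.in-addr.arpa", "168.192.in-addr.arpa", "127.in-addr.arpa"]
    + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]   # 172.16.0.0/12
    + [z for h in "89ab" for z in _v6(f"{h}.e.f")]       # link local
    + [z for h in "cdef" for z in _v6(f"{h}.e.f")]       # site local
    + _v6(".".join(["1"] + ["0"] * 31))                  # ::1
    + _v6(".".join(["0"] * 32))                          # ::
)

def local_zone_for(qname):
    """Return the locally served zone enclosing qname, or None."""
    labels = qname.lower().rstrip(".").split(".")
    # Compare whole-label suffixes so that 110.in-addr.arpa
    # is never mistaken for 10.in-addr.arpa.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in LOCAL_ZONES:
            return candidate
    return None

def leaked(upstream_queries):
    """Queries sent upstream that a local zone should have answered."""
    return [q for q in upstream_queries if local_zone_for(q)]

SAMPLE_QUERIES = [  # constructed names, built from constructed addresses
    ipaddress.ip_address("192.168.1.5").reverse_pointer + ".",
    ipaddress.ip_address("172.31.0.9").reverse_pointer,
    ipaddress.ip_address("172.32.0.9").reverse_pointer,   # outside 172.16/12
    ipaddress.ip_address("110.1.2.3").reverse_pointer,    # not 10/8
    ipaddress.ip_address("fe80::1").reverse_pointer,
    ipaddress.ip_address("::1").reverse_pointer,
    "1.0.0.127.in-addr.arpa",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q:75} -> {local_zone_for(q)}")
```

Any name that leaked() returns from an outbound query log points at a zone still missing from the caching server's local configuration.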