Queries to DNS Blackholes don't respond

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Wed Apr 18 20:35:25 UTC 2018


Sorry, but the "that's what they're there for" argument is often misapplied to justify reckless, irresponsible or just plain unauthorized use of resources, and I think this is an example of that.

The AS112 project (https://www.as112.net/), who collectively run those "blackhole" servers, set them up to answer queries that leak out *unintentionally*. RFC 6303, among other documents, makes it quite clear that DNS operators SHOULD define the RFC 1918 zones, and zones associated with reverse-IPv6 and other "special" address ranges, locally, either explicitly or by using the built-in mechanisms of the DNS software, in order to *prevent* those queries leaking out and having to be answered by the AS112 servers. Your attitude of "I'll just use the AS112 servers because that's what they're there for" amounts to *abusing* resources -- that in most cases are provided by volunteers -- that were set up to help protect the Internet DNS infrastructure from misconfiguration and/or deliberate assault. Please do the right and responsible thing. Don't be part of the problem.

Having said that, if, out of idle curiosity, you want to know why you're not getting answers from your closest AS112 Anycast node, I'd start by looking at the problem from the routing perspective. Anycast routing can be tricky sometimes (in my case, a traceroute shows a path going directly from our border router through some ALTER.NET hops, but your mileage may vary). Or maybe the operator of that node is having a problem with their nameserver. Another possibility is that an intermediate IPS (Intrusion Prevention System or Service), or firewall, is configured to drop your query packets or the responses (RFC 6305 focuses on that particular scenario, although its main recommendation for mitigation is to not send the queries to the AS112 servers in the first place).

						- Kevin
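The thread's practical point is that reverse queries for RFC 1918 and the other RFC 6303 "special" ranges should be answered locally and never reach the AS112 servers. The script below is an added example (not from this thread, the AS112 project, or ISC) that a resolver operator could run over their own query log to spot such queries before they leak: it converts a (possibly partial) in-addr.arpa or ip6.arpa name back into the network it covers and checks it against the RFC 6303 list (plus 100.64.0.0/10 from RFC 7793, which newer BIND builds also cover). The log lines and the `query: <name> IN <type>` pattern they are matched with are constructed here in the shape of a BIND query log; adjust the regular expression to your own log format.

```python
import ipaddress
import re

# Address ranges whose reverse zones RFC 6303 says a resolver should serve
# locally (empty zones) rather than send upstream to the AS112 blackhole
# servers. 100.64.0.0/10 comes from RFC 7793 and is included for completeness.
LOCAL_ONLY_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.51.100.0/24",
    "203.0.113.0/24", "255.255.255.255/32",
    "::1/128", "2001:db8::/32", "fd00::/8", "fe80::/10",
)]


def reverse_name_to_network(qname):
    """Map a reverse-DNS name to the network it covers.

    '5.0.0.10.in-addr.arpa' -> 10.0.0.5/32, '10.in-addr.arpa' -> 10.0.0.0/8,
    '8.b.d.0.1.0.0.2.ip6.arpa' -> 2001:db8::/32. Returns None for anything that
    is not a syntactically valid in-addr.arpa / ip6.arpa name.
    """
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]          # labels are least-significant first
        if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
            return None
        addr = ".".join(octets + ["0"] * (4 - len(octets)))  # pad partial names
        return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2][::-1]
        if not 1 <= len(nibbles) <= 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            return None
        hexstr = "".join(nibbles).ljust(32, "0")
        addr = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_network(f"{addr}/{4 * len(nibbles)}")
    return None


def local_only_prefix(qname):
    """Return the RFC 6303/7793 prefix a reverse query falls into, or None."""
    net = reverse_name_to_network(qname)
    if net is None:
        return None
    for prefix in LOCAL_ONLY_PREFIXES:
        # subnet_of() refuses to compare IPv4 with IPv6, so check version first
        if net.version == prefix.version and net.subnet_of(prefix):
            return prefix
    return None


# Assumed log shape: BIND's query log prints "query: <qname> IN <qtype>".
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def find_local_only_queries(log_lines):
    """Return (qname, qtype, prefix) for every logged reverse query that the
    resolver should have answered itself from an empty zone."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        prefix = local_only_prefix(m.group("qname"))
        if prefix is not None:
            hits.append((m.group("qname"), m.group("qtype"), str(prefix)))
    return hits


# Constructed sample lines in the shape of a BIND query log (not real traffic).
SAMPLE_LOG = [
    "client 10.0.0.5#53211 (5.0.0.10.in-addr.arpa): query: 5.0.0.10.in-addr.arpa IN PTR + (10.0.0.1)",
    "client 10.0.0.5#53212 (4.4.8.8.in-addr.arpa): query: 4.4.8.8.in-addr.arpa IN PTR + (10.0.0.1)",
    "client 10.0.0.6#40001 (168.192.in-addr.arpa): query: 168.192.in-addr.arpa IN SOA + (10.0.0.1)",
    "client 10.0.0.7#40002 (www.example.com): query: www.example.com IN A + (10.0.0.1)",
    "client 10.0.0.8#40003 (loopback): query: " + "1." + "0." * 31 + "ip6.arpa IN PTR + (10.0.0.1)",
    "client 10.0.0.9#40004 (25.1.16.172.in-addr.arpa): query: 25.1.16.172.in-addr.arpa IN PTR + (10.0.0.1)",
]

if __name__ == "__main__":
    for qname, qtype, prefix in find_local_only_queries(SAMPLE_LOG):
        print(f"{qtype:4} {qname:45} should be answered locally ({prefix})")
```

Any hit from this script on a production log means a query that BIND's built-in empty zones (or an explicit local zone for that range) should have answered with NXDOMAIN on the spot; if such queries are still leaving the resolver, check that `empty-zones-enable` has not been turned off and that no `disable-empty-zone` or distributor-supplied `named.conf` kludge is overriding the zone in question.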



-----Original Message-----
From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Roberto Carna
Sent: Wednesday, April 18, 2018 11:31 AM
To: bind-users at lists.isc.org
Subject: Re: Queries to DNS Blackholes don't respond

Dear people, I know the best way is to make in-addr.arpa local zones in my BIND.

But also I think the BLACKHOLE SERVERS can be used, because they were created for this reason: to respond to queries for RFC 1918 networks.

So why don't the BLACKHOLE servers respond anymore? Just one time I could get a response from them.

Regards!!!

2018-04-18 11:53 GMT-03:00 /dev/rob0 <rob0 at gmx.co.uk>:
> On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
>> Dear, I have implemented a BIND9 server. It works OK, but some days 
>> ago an application failed because it needed to resolve the reverse of 
>> some IP addresses from range 10.x.x.x, and they waited for a long 
>> time and failed, because they need a NXDOMAIN fast response.
>>
>> I don't want to make a local zone 10.IN-ADDR.ARPA,
>
> You don't need to.  See the "built-in empty zones" section of the BIND 
> 9 ARM, chapter 6.
>
>> because I want to
>> use the two public nameservers from Internet:
>>
>> BLACKHOLE-1.IANA.ORG (192.175.48.6)
>> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>
> What??  Why?  Those are not supposed to be used.  BIND now includes 
> empty zones for all RFC 1918 and other reserved netblocks which 
> shouldn't ever appear on the open Internet.
>
> If you use some of these networks inside your organization, you can 
> have authoritative zones for the corresponding in-addr.arpa zones.
>
> [snip]
>> Is it OK that I do? Are blackhole servers useful for this purpose ?
>
> Not at all.  That's why we have the automatic empty zones.  Sadly, 
> many distributors are not aware of the feature, so they distribute 
> named.conf with kludges.
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users