
Queries to DNS Blackholes don't respond


Roberto Carna

Apr 18, 2018, 10:44:35 AM
to bind-...@lists.isc.org
Dear all, I have implemented a BIND9 server. It works OK, but some days
ago an application failed because it needed to resolve the reverse of
some IP addresses from the range 10.x.x.x, and they waited for a long time
and failed, because they need a fast NXDOMAIN response.

I don't want to make a local zone 10.IN-ADDR.ARPA, because I want to
use the two public nameservers from Internet:

BLACKHOLE-1.IANA.ORG (192.175.48.6)
BLACKHOLE-2.IANA.ORG (192.175.48.42)

When I query these DNS servers from the console of the BIND server, and
from any host I have available here, the result is this:

root@DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.6
Using domain server:
Name: 192.175.48.6
Address: 192.175.48.6#53
Aliases:

10.in-addr.arpa name server blackhole-2.iana.org.
10.in-addr.arpa name server blackhole-1.iana.org.

and finally I get the NXDOMAIN I need:

DNS:~# host -t NS 10.10.12.1 192.175.48.6
Using domain server:
Name: 192.175.48.6
Address: 192.175.48.6#53
Aliases:

Host 1.12.10.10.in-addr.arpa. not found: 3(NXDOMAIN)

Is it OK to do this? Are the blackhole servers useful for this purpose?

Thanks a lot !!!

Matus UHLAR - fantomas

Apr 18, 2018, 10:53:44 AM
to bind-...@lists.isc.org
On 18.04.18 11:44, Roberto Carna wrote:
>Dear all, I have implemented a BIND9 server. It works OK, but some days
>ago an application failed because it needed to resolve the reverse of
>some IP addresses from the range 10.x.x.x, and they waited for a long time
>and failed, because they need a fast NXDOMAIN response.

>I don't want to make a local zone 10.IN-ADDR.ARPA, because I want to
>use the two public nameservers from Internet:

10.* is a private IP range and no one from outside should respond to it.
You MUST configure those zones yourself, unless your provider gave them to
you; in that case ask your provider.

>BLACKHOLE-1.IANA.ORG (192.175.48.6)
>BLACKHOLE-2.IANA.ORG (192.175.48.42)

>Is it OK that I do? Are blackholes servers useful for this purpose ?

I believe that the meaning of "blackhole" is that those servers will NOT
respond.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states.

/dev/rob0

Apr 18, 2018, 10:53:47 AM
to bind-...@lists.isc.org
On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
> Dear all, I have implemented a BIND9 server. It works OK, but some days
> ago an application failed because it needed to resolve the reverse of
> some IP addresses from the range 10.x.x.x, and they waited for a long time
> and failed, because they need a fast NXDOMAIN response.
>
> I don't want to make a local zone 10.IN-ADDR.ARPA,

You don't need to. See the "built-in empty zones" section of the
BIND 9 ARM, chapter 6.

> because I want to
> use the two public nameservers from Internet:
>
> BLACKHOLE-1.IANA.ORG (192.175.48.6)
> BLACKHOLE-2.IANA.ORG (192.175.48.42)

What?? Why? Those are not supposed to be used. BIND now includes
empty zones for all RFC 1918 and other reserved netblocks which
shouldn't ever appear on the open Internet.

If you use some of these networks inside your organization, you can
have authoritative zones for the corresponding in-addr.arpa zones.

[snip]
> Is it OK that I do? Are blackholes servers useful for this purpose ?

Not at all. That's why we have the automatic empty zones. Sadly,
many distributors are not aware of the feature, so they distribute
named.conf with kludges.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Roberto Carna

Apr 18, 2018, 10:56:54 AM
to bind-...@lists.isc.org
Sorry, after successfully querying the DNS blackholes, I repeated the
command and the same servers couldn't be reached anymore:

DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.6
;; connection timed out; no servers could be reached

DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.42
;; connection timed out; no servers could be reached

I don't know why the DNS blackholes don't always respond. I keep
querying the DNS blackholes and they can't be reached anymore. Why?

Thanks a lot again.


Roberto Carna

Apr 18, 2018, 11:30:45 AM
to bind-...@lists.isc.org
Dear people, I know the best way is to make local in-addr.arpa zones in my BIND.

But I also think the BLACKHOLE servers can be used, because they were
created for this reason: to respond to queries for RFC 1918 networks.

So why don't the BLACKHOLE servers respond anymore? Only once could I
get a response from them.

Regards!!!


Mark Andrews

Apr 18, 2018, 4:32:14 PM
to Roberto Carna, bind-...@lists.isc.org
They were created as sacrificial servers to protect the arpa servers. If you use RFC 1918 addresses you are supposed to run your own servers. Read RFC 1918 about not leaking stuff.

--
Mark Andrews

Darcy Kevin (FCA)

Apr 18, 2018, 4:35:37 PM
to bind-...@lists.isc.org
Sorry, but the "that's what they're there for" argument is often misapplied to justify reckless, irresponsible or just plain unauthorized use of resources, and I think this is an example of that.

The AS112 project (https://www.as112.net/), who collectively run those "blackhole" servers, set them up to answer queries that leak out *unintentionally*. RFC 6303, among other documents, makes it quite clear that DNS operators SHOULD define the RFC 1918 zones, and zones associated with reverse-IPv6 and other "special" address ranges, locally, either explicitly or by using the built-in mechanisms of the DNS software, in order to *prevent* those queries leaking out and having to be answered by the AS112 servers. Your attitude of "I'll just use the AS112 servers because that's what they're there for" amounts to *abusing* resources -- that in most cases are provided by volunteers -- that were set up to help protect the Internet DNS infrastructure from misconfiguration and/or deliberate assault. Please do the right and responsible thing. Don't be part of the problem.

Having said that, if, out of idle curiosity, you want to know why you're not getting answers from your closest AS112 Anycast node, I'd start by looking at the problem from the routing perspective. Anycast routing can be tricky sometimes (in my case, a traceroute shows a path going directly from our border router through some ALTER.NET hops, but your mileage may vary). Or maybe the operator of that node is having a problem with their nameserver. Another possibility is that an intermediate IPS (Intrusion Prevention System or Service), or firewall, is configured to drop your query packets or the responses (RFC 6305 focuses on that particular scenario, although its main recommendation for mitigation is to not send the queries to the AS112 servers in the first place).

- Kevin
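The two answers above (rob0's pointer to BIND's built-in empty zones, and Kevin's RFC 6303 advice to serve the RFC 1918 reverse zones locally so the queries never reach AS112) can be made concrete with a small script. This is an added example, not code from the thread, from ISC or from the AS112 project: it works out which in-addr.arpa zones cover the RFC 1918 ranges, tells you whether a given PTR query name would be answered locally or would leak, and emits the named.conf fragment and zone-file skeleton for the one private range a site actually uses, leaving the rest to the built-in empty zones. The internal use of 10.0.0.0/8, the file path /etc/bind/db.<zone>, and the names ns1.example.internal and hostmaster.example.internal are assumptions made for the example.

```python
"""
Added example (not from the thread, ISC or the AS112 project): which reverse
(PTR) queries RFC 6303 says a resolver should answer itself instead of letting
them leak to the AS112 "blackhole" servers, plus the named.conf fragment and
zone-file skeleton for the private range a site really uses.

Assumptions (mine, not the thread's): the site uses 10.0.0.0/8 internally;
/etc/bind/db.<zone>, ns1.example.internal and hostmaster.example.internal
are placeholders.
"""
import ipaddress

# RFC 1918 space plus loopback and link-local. All of these are in the RFC 6303
# list of zones to serve locally; RFC 6303 and BIND's built-in list contain
# more (see the "built-in empty zones" section of the BIND 9 ARM).
LOCAL_ONLY = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16"]


def reverse_zones(network):
    """in-addr.arpa zone names that cover `network` exactly.

    in-addr.arpa is cut on octet boundaries, so a /12 such as 172.16.0.0/12
    cannot be one zone: it becomes the sixteen /16 zones 16.172.in-addr.arpa
    ... 31.172.in-addr.arpa, which is how RFC 6303 lists it.
    """
    net = ipaddress.ip_network(network)
    octets = -(-net.prefixlen // 8)        # round the prefix up to whole octets
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def ptr_qname(address):
    """PTR query name for an IPv4 address: 10.10.12.1 -> 1.12.10.10.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def zone_for(qname, networks=LOCAL_ONLY):
    """The locally served zone a PTR qname falls under, or None.

    None means the resolver has no local answer: without a local or built-in
    zone the query leaves the site and ends up at an AS112 node, which is the
    leak RFC 6303 tells operators to prevent.
    """
    name = qname.lower().rstrip(".")
    for net in networks:
        for zone in reverse_zones(net):
            if name == zone or name.endswith("." + zone):
                return zone
    return None


def named_conf_fragment(in_use):
    """named.conf text for the private ranges this site actually uses.

    BIND's built-in empty zones stay enabled (the default) and cover every
    other special-use range; a zone configured explicitly here replaces the
    built-in empty zone of the same name with a real authoritative one.
    """
    lines = ["options {",
             "    empty-zones-enable yes;   // the default, shown for clarity",
             "};", ""]
    for net in in_use:
        for zone in reverse_zones(net):
            lines += [f'zone "{zone}" {{',
                      "    type master;",
                      f'    file "/etc/bind/db.{zone}";   // path is a placeholder',
                      "};", ""]
    return "\n".join(lines)


def zone_file(ptrs, ns="ns1.example.internal.",
              hostmaster="hostmaster.example.internal."):
    """Skeleton zone file for one of the zones above (placeholder names).

    With an SOA and an NS record the server is authoritative for the whole
    zone, so any name not listed gets an immediate NXDOMAIN: the fast
    negative answer the application in the thread was waiting for. `ptrs`
    maps owner names relative to the zone apex (e.g. "1.12.10" under
    10.in-addr.arpa) to the host names they point at.
    """
    lines = ["$TTL 3600",
             f"@   IN SOA {ns} {hostmaster} ( 1 3600 900 604800 300 )",
             f"    IN NS  {ns}"]
    for rel_name, target in ptrs.items():
        lines.append(f"{rel_name}   IN PTR {target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for addr in ("10.10.12.1", "172.20.4.5", "192.175.48.6"):
        q = ptr_qname(addr)
        print(q, "->", zone_for(q) or "no local zone: would leak to AS112")
    print(named_conf_fragment(["10.0.0.0/8"]))
    print(zone_file({"1.12.10": "host-10-10-12-1.example.internal."}))
```

Run it and the PTR name for 192.175.48.6 (one of the blackhole servers themselves) reports no local zone, while anything under 10/8, 172.16/12 or 192.168/16 maps to a zone that either BIND's built-in list or the generated fragment answers locally. The generated `type master` zone for 10.in-addr.arpa is the "authoritative zones for the corresponding in-addr.arpa zones" rob0 mentions; everything else stays on the built-in empty zones, so no kludge list of RFC 1918 zones needs to be pasted into named.conf.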

Roberto Carna

Apr 19, 2018, 9:03:54 AM
to Darcy Kevin (FCA), bind-...@lists.isc.org
Dear Darcy, now I understand what you mean.

Thanks for your great explanation of the possible causes why the
blackhole servers don't respond to me.

Thanks a lot !!!