IANA Blackhole Servers Ill?

We got some very weird complaints about applications "hanging." Tracked
it down to reverse lookups timing out. Reverse lookups to RFC1918 space.
Looks like the IANA blackhole servers for RFC1918 are not well?

   1 0.00000 207.88.152.10 -> 192.175.48.6 DNS C 52.143.18.172.in-addr.arpa. Internet PTR ?
   2 0.01375 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
   3 0.68455 207.88.152.10 -> 192.175.48.6 DNS C 111.143.18.172.in-addr.arpa. Internet PTR ?
   4 0.00529 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
   5 3.00417 207.88.152.10 -> 192.175.48.42 DNS C 111.143.18.172.in-addr.arpa. Internet PTR ?
   6 0.00548 192.175.48.42 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
   7 0.68462 207.88.152.10 -> 192.175.48.42 DNS C 69.160.18.172.in-addr.arpa. Internet PTR ?
   8 0.00623 192.175.48.42 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
   9 0.60348 207.88.152.10 -> 192.175.48.6 DNS C 52.143.18.172.in-addr.arpa. Internet PTR ?
  10 0.00523 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)

Looks like the hosts are up but not listening on 53/udp? Anyone else
seeing this? Heard about it?

(Of course, the fix is to claim authority for the RFC1918 space you are
using in your own DNS servers.)

For me they do answer:

; <<>> DiG 9.1.3 <<>> -t any 10.in-addr.arpa. @blackhole-1.iana.org.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20469
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.in-addr.arpa. IN ANY

;; ANSWER SECTION:
10.in-addr.arpa. 604800 IN SOA prisoner.iana.org. hostmaster.root-servers.org.\
                                                 2002040800 1800 900 604800 604800
10.in-addr.arpa. 604800 IN NS blackhole-1.iana.org.
10.in-addr.arpa. 604800 IN NS blackhole-2.iana.org.

;; Query time: 113 msec
;; SERVER: 192.175.48.6#53(blackhole-1.iana.org.)
;; WHEN: Fri Oct 21 23:15:39 2005
;; MSG SIZE rcvd: 162

; <<>> DiG 9.1.3 <<>> -t any 10.in-addr.arpa. @blackhole-2.iana.org.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43116
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.in-addr.arpa. IN ANY

;; ANSWER SECTION:
10.in-addr.arpa. 604800 IN SOA prisoner.iana.org. hostmaster.root-servers.org.\
                                                 2002040800 1800 900 604800 604800
10.in-addr.arpa. 604800 IN NS blackhole-1.iana.org.
10.in-addr.arpa. 604800 IN NS blackhole-2.iana.org.

;; Query time: 112 msec
;; SERVER: 192.175.48.42#53(blackhole-2.iana.org.)
;; WHEN: Fri Oct 21 23:15:49 2005
;; MSG SIZE rcvd: 162

Regards,
Peter and Karin Dambier

Crist Clark wrote:

We got some very weird complaints about applications "hanging." Tracked
it down to reverse lookups timing out. Reverse lookups to RFC1918 space.
Looks like the IANA blackhole servers for RFC1918 are not well?

From my location (Comcast cable modem in LA) I can see the IANA servers, and
they are answering queries.

(Of course, the fix is to claim authority for the RFC1918 space you are
using in your own DNS servers.)

It's arguably a good idea for resolving name servers to be authoritative for
all the 1918 space, as well as the zones recommended in RFC 1912
(ftp://ftp.rfc-editor.org/in-notes/rfc1912.txt). You can set up an empty
zone file (just SOA and NS), and do something like this:

zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };

Any more specific zones that you add for space that you're actually using
will be effective for those blocks instead of the more generic definitions
(at least in modern versions of BIND).

hth,

Doug
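The empty-zone setup Doug describes, as an added shell example that is not code from the thread: it generates the same named.conf zone statements for all eighteen RFC 1918 reverse zones, writes the minimal SOA-plus-NS zone file those statements point at, reverse-maps an address to its PTR owner name (so 172.18.143.52 becomes the 52.143.18.172.in-addr.arpa seen in the capture above), and shows which zone a PTR query falls under, including how a more specific zone for space you actually use takes precedence over the generic one. The names ns1.example.net and hostmaster.example.net and the path master/empty.db are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build BIND "empty zone" config for
# RFC 1918 reverse space so a resolver answers PTR queries for private
# addresses locally instead of sending them to the IANA blackhole servers.
# Assumed placeholders: master/empty.db, ns1.example.net, hostmaster.example.net.

# Print the 18 reverse zones that together cover all RFC 1918 space.
rfc1918_reverse_zones() {
    echo "10.in-addr.arpa"
    i=16
    while [ "$i" -le 31 ]; do
        echo "$i.172.in-addr.arpa"
        i=$((i + 1))
    done
    echo "168.192.in-addr.arpa"
}

# Emit named.conf zone statements of the form shown in Doug's message.
# Usage: bind_zone_stanzas master/empty.db
bind_zone_stanzas() {
    file="${1:-master/empty.db}"
    rfc1918_reverse_zones | while read -r zone; do
        printf 'zone "%s" { type master; file "%s"; };\n' "$zone" "$file"
    done
}

# Minimal zone file: SOA and NS only, no PTR records, so every lookup under
# the zone gets an immediate authoritative NXDOMAIN instead of a timeout.
empty_zone_file() {
    cat <<'EOF'
$TTL 86400
@   IN SOA ns1.example.net. hostmaster.example.net. (
        1          ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; negative-caching TTL
@   IN NS  ns1.example.net.
EOF
}

# Reverse-map a dotted-quad IPv4 address to its PTR owner name.
# Usage: ptr_name 172.18.143.52   -> 52.143.18.172.in-addr.arpa
ptr_name() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo "$4.$3.$2.$1.in-addr.arpa"
}

# Which configured zone answers a PTR name?  Candidates are the 18 empty
# zones plus any extra (more specific) zones given as further arguments;
# the longest matching zone wins, as BIND picks the closest enclosing zone.
# Prints nothing when the name lies outside every configured zone.
# Usage: covering_zone 52.143.18.172.in-addr.arpa [143.18.172.in-addr.arpa ...]
covering_zone() {
    name="$1"
    shift
    best=""
    for zone in $(rfc1918_reverse_zones) "$@"; do
        case "$name" in
            "$zone"|*."$zone")
                if [ "${#zone}" -gt "${#best}" ]; then
                    best="$zone"
                fi
                ;;
        esac
    done
    echo "$best"
}

# Stand-alone use: print the config fragment and the zone file.
if [ "${1:-}" = "--print" ]; then
    bind_zone_stanzas master/empty.db
    echo
    empty_zone_file
fi
```

After loading the zones, `dig -x 10.1.2.3 @your-resolver` should return an authoritative NXDOMAIN in milliseconds; a query that still leaves for 192.175.48.x means the resolver is not treating the zone as local. A zone you add for the space you really use, such as one carrying real PTR records for 143.18.172.in-addr.arpa, is chosen over 18.172.in-addr.arpa because it is the closer enclosing zone.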