Problem with IANA blackhole servers

Hello,

I'm having a problem with the IANA blackhole DNS-Servers resolving
RFC1918 IPs.

Normally I'm getting a NXDOMAIN reply and this is reported back to the
client.

With one resolver we're getting SERVFAIL for every query instead
of NXDOMAIN.

Example:

Resolver 1 (working):

# dig @192.175.48.42 1.1.168.192.in-addr.arpa PTR

; <<>> DiG 9.2.1 <<>> @192.175.48.42 1.1.168.192.in-addr.arpa PTR
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50669
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.1.168.192.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
168.192.in-addr.arpa. 300 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 2004051800 1800 900 604800 300

;; Query time: 11 msec
;; SERVER: 192.175.48.42#53(192.175.48.42)
;; WHEN: Tue Mar 28 13:29:57 2006
;; MSG SIZE rcvd: 119

Resolver 2 (failing):

# dig @192.175.48.42 1.1.168.192.in-addr.arpa PTR

; <<>> DiG 9.2.1 <<>> @192.175.48.42 1.1.168.192.in-addr.arpa PTR
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62187
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.1.168.192.in-addr.arpa. IN PTR

;; Query time: 16 msec
;; SERVER: 192.175.48.42#53(192.175.48.42)
;; WHEN: Tue Mar 28 13:21:02 2006
;; MSG SIZE rcvd: 42

So every request to resolve RFC1918 IPs with resolver #2 times out and
takes a long time to finish.

I think the reason is one of the anycast servers acting abnormally. A
trace from resolver 2 points to p80.net as provider:

[..]
4 ge0-0-pr1.AMS.router.colt.net (212.74.66.146) 14.100 ms 14.122 ms 14.096 ms
5 cr1.nl.p80.net (195.69.145.52) 14.839 ms 14.731 ms 14.123 ms
6 blackhole-2.iana.org (192.175.48.42) 14.703 ms 15.020 ms 14.861 ms

Perhaps someone on this list has a shortcut to get the server back to
normal again?

Regards,

Sebastian

> Perhaps someone on this list has a shortcut to get the server back to
> normal again?

See the following document on how to configure your own DNS servers
so you don't needlessly query external DNS servers for RFC1918 addresses.

http://www.chagreslabs.net/jmbrown/research/drafts/draft-brown-pvtipdns-01.html

* Sean Donelan <sean@donelan.com> [2006-03-28 21:24]:

> See the following document on how to configure your own DNS servers
> so you don't needlessly query external DNS servers for RFC1918 addresses.

> http://www.chagreslabs.net/jmbrown/research/drafts/draft-brown-pvtipdns-01.html

The resolver is used by customers who sometimes leak RFC1918 requests
to our resolver. I already told them to resolve that network
internally, but still the IANA server is not working correctly IMHO.

I'm also thinking about routing the blackhole /24 to one of our
DNS-Servers to resolve all of the RFC1918 space locally, but that will
take a little bit more time.

BTW: No need to cc me, I read the list.

Regards,

Sebastian

> I'm also thinking about routing the blackhole /24 to one of our
> DNS-Servers to resolve all of the RFC1918 space locally, but that will
> take a little bit more time.

I would suggest looking at the AS112 web site <http://www.as112.net/>
for information on how to set up your own anycast DNS servers for RFC1918
addresses on your network and downstream customers.

It also has information on how to identify the contact information
for the particular AS112 RFC1918 server answering your query.

<http://public.as112.net/node/7>

And the contact e-mail for the AS112 project.

<http://public.as112.net/node/9>

> BTW: No need to cc me, I read the list.

Ok. Teach a man to fish.

...

> The resolver is used by customers who sometimes leak RFC1918 requests
> to our resolver. I already told them to resolve that network
> internally, but still the IANA server is not working correctly IMHO.
>
> I'm also thinking about routing the blackhole /24 to one of our
> DNS-Servers to resolve all of the RFC1918 space locally, but that will
> take a little bit more time.

...

Just add zones 10.in-addr.arpa, 168.192.in-addr.arpa, and
{16-31}.172.in-addr.arpa to ALL of your resolving name servers, pointing
to a file that only has NS and SOA records.

Or a "* IN PTR not-a-working-address." record. :wink:

Or if you want to preserve the purity of separation of your resolvers
and authoritative name servers, do the above on one or more of your
authoritative name servers, and make them "forward only" zones on your
resolvers, pointing them to the authoritative name servers that have
been so favoured.

It takes less time than reading this mailing list! :wink:

[I have carefully removed you from the "to" list.]
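The local-zone setup described in the reply above, as an added example that is not part of the original thread: a small Python script that derives the 18 in-addr.arpa zones covering RFC1918 (10/8, the sixteen /16s under 172.16/12, and 192.168/16), emits BIND-style stanzas either as empty master zones or as "forward only" zones pointing at your own authoritative servers, and checks whether a given PTR name would be caught locally or still leak to the blackhole servers. The file name empty.db, the localhost SOA/NS names and the forwarder address 192.0.2.53 are assumed placeholders.

```python
"""Keep RFC1918 reverse lookups inside your own resolvers instead of
leaking them to the AS112/IANA blackhole servers (added example)."""
import ipaddress

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Minimal zone file: SOA and NS only, so every name below it is NXDOMAIN.
# The localhost names are assumed placeholders; use your own.
EMPTY_ZONE = """$TTL 300
@ IN SOA localhost. hostmaster.localhost. 1 1800 900 604800 300
@ IN NS localhost.
"""


def reverse_zones():
    """Octet-aligned in-addr.arpa zones covering every RFC1918 prefix.
    172.16.0.0/12 is not octet-aligned, so it expands to 16.172 .. 31.172."""
    zones = []
    for cidr in RFC1918:
        net = ipaddress.ip_network(cidr)
        octets = -(-net.prefixlen // 8)            # round prefix up to whole octets
        step = 1 << (32 - 8 * octets)              # size of one octet-aligned block
        for n in range(int(net.network_address), int(net.broadcast_address) + 1, step):
            labels = str(ipaddress.ip_address(n)).split(".")[:octets]
            zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def zone_for_ptr(name):
    """Local zone that would answer this PTR name, or None if the query
    would still leave the network and hit the blackhole servers."""
    name = name.rstrip(".")
    return next((z for z in reverse_zones()
                 if name == z or name.endswith("." + z)), None)


def named_conf(zones, forward_to=None):
    """One BIND zone stanza per zone: an empty master zone on the resolver
    itself, or a 'forward only' zone towards your authoritative servers."""
    out = []
    for z in zones:
        if forward_to:
            fwd = "; ".join(forward_to)
            out.append(f'zone "{z}" {{ type forward; forward only; forwarders {{ {fwd}; }}; }};')
        else:
            out.append(f'zone "{z}" {{ type master; file "empty.db"; }};')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(named_conf(reverse_zones()))                          # resolver-local variant
    print(named_conf(reverse_zones(), forward_to=["192.0.2.53"]))  # forward-only variant
    print(zone_for_ptr("1.1.168.192.in-addr.arpa"))             # the query from the thread
```

Run it to produce the stanzas for named.conf and write EMPTY_ZONE to empty.db; afterwards the dig query from the thread should return an authoritative NXDOMAIN from your own resolver.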