Problem with IANA blackhole servers
Hello,

I'm having a problem with the IANA blackhole DNS servers resolving RFC1918 IPs. Normally I'm getting an NXDOMAIN reply and this is reported back to the client. With one resolver we're getting SERVFAIL for every query instead of NXDOMAIN.

Example:

Resolver 1 (working):

# dig @192.175.48.42 1.1.168.192.in-addr.arpa PTR

; <<>> DiG 9.2.1 <<>> @192.175.48.42 1.1.168.192.in-addr.arpa PTR
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50669
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.1.168.192.in-addr.arpa.      IN      PTR

;; AUTHORITY SECTION:
168.192.in-addr.arpa.   300     IN      SOA     prisoner.iana.org. hostmaster.root-servers.org. 2004051800 1800 900 604800 300

;; Query time: 11 msec
;; SERVER: 192.175.48.42#53(192.175.48.42)
;; WHEN: Tue Mar 28 13:29:57 2006
;; MSG SIZE  rcvd: 119

Resolver 2 (failing):

# dig @192.175.48.42 1.1.168.192.in-addr.arpa PTR

; <<>> DiG 9.2.1 <<>> @192.175.48.42 1.1.168.192.in-addr.arpa PTR
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62187
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.1.168.192.in-addr.arpa.      IN      PTR

;; Query time: 16 msec
;; SERVER: 192.175.48.42#53(192.175.48.42)
;; WHEN: Tue Mar 28 13:21:02 2006
;; MSG SIZE  rcvd: 42

So every request to resolve RFC1918 IPs with resolver #2 times out and takes a long time to finish. I think the reason is one of the anycast servers acting abnormally. A trace from resolver 2 points to p80.net as provider:

[..]
 4  ge0-0-pr1.AMS.router.colt.net (212.74.66.146)  14.100 ms  14.122 ms  14.096 ms
 5  cr1.nl.p80.net (195.69.145.52)  14.839 ms  14.731 ms  14.123 ms
 6  blackhole-2.iana.org (192.175.48.42)  14.703 ms  15.020 ms  14.861 ms

Perhaps someone on this list has a shortcut to get the server back to normal again?

Regards,
Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Resist the beginnings (Wehret den Anfaengen): http://odem.org/informationsfreiheit/
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
> Perhaps someone on this list has a shortcut to get the server back to normal again?

See the following document on how to configure your own DNS servers so you don't needlessly query external DNS servers for RFC1918 addresses.

http://www.chagreslabs.net/jmbrown/research/drafts/draft-brown-pvtipdns-01.h...
* Sean Donelan <sean@donelan.com> [2006-03-28 21:24]:
> See the following document on how to configure your own DNS servers so you don't needlessly query external DNS servers for RFC1918 addresses.
> http://www.chagreslabs.net/jmbrown/research/drafts/draft-brown-pvtipdns-01.h...

The resolver is used by customers who sometimes leak RFC1918 requests to our resolver. I already told them to resolve that network internally, but still the IANA server is not working correctly IMHO.

I'm also thinking about routing the blackhole /24 to one of our DNS servers to resolve all of the RFC1918 space locally, but that will take a little bit more time.

BTW: No need to cc me, I read the list.

Regards,
Sebastian
On Tue, 28 Mar 2006, Sebastian Wiesinger wrote:
> I'm also thinking about routing the blackhole /24 to one of our DNS servers to resolve all of the RFC1918 space locally, but that will take a little bit more time.

I would suggest looking at the AS112 web site <http://www.as112.net/> for information on how to set up your own anycast DNS servers for RFC1918 addresses on your network and downstream customers.

It also has information on how to identify the contact information for the particular AS112 RFC1918 server answering your query. <http://public.as112.net/node/7>

And the contact e-mail for the AS112 project. <http://public.as112.net/node/9>

> BTW: No need to cc me, I read the list.

Ok. Teach a man to fish.
On Tue, Mar 28, 2006 at 09:34:59PM +0200, Sebastian Wiesinger wrote: ...
> The resolver is used by customers who sometimes leak RFC1918 requests to our resolver. I already told them to resolve that network internally, but still the IANA server is not working correctly IMHO.
>
> I'm also thinking about routing the blackhole /24 to one of our DNS servers to resolve all of the RFC1918 space locally, but that will take a little bit more time.
...

Just add zones 10.in-addr.arpa, 168.192.in-addr.arpa, and {16-31}.172.in-addr.arpa to ALL of your resolving name servers, pointing to a file that only has NS and SOA records. Or a "* IN PTR not-a-working-address." record. ;-)

Or if you want to preserve the purity of separation of your resolvers and authoritative name servers, do the above on one or more of your authoritative name servers, and make them "forward only" zones on your resolvers, pointing them to the authoritative name servers that have been so favoured.

It takes less time than reading this mailing list! ;-)

[I have carefully removed you from the "to" list.]

--
Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
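As an added example (not code from the thread or from any of its participants), the following Python script builds the BIND-style configuration Joe describes: the zone stanzas for 10.in-addr.arpa, 16 through 31 .172.in-addr.arpa and 168.192.in-addr.arpa, the SOA/NS-only zone file that makes every PTR query below those zones an authoritative NXDOMAIN, and the "forward only" variant for resolvers that should hand the zones to a separate authoritative server. It also includes a check that flags leaked RFC1918 reverse queries in a resolver's query log, which is how an operator would confirm the leak Sebastian mentions. The hostnames, file path, forwarder address and log lines are constructed placeholders; the SOA timers are copied from the IANA answer in the first message.

```python
"""Local 'empty' reverse zones for RFC 1918 space, plus a leak check.

Added example, not from the thread.  Hostnames (ns1.example.net,
hostmaster.example.net), the zone file path and the sample log are
constructed placeholders.
"""
import ipaddress
import re

RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def rfc1918_reverse_zones():
    """in-addr.arpa zone names covering RFC 1918 space on octet boundaries.

    172.16.0.0/12 is not octet-aligned, so it is split into the sixteen /16s
    16.172 ... 31.172, exactly as the {16-31}.172.in-addr.arpa shorthand says.
    """
    zones = []
    for net in RFC1918_NETWORKS:
        octet_prefix = 8 * ((net.prefixlen + 7) // 8)  # round up to a /8, /16, /24
        for sub in net.subnets(new_prefix=octet_prefix):
            octets = str(sub.network_address).split(".")[: octet_prefix // 8]
            zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def empty_zone_file(primary_ns="ns1.example.net.", hostmaster="hostmaster.example.net.",
                    serial=2006032801):
    """Minimal zone file: SOA and NS only.  With no PTR records beneath the
    apex, every lookup under the zone is answered locally with NXDOMAIN."""
    return "\n".join([
        "$TTL 300",
        f"@ IN SOA {primary_ns} {hostmaster} {serial} 1800 900 604800 300",
        f"@ IN NS {primary_ns}",
        "",
    ])


def named_conf_stanzas(zone_file="/etc/bind/db.empty-rfc1918", forward_to=None):
    """named.conf stanzas for all RFC 1918 reverse zones.

    forward_to=None serves each zone locally from the SOA/NS-only file (the
    'add to ALL resolvers' variant).  A list of authoritative server addresses
    instead emits 'forward only' zones pointing at those servers.
    """
    stanzas = []
    for zone in rfc1918_reverse_zones():
        if forward_to is None:
            stanzas.append(f'zone "{zone}" {{ type master; file "{zone_file}"; }};')
        else:
            fwd = "; ".join(forward_to) + ";"
            stanzas.append(
                f'zone "{zone}" {{ type forward; forward only; forwarders {{ {fwd} }}; }};')
    return "\n".join(stanzas)


# Full four-octet reverse name, optionally with the trailing root dot.
PTR_NAME = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE)


def is_rfc1918_reverse_query(qname):
    """True if qname is the reverse name of an address inside RFC 1918 space."""
    m = PTR_NAME.match(qname)
    if not m:
        return False
    try:
        addr = ipaddress.ip_address(".".join(reversed(m.groups())))
    except ValueError:  # an octet above 255 is not an address at all
        return False
    return any(addr in net for net in RFC1918_NETWORKS)


# Constructed sample of resolver query-log lines (BIND-style), not real traffic.
SAMPLE_QUERY_LOG = """\
client 203.0.113.7#53211: query: 1.1.168.192.in-addr.arpa IN PTR
client 203.0.113.9#40012: query: www.example.net IN A
client 198.51.100.4#51122: query: 4.5.20.172.in-addr.arpa IN PTR
client 198.51.100.4#51123: query: 9.1.32.172.in-addr.arpa IN PTR
client 203.0.113.7#53212: query: 42.0.0.10.in-addr.arpa IN PTR
"""

QUERY_LINE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN PTR")


def leaked_rfc1918_queries(log_text):
    """(client, qname) pairs for PTR queries that should never leave the network.
    172.32.x.x is outside 172.16.0.0/12 and is correctly not reported."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_LINE.search(line)
        if m and is_rfc1918_reverse_query(m.group(2)):
            leaks.append((m.group(1), m.group(2)))
    return leaks


if __name__ == "__main__":
    print(named_conf_stanzas())
    print(empty_zone_file())
    for client, qname in leaked_rfc1918_queries(SAMPLE_QUERY_LOG):
        print(f"leak from {client}: {qname}")
```

Dropping the generated stanzas into named.conf and pointing them at the one shared zone file is the whole procedure; the leak report is worth running against the resolver log both before the change (to size the problem) and after it (to confirm the queries now get a local NXDOMAIN and stop reaching 192.175.48.42).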