Wikipedia

Blackhole server

Blackhole DNS servers are Domain Name System (DNS) servers that return a "nonexistent address" answer to reverse DNS lookups for addresses reserved for private use.

Background

There are several ranges of network addresses reserved for use on private networks in IPv4:[1]

Reserved private IPv4 network ranges[2]
Name | CIDR block | Address range | Number of addresses | Classful description
24-bit block | 10.0.0.0/8 | 10.0.0.0 – 10.255.255.255 | 16777216 | Single Class A
20-bit block | 172.16.0.0/12 | 172.16.0.0 – 172.31.255.255 | 1048576 | Contiguous range of 16 Class B blocks
16-bit block | 192.168.0.0/16 | 192.168.0.0 – 192.168.255.255 | 65536 | Contiguous range of 256 Class C blocks

Even though traffic to or from these addresses should never appear on the public Internet, it is not uncommon for such traffic to appear anyway.

Role

To deal with this problem, the Internet Assigned Numbers Authority (IANA) has set up three special DNS servers called "blackhole servers". Currently the blackhole servers are:[3]

  • blackhole-1.iana.org (192.175.48.6)
  • blackhole-2.iana.org (192.175.48.42)
  • prisoner.iana.org (192.175.48.1)

These servers are registered in the DNS directory as the authoritative servers for the reverse lookup zone of the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 addresses. These servers are configured to answer any query with a "nonexistent address" answer. This helps to reduce wait times because the (negative) answer is given immediately and thus no wait for a timeout is necessary. Additionally, the answer returned is also allowed to be cached by recursive DNS servers. This is especially helpful because a second lookup for the same address performed by the same node would probably be answered from the local cache instead of querying the authoritative servers again. This helps reduce the network load significantly. According to IANA, "the blackhole servers generally answer thousands of queries per second".[4] Because the load on the IANA blackhole servers became very high, an alternative service, AS112, has been created, mostly run by volunteer operators.

AS112

The AS112 project is a group of volunteer name server operators joined in an autonomous system. They run anycasted instances of the name servers that answer reverse DNS lookups for private network and link-local addresses sent to the public Internet. These queries are ambiguous by their nature, and cannot be answered correctly. Providing negative answers reduces the load on the public DNS infrastructure.

History

Before 2001, the in-addr.arpa zones for the private networks[1] were delegated to a single instance of name servers, blackhole-1.iana.org and blackhole-2.iana.org, called the blackhole servers. The IANA-run servers were under increasing load from improperly configured NAT networks that leaked reverse DNS queries, which also caused unnecessary load on the root servers. A small subset of root server operators decided to run the reverse delegations, each announcing the network using autonomous system number 112.[5] Later, the group of volunteers grew to include many other organizations.

An alternative approach, using DNAME redirection, was adopted by the IETF in May 2015.[6][7]

Answered zones

The name servers participating in the AS112 project are each configured to answer authoritatively for the following zones:

  • For the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 private networks:[1]
    • 10.in-addr.arpa
    • 16.172.in-addr.arpa
    • 17.172.in-addr.arpa
    • 18.172.in-addr.arpa
    • 19.172.in-addr.arpa
    • 20.172.in-addr.arpa
    • 21.172.in-addr.arpa
    • 22.172.in-addr.arpa
    • 23.172.in-addr.arpa
    • 24.172.in-addr.arpa
    • 25.172.in-addr.arpa
    • 26.172.in-addr.arpa
    • 27.172.in-addr.arpa
    • 28.172.in-addr.arpa
    • 29.172.in-addr.arpa
    • 30.172.in-addr.arpa
    • 31.172.in-addr.arpa
    • 168.192.in-addr.arpa
  • For the 169.254.0.0/16 link-local addresses:[8]
    • 254.169.in-addr.arpa
  • For unique identification purposes:
    • hostname.as112.net
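
The zone list above can be derived from the four address ranges and used to spot reverse lookups that a local resolver is sending to the public Internet. The following is an added example, not part of the original article; the log format (client, query type, query name, action) and the sample lines are constructed for illustration.

```python
import ipaddress

# Networks whose reverse zones the article lists as answered by AS112 nodes.
AS112_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def as112_zones():
    """Expand each network into the in-addr.arpa zones delegated for it."""
    zones = set()
    for net in AS112_NETS:
        # Reverse zones are cut on octet boundaries, so a /12 becomes 16 /16 zones.
        octets = (net.prefixlen + 7) // 8
        for sub in net.subnets(new_prefix=octets * 8):
            labels = str(sub.network_address).split(".")[:octets]
            zones.add(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones

ZONES = as112_zones()

def matching_zone(qname):
    """Return the AS112 zone that contains qname, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate
    return None

def leaking_queries(log_lines):
    """Yield (client, qname, zone) for PTR queries forwarded upstream
    that fall inside an AS112 zone."""
    for line in log_lines:
        client, qtype, qname, action = line.split()
        zone = matching_zone(qname)
        if qtype == "PTR" and action == "forwarded" and zone:
            yield client, qname, zone

# Constructed sample log: "<client> <qtype> <qname> <action>"
SAMPLE_LOG = [
    "10.1.2.3 PTR 5.0.0.10.in-addr.arpa. forwarded",
    "10.1.2.3 PTR 8.8.8.8.in-addr.arpa. forwarded",
    "10.1.2.9 PTR 1.20.31.172.in-addr.arpa. forwarded",
    "10.1.2.9 PTR 1.0.32.172.in-addr.arpa. forwarded",
    "10.1.2.7 PTR 7.1.168.192.in-addr.arpa. answered-locally",
    "10.1.2.7 A www.example.com. forwarded",
]

if __name__ == "__main__":
    for hit in leaking_queries(SAMPLE_LOG):
        print(hit)
```

Each hit is a query that would reach a blackhole or AS112 server; serving these zones on the local resolver keeps internal addressing out of third-party query logs.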

References

  1. Y. Rekhter; B. Moskowitz; D. Karrenberg; G. J. de Groot; E. Lear (February 1996). Address Allocation for Private Internets. Network Working Group. doi:10.17487/RFC1918. BCP 5. RFC 1918. Updated by RFC 6761.
  2. Y. Rekhter; B. Moskowitz; D. Karrenberg; G. J. de Groot; E. Lear (February 1996). Address Allocation for Private Internets. Network Working Group. doi:10.17487/RFC1918. BCP 5. RFC 1918. Best Common Practice. Obsoletes RFC 1627 and 1597. Updated by RFC 6761.
  3. J. Abley; W. Maton (July 2011). I'm Being Attacked by PRISONER.IANA.ORG!. IETF. doi:10.17487/RFC6305. ISSN 2070-1721. RFC 6305.
  4. "Common questions regarding abuse issues". IANA.
  5. T. Hardie (April 2002). Distributing Authoritative Name Servers via Shared Unicast Addresses. Network Working Group, IETF. doi:10.17487/RFC3258. RFC 3258.
  6. J. Abley; W. Sotomayor (May 2015). AS112 Nameserver Operations. IETF. doi:10.17487/RFC7534. RFC 7534. Obsoletes RFC 6304.
  7. J. Abley; B. Dickson; W. Kumari; G. Michaelson (May 2015). AS112 Redirection Using DNAME. IETF. doi:10.17487/RFC7535. RFC 7535.
  8. S. Cheshire; B. Aboba; E. Guttman (May 2005). Dynamic Configuration of IPv4 Link-Local Addresses. Network Working Group, IETF. doi:10.17487/RFC3927. RFC 3927.

External links

  • The IANA abuse FAQ, which contains information about the blackhole servers.
  • AS112 web page
  • RSSAC Meeting Atlanta 2002: notes describing the impact of RFC 1918 network queries on the root servers.
  • Mailing list for AS112 operators.
