Blackhole DNS servers are Domain Name System (DNS) servers that return a "nonexistent address" answer to reverse DNS lookups for addresses reserved for private use.
Background
There are several ranges of network addresses reserved for use on private networks in IPv4 (RFC 1918, updated by RFC 6761): 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
Reverse DNS queries are used to map IP addresses to domain names. They are PTR queries for subdomains of ''in-addr.arpa'' (for IPv4 addresses) and ''ip6.arpa'' (for IPv6 addresses). For example, to find the domain name associated with the IP address 203.0.113.22, one would send a PTR query for ''22.113.0.203.in-addr.arpa''.
Misconfigured hosts often send reverse DNS queries for private addresses to the public DNS. The public DNS cannot meaningfully respond to these queries, since these addresses are reserved for private networks and can't correspond to a single public domain name. Without any mitigation, these queries would put unnecessary load on the ''in-addr.arpa'' and ''ip6.arpa'' nameservers.
Role
To deal with this problem, the Internet Assigned Numbers Authority (IANA) has set up three special DNS servers called "blackhole servers". Currently the blackhole servers are:
* blackhole-1.iana.org ()
* blackhole-2.iana.org ()
* prisoner.iana.org ()
These servers are registered in the DNS as the authoritative servers for the reverse lookup zones of the private-use address ranges described above. They are configured to answer every query with a "nonexistent address" answer. This reduces wait times, because the negative answer is given immediately and no timeout has to expire. Additionally, the negative answer may be cached by recursive DNS servers, so a second lookup for the same address from the same node will probably be answered from the local cache instead of querying the authoritative servers again. This reduces the network load significantly. According to IANA, "the blackhole servers generally answer thousands of queries per second".
Because the load on the IANA blackhole servers became very high, an alternative service, AS112, was created, run mostly by volunteer operators.
AS112
The AS112 project is a group of volunteer name server operators joined in an autonomous system. They run anycasted instances of the name servers that answer reverse DNS lookups for private network and link-local addresses sent to the public Internet. These queries are ambiguous by their nature and cannot be answered correctly. Providing negative answers reduces the load on the public DNS infrastructure.
History
Before 2001, the in-addr.arpa zones for the private networks were delegated to a single instance of the name servers ''blackhole-1.iana.org'' and ''blackhole-2.iana.org'', called the blackhole servers. These IANA-run servers were under increasing load from improperly configured NAT networks leaking reverse DNS queries, which also caused unnecessary load on the root servers. A small subset of root server operators decided to run the reverse delegations themselves, each announcing the network using autonomous system number 112. Later, the group of volunteers grew to include many other organizations.
An alternative approach, using DNAME redirection, was adopted by the IETF in May 2015 (obsoleting RFC 6304). DNS zone administrators can redirect queries to AS112 by setting up a DNAME redirection to ''empty.as112.arpa''.
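An added example, not part of the original article, of what such a DNAME redirection does to a query name: the DNAME owners below are an assumed configuration (every owner pointing at the ''empty.as112.arpa'' target the text names), and the rewriting follows the RFC 6672 substitution rule, in which the owner suffix is replaced by the target and the owner name itself is never rewritten.

```python
from typing import Dict, Optional, Tuple

# Hypothetical DNAME records an administrator could publish (assumed configuration,
# not the page's own): each private-use reverse zone redirects to empty.as112.arpa.
DNAME_TABLE: Dict[str, str] = {
    **{f"{i}.172.in-addr.arpa.": "empty.as112.arpa." for i in range(16, 32)},
    "10.in-addr.arpa.": "empty.as112.arpa.",
    "168.192.in-addr.arpa.": "empty.as112.arpa.",
    "254.169.in-addr.arpa.": "empty.as112.arpa.",
}

def canonical(name: str) -> str:
    """Lower-case, fully qualified form used for suffix comparison."""
    n = name.lower()
    return n if n.endswith(".") else n + "."

def apply_dname(qname: str, table: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Apply RFC 6672 DNAME substitution to qname.

    Returns (owner, redirected_name) when qname is a proper subdomain of a DNAME
    owner, the closest enclosing owner winning; None when no DNAME applies.
    The owner itself is never rewritten, since a DNAME only covers names below it.
    """
    q = canonical(qname)
    owner = max((o for o in table if q.endswith("." + o)), key=len, default=None)
    if owner is None:
        return None
    return owner, q[: -len(owner)] + table[owner]

def synthesized_cname(qname: str, table: Dict[str, str]) -> Optional[str]:
    """The CNAME a resolver synthesizes alongside the DNAME, in zone-file form."""
    hit = apply_dname(qname, table)
    if hit is None:
        return None
    return f"{canonical(qname)} IN CNAME {hit[1]}"

if __name__ == "__main__":
    for name in ("7.0.0.10.in-addr.arpa", "9.8.17.172.in-addr.arpa", "22.113.0.203.in-addr.arpa"):
        print(name, "->", apply_dname(name, DNAME_TABLE))
```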
Answered zones
The name servers participating in the AS112 project are each configured to answer authoritatively for the following zones:
* For the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 private networks:
** 10.in-addr.arpa
** 16.172.in-addr.arpa
** 17.172.in-addr.arpa
** 18.172.in-addr.arpa
** 19.172.in-addr.arpa
** 20.172.in-addr.arpa
** 21.172.in-addr.arpa
** 22.172.in-addr.arpa
** 23.172.in-addr.arpa
** 24.172.in-addr.arpa
** 25.172.in-addr.arpa
** 26.172.in-addr.arpa
** 27.172.in-addr.arpa
** 28.172.in-addr.arpa
** 29.172.in-addr.arpa
** 30.172.in-addr.arpa
** 31.172.in-addr.arpa
** 168.192.in-addr.arpa
* For the link-local addresses:
** 254.169.in-addr.arpa
* For certain special-use domain names:
** home.arpa
* For unique identification purposes:
** hostname.as112.net
** hostname.as112.arpa
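As an added illustration that is not from the original article, the following Python script applies the reverse-name construction from the Background section and the zone list above to constructed resolver log lines, flagging the queries a correctly configured resolver should answer locally instead of sending them to the public DNS. The BIND-style log format, the client addresses and the query names are assumed sample data.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# The zones the page lists as answered by AS112 (the hostname.as112.* identification zones are omitted).
AS112_ZONES: List[str] = (
    ["10.in-addr.arpa"]
    + [f"{i}.172.in-addr.arpa" for i in range(16, 32)]
    + ["168.192.in-addr.arpa", "254.169.in-addr.arpa", "home.arpa"]
)

def reverse_name(ip: str) -> str:
    """PTR owner name for an address: 203.0.113.22 -> 22.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def as112_zone_for(qname: str) -> Optional[str]:
    """AS112 zone that would absorb qname, or None when the public DNS can answer it."""
    name = qname.rstrip(".").lower()
    for zone in AS112_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

# Constructed resolver query-log lines in BIND querylog style (sample data, not real traffic).
SAMPLE_LOG = """\
client 192.0.2.10#53211: query: 22.113.0.203.in-addr.arpa IN PTR + (198.51.100.1)
client 192.0.2.11#40012: query: 5.1.168.192.in-addr.arpa IN PTR + (198.51.100.1)
client 192.0.2.12#40013: query: 7.0.0.10.in-addr.arpa IN PTR + (198.51.100.1)
client 192.0.2.13#40014: query: printer.home.arpa IN A + (198.51.100.1)
client 192.0.2.14#40015: query: 1.2.254.169.in-addr.arpa IN PTR + (198.51.100.1)
client 192.0.2.15#40016: query: www.example.com IN A + (198.51.100.1)
"""
LOG_RE = re.compile(r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def find_leaks(log_text: str) -> List[Tuple[str, str, str]]:
    """(client, qname, zone) for each query that only AS112 or a local empty zone should ever see."""
    leaks = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        zone = as112_zone_for(m["qname"])
        if zone is not None:
            leaks.append((m["client"], m["qname"], zone))
    return leaks

if __name__ == "__main__":
    for client, qname, zone in find_leaks(SAMPLE_LOG):
        print(f"{client}: {qname} falls under AS112 zone {zone}; serve it locally instead")
```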
External links
* The IANA abuse FAQ, which contains information about the blackhole servers.
* AS112 web page
* Notes describing the impact of RFC 1918 network queries on the root servers.
* Mailing list for AS112 operators.