Blackhole server

{{about|blackhole DNS servers|other uses|black hole (disambiguation)}}

Blackhole DNS servers are Domain Name System (DNS) servers that return a "nonexistent address" answer to reverse DNS lookups for addresses reserved for private use.

Background

There are several ranges of network addresses reserved for use on private networks in IPv4, defined in RFC 1918 (updated by RFC 6761):{{Cite IETF|rfc=1918|bcp=5|title=Address Allocation for Private Internets|author1=Y. Rekhter|author2=B. Moskowitz|author3=D. Karrenberg|author4=G. J. de Groot|author5=E. Lear|date=February 1996|publisher=Network Working Group}}

{{trim|{{#section:IPv4|IPv4-private-networks}}}}

Reverse DNS queries are used to map IP addresses to domain names. They are PTR queries for subdomains of in-addr.arpa (for IPv4 addresses){{Cite report |url=https://www.rfc-editor.org/rfc/rfc1035 |title=Domain names - implementation and specification |date=November 1987 |publisher=Internet Engineering Task Force |issue=RFC 1035}} and ip6.arpa (for IPv6 addresses).{{Cite report |url=https://www.rfc-editor.org/rfc/rfc2874 |title=DNS Extensions to Support IPv6 Address Aggregation and Renumbering |last=Huitema |first=Christian |last2=Crawford |first2=Matt |date=July 2000 |publisher=Internet Engineering Task Force |issue=RFC 2874}} For example, to find the domain name associated with the IP address 203.0.113.22, one would reverse the octets and send a PTR query for 22.113.0.203.in-addr.arpa.

Misconfigured hosts{{Cite journal |last=Broido |first=Andre |last2=Hyun |first2=Young |last3=Fomenkov |first3=Marina |last4=claffy |first4=kc |date=2006-07-05 |title=The windows of private DNS updates |url=https://dl.acm.org/doi/10.1145/1140086.1140098 |journal=SIGCOMM Comput. Commun. Rev. |volume=36 |issue=3 |pages=93–98 |doi=10.1145/1140086.1140098 |issn=0146-4833|url-access=subscription }} often send reverse DNS queries for private addresses to the public DNS. The public DNS cannot meaningfully respond to these queries: the addresses are reserved for private networks, so the same address is in use on many unrelated networks and cannot correspond to a single public domain name. Without any mitigation, these queries would put unnecessary load on the in-addr.arpa and ip6.arpa nameservers.

Role

To deal with this problem, the Internet Assigned Numbers Authority (IANA) has set up three special DNS servers called "blackhole servers". Currently the blackhole servers are:{{Cite IETF|rfc=6305|title=I'm Being Attacked by PRISONER.IANA.ORG!|author1=J. Abley|author2=W. Maton|date=July 2011|publisher=IETF|issn=2070-1721}}

  • blackhole-1.iana.org ({{IPaddr|192.175.48.6}})
  • blackhole-2.iana.org ({{IPaddr|192.175.48.42}})
  • prisoner.iana.org ({{IPaddr|192.175.48.1}})

These servers are registered in the DNS as the authoritative servers for the reverse lookup zones of the {{IPaddr|10.0.0.0|8}}, {{IPaddr|172.16.0.0|12}} and {{IPaddr|192.168.0.0|16}} address ranges. They are configured to answer every query with a "nonexistent address" answer. This reduces wait times, because the negative answer is returned immediately and the querying host does not have to wait for a timeout. The negative answer may also be cached by recursive DNS servers, so a second lookup for the same address from the same node is usually answered from the local cache instead of being sent to the authoritative servers again, which reduces network load significantly. According to IANA, "the blackhole servers generally answer thousands of queries per second".{{cite web |title=Common questions regarding abuse issues |url=https://www.iana.org/help/abuse-answers |publisher=IANA}}

Because the load on the IANA blackhole servers became very high, an alternative service, AS112, was created, run mostly by volunteer operators.

AS112

The AS112 project is a group of volunteer name server operators joined in an autonomous system. They run anycasted instances of the name servers that answer reverse DNS lookups for private network and link-local addresses sent to the public Internet. These queries are ambiguous by their nature, and cannot be answered correctly. Providing negative answers reduces the load on the public DNS infrastructure.

History

Before 2001, the in-addr.arpa zones for the private networks were delegated to a single set of name servers, blackhole-1.iana.org and blackhole-2.iana.org, called the blackhole servers. The IANA-run servers were under increasing load from improperly configured NAT networks that leaked reverse DNS queries, which also placed unnecessary load on the root servers. A small subset of root server operators decided to run the reverse delegations themselves, each announcing the network using autonomous system number 112.{{Cite IETF|rfc=3258|title=Distributing Authoritative Name Servers via Shared Unicast Addresses|author=T. Hardie|date=April 2002|publisher=Network Working Group IETF}} The group of volunteers has since grown to include many other organizations.

An alternative approach, using DNAME redirection, was adopted by the IETF in May 2015.{{Cite IETF|rfc=7534|title=AS112 Nameserver Operations|author1=J. Abley|author2=W. Sotomayor|publisher=IETF|date=May 2015}}{{Cite IETF|rfc=7535|title=AS112 Redirection Using DNAME|author1=J. Abley|author2=B. Dickson|author3=W. Kumari|author4=G. Michaelson|date=May 2015|publisher=IETF}} (RFC 7534 obsoletes RFC 6304.) DNS zone administrators can redirect queries to AS112 by setting up a DNAME redirection to empty.as112.arpa.

Answered zones

The name servers participating in the AS112 project are each configured to answer authoritatively for the following zones:

  • For the {{IPaddr|10.0.0.0|8}}, {{IPaddr|172.16.0.0|12}} and {{IPaddr|192.168.0.0|16}} private networks:
      • 10.in-addr.arpa
      • 16.172.in-addr.arpa
      • 17.172.in-addr.arpa
      • 18.172.in-addr.arpa
      • 19.172.in-addr.arpa
      • 20.172.in-addr.arpa
      • 21.172.in-addr.arpa
      • 22.172.in-addr.arpa
      • 23.172.in-addr.arpa
      • 24.172.in-addr.arpa
      • 25.172.in-addr.arpa
      • 26.172.in-addr.arpa
      • 27.172.in-addr.arpa
      • 28.172.in-addr.arpa
      • 29.172.in-addr.arpa
      • 30.172.in-addr.arpa
      • 31.172.in-addr.arpa
      • 168.192.in-addr.arpa
  • For the {{IPaddr|169.254.0.0|16}} link-local addresses:{{Cite IETF|rfc=3927|title=Dynamic Configuration of IPv4 Link-Local Addresses|author1=S. Cheshire|author2=B. Aboba|author3=E. Guttman|date=May 2005|publisher=Network Working Group IETF}}
      • 254.169.in-addr.arpa
  • For certain special-use domain names:{{Cite report |url=https://datatracker.ietf.org/doc/html/rfc8375.html |title=Special-Use Domain 'home.arpa.' |last=Pfister |first=Pierre |last2=Lemon |first2=Ted |date=May 2018 |publisher=Internet Engineering Task Force |issue=RFC 8375}}
      • home.arpa
  • For unique identification purposes:
      • hostname.as112.net
      • hostname.as112.arpa
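The PTR-name construction described in the Background section and the zone list above, as an added Python example that is not part of the original article: it builds reverse names with the standard library's ipaddress module, matches query names against the zones listed on this page, and flags entries in a constructed, hypothetical resolver query log whose reverse lookups for private or link-local addresses would leak to AS112 if the local resolver did not answer them itself.

```python
import ipaddress

# Zones the AS112 nodes answer for, exactly as listed on this page.
AS112_ZONES = (
    ["10.in-addr.arpa"]
    + [f"{i}.172.in-addr.arpa" for i in range(16, 32)]
    + ["168.192.in-addr.arpa", "254.169.in-addr.arpa",
       "home.arpa", "hostname.as112.net", "hostname.as112.arpa"]
)


def reverse_name(ip: str) -> str:
    """Build the PTR query name (in-addr.arpa / ip6.arpa) for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def as112_zone_for(qname: str):
    """Return the AS112 zone that would serve qname, or None if the query
    belongs to the ordinary public DNS. Matching is done label by label, so
    e.g. 210.in-addr.arpa is not mistaken for a child of 10.in-addr.arpa."""
    labels = qname.lower().rstrip(".").split(".")
    for zone in AS112_ZONES:
        zlabels = zone.split(".")
        if labels[-len(zlabels):] == zlabels:
            return zone
    return None


# Constructed sample resolver query log (hypothetical format: client, qtype, qname).
SAMPLE_LOG = """\
192.0.2.10 PTR 22.113.0.203.in-addr.arpa.
192.0.2.11 PTR 5.1.168.192.in-addr.arpa.
192.0.2.12 PTR 9.20.172.in-addr.arpa.
192.0.2.13 PTR 7.0.254.169.in-addr.arpa.
192.0.2.14 A printer.home.arpa.
192.0.2.15 PTR 1.0.0.127.in-addr.arpa.
"""


def leaking_queries(log: str):
    """Return (client, qname, zone) for every log entry an AS112 node would answer."""
    leaks = []
    for line in log.splitlines():
        client, _qtype, qname = line.split()
        zone = as112_zone_for(qname)
        if zone is not None:
            leaks.append((client, qname, zone))
    return leaks


if __name__ == "__main__":
    print(reverse_name("203.0.113.22"))
    for entry in leaking_queries(SAMPLE_LOG):
        print(*entry)
```

Run against a real resolver's query log, the flagged clients are the misconfigured hosts the article describes; serving these zones locally (or a DNAME to empty.as112.arpa, as above) keeps them from leaving the network.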

References

{{Reflist|30em}}