Blackhole server

Blackhole DNS servers are Domain Name System (DNS) servers that return a "nonexistent address" answer to reverse DNS lookups for addresses reserved for private use.

Background

There are several ranges of network addresses reserved for use on private networks in IPv4: [1]

Reserved private IPv4 network ranges [2]

Name          CIDR block      Address range                  Number of addresses  Classful description
24-bit block  10.0.0.0/8      10.0.0.0 – 10.255.255.255      16,777,216           Single Class A.
20-bit block  172.16.0.0/12   172.16.0.0 – 172.31.255.255    1,048,576            Contiguous range of 16 Class B blocks.
16-bit block  192.168.0.0/16  192.168.0.0 – 192.168.255.255  65,536               Contiguous range of 256 Class C blocks.

Even though traffic to or from these addresses should never appear on the public Internet, it is not uncommon for such traffic to appear anyway.

Role

To deal with this problem, the Internet Assigned Numbers Authority (IANA) has set up three special DNS servers called "blackhole servers". Currently the blackhole servers are: [3]

These servers are registered in the DNS as the authoritative servers for the reverse lookup zones of the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 addresses, and they are configured to answer every query with a "nonexistent address" answer. This reduces wait times, because the negative answer is returned immediately rather than after a timeout. The answer may also be cached by recursive DNS servers, so a second lookup for the same address from the same node will usually be answered from the local cache instead of by querying the authoritative servers again, which reduces the network load significantly. According to IANA, "the blackhole servers generally answer thousands of queries per second". [4] Because the load on the IANA blackhole servers became very high, an alternative service, AS112, was created, run mostly by volunteer operators.
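The following is an added example, not code from the article or from IANA or the AS112 project. It shows, from the operator's side, what the blackhole servers are absorbing: it builds the in-addr.arpa name a reverse lookup queries, maps such a name to the reverse zone that would have to answer it, and then scans a constructed resolver log for PTR queries on private ranges that a local recursive resolver forwarded upstream instead of answering itself. Each such query is both wasted load on the public infrastructure and a small disclosure of internal addressing. The three RFC 1918 blocks are taken from the table above; the inclusion of the 169.254.0.0/16 link-local block (RFC 3927) and the log line format are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Address blocks whose reverse (in-addr.arpa) zones are answered by the IANA
# blackhole servers / AS112. The three RFC 1918 blocks come from the table in
# the Background section; 169.254.0.0/16 (IPv4 link-local, RFC 3927) is an
# assumption added here because the AS112 section mentions link-local addresses.
BLACKHOLED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")
]

# Constructed sample resolver log (not real data). "forwarded=yes" means the
# local recursive resolver sent the query upstream instead of answering it itself.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.1.2.3 qtype=PTR qname=7.6.5.10.in-addr.arpa forwarded=yes
2024-05-01T10:00:02Z client=10.1.2.3 qtype=PTR qname=9.8.20.172.in-addr.arpa forwarded=yes
2024-05-01T10:00:03Z client=10.1.2.4 qtype=PTR qname=1.0.168.192.in-addr.arpa forwarded=no
2024-05-01T10:00:04Z client=10.1.2.4 qtype=PTR qname=1.2.0.192.in-addr.arpa forwarded=yes
2024-05-01T10:00:05Z client=10.1.2.5 qtype=A qname=example.com forwarded=yes
2024-05-01T10:00:06Z client=10.1.2.5 qtype=PTR qname=1.1.254.169.in-addr.arpa forwarded=yes
"""

_PTR_RE = re.compile(
    r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?", re.IGNORECASE)
_LOG_RE = re.compile(
    r"qtype=(?P<qtype>\S+) qname=(?P<qname>\S+) forwarded=(?P<fwd>yes|no)")


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name that a PTR lookup for `ip` queries."""
    return ipaddress.ip_address(ip).reverse_pointer


def ip_from_reverse_name(qname: str):
    """Turn a full in-addr.arpa PTR name back into an IPv4Address, or None."""
    m = _PTR_RE.fullmatch(qname)
    if m is None:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(m.groups())))
    except ValueError:  # an octet above 255
        return None


def blackhole_zone(qname: str):
    """Return the reverse zone (e.g. '16.172.in-addr.arpa') that covers `qname`
    and that the blackhole / AS112 servers are authoritative for, or None when
    the name is not a reverse lookup for one of the blackholed ranges.
    10.0.0.0/8 is one /8 zone; the other blocks are delegated as /16 zones
    (172.16.0.0/12 as sixteen of them), so zone names are derived accordingly."""
    ip = ip_from_reverse_name(qname)
    if ip is None:
        return None
    for net in BLACKHOLED_NETWORKS:
        if ip in net:
            o = str(ip).split(".")
            if net.prefixlen == 8:
                return f"{o[0]}.in-addr.arpa"
            return f"{o[1]}.{o[0]}.in-addr.arpa"
    return None


def leaked_reverse_queries(log_lines):
    """Count PTR queries for blackholed ranges that the local resolver forwarded
    upstream, grouped by the zone they would land in. Each such query should
    have been answered locally; forwarding it leaks internal addressing."""
    leaks = Counter()
    for line in log_lines:
        m = _LOG_RE.search(line)
        if m is None or m["qtype"] != "PTR" or m["fwd"] != "yes":
            continue
        zone = blackhole_zone(m["qname"])
        if zone is not None:
            leaks[zone] += 1
    return dict(leaks)


if __name__ == "__main__":
    print(reverse_name("192.168.0.1"))
    for zone, count in sorted(leaked_reverse_queries(SAMPLE_LOG.splitlines()).items()):
        print(f"{zone}: {count} leaked PTR queries")
```

A non-zero count from `leaked_reverse_queries` on a real resolver log means the local resolver is relying on the blackhole servers for negative answers; the fix on the operator's side is to have the local recursive resolver answer these reverse zones itself, so the queries never reach the public DNS.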

AS112

The AS112 project is a group of volunteer name server operators joined in an autonomous system. They run anycasted instances of the name servers that answer reverse DNS lookups for private network and link-local addresses sent to the public Internet. These queries are ambiguous by their nature and cannot be answered correctly. Providing negative answers reduces the load on the public DNS infrastructure.

History

Before 2001, the in-addr.arpa zones for the private networks [1] were delegated to a single set of name servers, blackhole-1.iana.org and blackhole-2.iana.org, called the blackhole servers. These IANA-run servers were under increasing load from improperly configured NAT networks that leaked reverse DNS queries onto the public Internet, which also placed unnecessary load on the root servers. A small subset of the root server operators decided to run the reverse delegations themselves, each announcing the network using the autonomous system number 112. [5] The group of volunteers has since grown to include many other organizations.

An alternative approach, using DNAME redirection, was adopted by the IETF in May 2015. [6] [7]

Answered zones

The name servers participating in the AS112 project are each configured to answer authoritatively for the following zones:

References

  1. Y. Rekhter; B. Moskowitz; D. Karrenberg; G. J. de Groot; E. Lear (February 1996). Address Allocation for Private Internets. Network Working Group. doi:10.17487/RFC1918. BCP 5. RFC 1918. Updated by RFC 6761.
  2. Y. Rekhter; B. Moskowitz; D. Karrenberg; G. J. de Groot; E. Lear (February 1996). Address Allocation for Private Internets. Network Working Group. doi:10.17487/RFC1918. BCP 5. RFC 1918. Obsoletes RFC 1627 and RFC 1597. Updated by RFC 6761.
  3. J. Abley; W. Maton (July 2011). I'm Being Attacked by PRISONER.IANA.ORG!. IETF. doi:10.17487/RFC6305. ISSN 2070-1721. RFC 6305.
  4. "Common questions regarding abuse issues". IANA.
  5. T. Hardie (April 2002). Distributing Authoritative Name Servers via Shared Unicast Addresses. Network Working Group, IETF. doi:10.17487/RFC3258. RFC 3258.
  6. J. Abley; W. Sotomayor (May 2015). AS112 Nameserver Operations. IETF. doi:10.17487/RFC7534. RFC 7534. Obsoletes RFC 6304.
  7. J. Abley; B. Dickson; W. Kumari; G. Michaelson (May 2015). AS112 Redirection Using DNAME. IETF. doi:10.17487/RFC7535. RFC 7535.
  8. S. Cheshire; B. Aboba; E. Guttman (May 2005). Dynamic Configuration of IPv4 Link-Local Addresses. Network Working Group, IETF. doi:10.17487/RFC3927. RFC 3927.