Blackhole server

Last updated

Blackhole DNS servers are Domain Name System (DNS) servers that return a "nonexistent address" answer to reverse DNS lookups for addresses reserved for private use.

Contents

Background

There are several ranges of network addresses reserved for use on private networks in IPv4: [1]

Reserved private IPv4 network ranges [2]
Name CIDR blockAddress rangeNumber of
addresses		 Classful description
24-bit block10.0.0.0/810.0.0.0 – 10.255.255.25516777216Single Class A
20-bit block172.16.0.0/12172.16.0.0 – 172.31.255.2551048576Contiguous range of 16 Class B blocks
16-bit block192.168.0.0/16192.168.0.0 – 192.168.255.25565536Contiguous range of 256 Class C blocks

Reverse DNS queries are used to map IP addresses to domain names. They are PTR queries for subdomains of in-addr.arpa (for IPv4 addresses) [3] and ip6.arpa (for IPv6 addresses) [4] . For example, to find the domain name associated with the IP address 203.0.113.22, one would send a PTR query for 22.133.0.203.in-addr.arpa.

Misconfigured hosts [5] often send reverse DNS queries for private addresses to the public DNS. The public DNS cannot meaningfully respond to these queries, since these addresses are reserved for private networks and can't correspond to a single public domain name. Without any mitigation, these queries would put unnecessary load on the in-addr.arpa and ip6.arpa nameservers [6] .

Role

To deal with this problem, the Internet Assigned Numbers Authority (IANA) has set up three special DNS servers called "blackhole servers". Currently the blackhole servers are: [7]

These servers are registered in the DNS directory as the authoritative servers for the reverse lookup zone of the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 addresses. These servers are configured to answer any query with a "nonexistent address" answer. This helps to reduce wait times because the (negative) answer is given immediately and thus no wait for a timeout is necessary. Additionally, the answer returned is also allowed to be cached by recursive DNS servers. This is especially helpful because a second lookup for the same address performed by the same node would probably be answered from the local cache instead of querying the authoritative servers again. This helps reduce the network load significantly. According to IANA, "the blackhole servers generally answer thousands of queries per second". [8] Because the load on the IANA blackhole servers became very high, an alternative service, AS112, has been created, mostly run by volunteer operators.

AS112

The AS112 project is a group of volunteer name server operators joined in an autonomous system. They run anycasted instances of the name servers that answer reverse DNS lookups for private network and link-local addresses sent to the public Internet. These queries are ambiguous by their nature, and cannot be answered correctly. Providing negative answers reduces the load on the public DNS infrastructure.

History

Before 2001, the in-addr.arpa zones for the private networks [1] were delegated to a single instance of name servers, blackhole-1.iana.org and blackhole-2.iana.org, called the blackhole servers. The IANA-run servers were under increasing load from improperly-configured NAT networks, leaking out reverse DNS queries, also causing unnecessary load on the root servers. The decision was made by a small subset of root server operators to run the reverse delegations; each announcing the network using the autonomous system number of 112. [9] Later, the group of volunteers has grown to include many other organizations.

An alternative approach, using DNAME redirection, was adopted by the IETF in May 2015. [6] [10] DNS zone administrators can redirect queries to AS112 by setting up a DNAME redirection to empty.as112.arpa. [10]

Answered zones

The name servers participating in the AS112 project are each configured to answer authoritatively for the following zones:

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

<span class="mw-page-title-main">IPv6</span> Version 6 of the Internet Protocol

Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion, and was intended to replace IPv4. In December 1998, IPv6 became a Draft Standard for the IETF, which subsequently ratified it as an Internet Standard on 14 July 2017.

A top-level domain (TLD) is one of the domains at the highest level in the hierarchical Domain Name System of the Internet after the root domain. The top-level domain names are installed in the root zone of the name space. For all domains in lower levels, it is the last part of the domain name, that is, the last non-empty label of a fully qualified domain name. For example, in the domain name www.example.com, the top-level domain is .com. Responsibility for management of most top-level domains is delegated to specific organizations by the ICANN, an Internet multi-stakeholder community, which operates the Internet Assigned Numbers Authority (IANA), and is in charge of maintaining the DNS root zone.

Time to live (TTL) or hop limit is a mechanism which limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timespan has elapsed, data is discarded or revalidated. In computer networking, TTL prevents a data packet from circulating indefinitely. In computing applications, TTL is commonly used to improve the performance and manage the caching of data.

A name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.

A multicast address is a logical identifier for a group of hosts in a computer network that are available to process datagrams or frames intended to be multicast for a designated network service. Multicast addressing can be used in the link layer, such as Ethernet multicast, and at the internet layer for Internet Protocol Version 4 (IPv4) or Version 6 (IPv6) multicast.

<span class="mw-page-title-main">Root name server</span> Name server for the DNS root zone

A root name server is a name server for the root zone of the Domain Name System (DNS) of the Internet. It directly answers requests for records in the root zone and answers other requests by returning a list of the authoritative name servers for the appropriate top-level domain (TLD). The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts.

Bogon filtering is the practice of blocking packets known as bogons, which are ones sent to a computer network claiming to originate from invalid or bogus IP addresses, known as bogon addresses.

<span class="mw-page-title-main">Anycast</span> Network addressing and routing methodology

Anycast is a network addressing and routing methodology in which a single IP address is shared by devices in multiple locations. Routers direct packets addressed to this destination to the location nearest the sender, using their normal decision-making algorithms, typically the lowest number of BGP network hops. Anycast routing is widely used by content delivery networks such as web and name servers, to bring their content closer to end users.

In computer networking, localhost is a hostname that refers to the current computer used to access it. The name localhost is reserved for loopback purposes. It is used to access the network services that are running on the host via the loopback network interface. Using the loopback interface bypasses any local network interface hardware.

A Canonical Name (CNAME) record is a type of resource record in the Domain Name System (DNS) that maps one domain name to another.

In Internet networking, a private network is a computer network that uses a private address space of IP addresses. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments. Both the IPv4 and the IPv6 specifications define private IP address ranges.

The domain name arpa is a top-level domain (TLD) in the Domain Name System (DNS) of the Internet. It is used predominantly for the management of technical network infrastructure. Prominent among such functions are the subdomains in-addr.arpa and ip6.arpa, which provide namespaces for reverse DNS lookup of IPv4 and IPv6 addresses, respectively.

In computer networks, a reverse DNS lookup or reverse DNS resolution (rDNS) is the querying technique of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the usual "forward" DNS lookup of an IP address from a domain name. The process of reverse resolving of an IP address uses PTR records. rDNS involves searching domain name registry and registrar tables. The reverse DNS database of the Internet is rooted in the .arpa top-level domain.

<span class="mw-page-title-main">DNS zone</span> Administrable unit of the Domain Name System

A DNS zone is a specific portion of the DNS namespace in the Domain Name System (DNS), which a specific organization or administrator manages. A DNS zone is an administrative space allowing more granular control of the DNS components, such as authoritative nameserver. The DNS is broken up into different zones, distinctly managed areas in the DNS namespace. DNS zones are not necessarily physically separated from one another; however, a DNS zone can contain multiple subdomains, and multiple zones can exist on the same server.

Multicast DNS (mDNS) is a computer networking protocol that resolves hostnames to IP addresses within small networks that do not include a local name server. It is a zero-configuration service, using essentially the same programming interfaces, packet formats and operating semantics as unicast Domain Name System (DNS). It was designed to work as either a stand-alone protocol or compatible with standard DNS servers. It uses IP multicast User Datagram Protocol (UDP) packets and is implemented by the Apple Bonjour and open-source Avahi software packages, included in most Linux distributions. Although the Windows 10 implementation was limited to discovering networked printers, subsequent releases resolved hostnames as well. mDNS can work in conjunction with DNS Service Discovery (DNS-SD), a companion zero-configuration networking technique specified separately in RFC 6763.

WHOIS is a query and response protocol that is used for querying databases that store an Internet resource's registered users or assignees. These resources include domain names, IP address blocks and autonomous systems, but it is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format. The current iteration of the WHOIS protocol was drafted by the Internet Society, and is documented in RFC 3912.

An IPv6 transition mechanism is a technology that facilitates the transitioning of the Internet from the Internet Protocol version 4 (IPv4) infrastructure in use since 1983 to the successor addressing and routing system of Internet Protocol Version 6 (IPv6). As IPv4 and IPv6 networks are not directly interoperable, transition technologies are designed to permit hosts on either network type to communicate with any other host.

A unique local address (ULA) is an Internet Protocol version 6 (IPv6) address in the address range fc00::/7. These addresses are non-globally reachable. For this reason, ULAs are somewhat analogous to IPv4 private network addressing, but with significant differences. Unique local addresses may be used freely, without centralized registration, inside a single site or organization or spanning a limited number of sites or organizations.

<span class="mw-page-title-main">IPv6 address</span> Label to identify a network interface of a computer or other network node

An Internet Protocol version 6 address is a numeric label that is used to identify and locate a network interface of a computer or a network node participating in a computer network using IPv6. IP addresses are included in the packet header to indicate the source and the destination of each packet. The IP address of the destination is used to make decisions about routing IP packets to other networks.

References

  1. 1 2 3 Y. Rekhter; B. Moskowitz; D. Karrenberg; G. J. de Groot; E. Lear (February 1996). Address Allocation for Private Internets. Network Working Group. doi: 10.17487/RFC1918 . BCP 5. RFC 1918. Updated by RFC 6761.
  2. Y. Rekhter; B. Moskowitz; D. Karrenberg; G. J. de Groot; E. Lear (February 1996). Address Allocation for Private Internets. Network Working Group. doi: 10.17487/RFC1918 . BCP 5. RFC 1918.Best Current Practice 5. Obsoletes RFC  1627 and 1597. Updated by RFC  6761.
  3. Domain names - implementation and specification (Report). Internet Engineering Task Force. November 1987.
  4. Huitema, Christian; Crawford, Matt (July 2000). DNS Extensions to Support IPv6 Address Aggregation and Renumbering (Report). Internet Engineering Task Force.
  5. Broido, Andre; Hyun, Young; Fomenkov, Marina; claffy, kc (2006-07-05). "The windows of pivate DNS updates". SIGCOMM Comput. Commun. Rev. 36 (3): 93–98. doi:10.1145/1140086.1140098. ISSN   0146-4833.
  6. 1 2 3 J. Abley; W. Sotomayor (May 2015). AS112 Nameserver Operations. IETF. doi: 10.17487/RFC7534 . RFC 7534. Obsoletes RFC 6304.
  7. J. Abley; W. Maton (July 2011). I'm Being Attacked by PRISONER.IANA.ORG!. IETF. doi: 10.17487/RFC6305 . ISSN   2070-1721. RFC 6305.
  8. "Common questions regarding abuse issues". IANA.
  9. T. Hardie (April 2002). Distributing Authoritative Name Servers via Shared Unicast Addresses. Network Working Group IETF. doi: 10.17487/RFC3258 . RFC 3258.
  10. 1 2 J. Abley; B. Dickson; W. Kumari; G. Michaelson (May 2015). AS112 Redirection Using DNAME. IETF. doi: 10.17487/RFC7535 . RFC 7535.
  11. S. Cheshire; B. Aboba; E. Guttman (May 2005). Dynamic Configuration of IPv4 Link-Local Addresses. Network Working Group IETF. doi: 10.17487/RFC3927 . RFC 3927.
  12. Pfister, Pierre; Lemon, Ted (May 2018). Special-Use Domain 'home.arpa.' (Report). Internet Engineering Task Force.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.