Blackhole server
Blackhole DNS servers are DNS servers that return a "nonexistent address" answer to reverse DNS lookups for addresses reserved for private use.
Background
RFC 1918 reserves several ranges of network addresses for use on private intranets. This is required to avoid address collisions between nodes on the Internet and nodes on the intranet. The addresses reserved for this use by RFC 1918 are:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
Even though traffic to or from these addresses should never appear on the public Internet, it is not uncommon for such traffic to appear anyway. Some servers are configured (usually for logging reasons) to perform a reverse DNS lookup on clients' IP addresses. If such a server encounters a packet originating from an RFC 1918 address, it may try performing a reverse lookup on that address. This causes unnecessary network traffic and may also impair the functionality of the server, because the query would go unanswered and the server would have to wait for the query to time out.
Role
To deal with this problem, IANA (the Internet Assigned Numbers Authority) has set up three special DNS servers called "blackhole servers". Currently the blackhole servers are:
- blackhole-1.iana.org
- blackhole-2.iana.org
- prisoner.iana.org
These servers are registered in the DNS as the authoritative servers for the reverse lookup zones of the RFC 1918 addresses, and they are configured to answer any query with a "nonexistent address" answer. This helps reduce wait times, because the negative answer is given immediately and no wait for a timeout is necessary. Additionally, the returned answer may be cached by recursive DNS servers. This is especially helpful because a second lookup for the same address performed by the same node would probably be answered from the local cache instead of querying the authoritative servers again, which reduces the network load significantly. According to IANA, the blackhole servers receive thousands of queries every second.
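The following is an added example (not code from the page, and not IANA's or the blackhole servers' own software) that models the two mechanisms just described, together with the RFC 1918 ranges from the Background section: an authoritative blackhole server that answers every query in its reverse zones with NXDOMAIN, and a recursive resolver whose negative cache absorbs repeat queries for the same address. It also shows the defender-side pattern a logging server should use: check whether a client address is private before sending any reverse lookup. The zone names use the standard in-addr.arpa form; the rcode strings, TTL value and the `UNMODELLED` marker for the public reverse tree are assumptions of this model, and nothing here sends packets.

```python
"""Model of IANA-style blackhole servers for RFC 1918 reverse lookups, plus the
negative cache of a recursive resolver. Added example; everything is simulated
in-process, no DNS traffic is generated."""
import ipaddress
import time

# The three RFC 1918 private ranges listed in the Background section.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Reverse-lookup (PTR) zones covering those ranges, in in-addr.arpa form.
# 172.16.0.0/12 is not on an octet boundary, so it spans sixteen /16 zones.
BLACKHOLE_ZONES = (
    ["10.in-addr.arpa."]
    + [f"{octet}.172.in-addr.arpa." for octet in range(16, 32)]
    + ["168.192.in-addr.arpa."]
)


def is_rfc1918(ip: str) -> bool:
    """True if the IPv4 address falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETWORKS)


def reverse_name(ip: str) -> str:
    """PTR query name for an IPv4 address: 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def in_blackhole_zone(qname: str) -> bool:
    """Label-aware suffix test, so 100.in-addr.arpa is not mistaken for 10.in-addr.arpa."""
    return any(qname == zone or qname.endswith("." + zone) for zone in BLACKHOLE_ZONES)


def blackhole_answer(qname: str) -> str:
    """What a blackhole server replies: NXDOMAIN for any name inside its zones,
    REFUSED for names it is not authoritative for (rcode strings are assumed here)."""
    return "NXDOMAIN" if in_blackhole_zone(qname) else "REFUSED"


class RecursiveResolver:
    """Minimal recursive resolver with a negative cache. Only the RFC 1918 reverse
    tree is modelled; any other PTR name is reported as UNMODELLED."""

    def __init__(self, negative_ttl: int = 3600):
        self.negative_ttl = negative_ttl   # assumed TTL for cached negative answers
        self.negative_cache = {}           # qname -> expiry time
        self.upstream_queries = 0          # times the authoritative server was asked

    def resolve_ptr(self, ip: str, now=None):
        """Return (rcode, served_from_cache) for a reverse lookup of ip."""
        now = time.monotonic() if now is None else now
        qname = reverse_name(ip)
        expiry = self.negative_cache.get(qname)
        if expiry is not None and expiry > now:
            return "NXDOMAIN", True        # answered locally, no upstream traffic
        if not in_blackhole_zone(qname):
            return "UNMODELLED", False     # would go to the real reverse tree
        self.upstream_queries += 1
        rcode = blackhole_answer(qname)    # immediate negative answer, no timeout wait
        self.negative_cache[qname] = now + self.negative_ttl
        return rcode, False


def safe_reverse_lookup(ip: str, resolver: RecursiveResolver):
    """Defender-side pattern for a logging server: never send a reverse lookup for
    a private client address at all; only public addresses are resolved."""
    if is_rfc1918(ip):
        return None
    return resolver.resolve_ptr(ip)[0]


if __name__ == "__main__":
    r = RecursiveResolver()
    for client in ("192.168.1.50", "192.168.1.50", "10.0.0.7", "172.31.4.4"):
        print(client, reverse_name(client), r.resolve_ptr(client))
    print("upstream queries:", r.upstream_queries)
```

Running the block resolves the same private address twice; the second call is served from the negative cache and the upstream counter stays at one for that name, which is the load reduction the article attributes to cacheable negative answers. `safe_reverse_lookup` is the cheaper fix for the server doing the logging: a local range check costs nothing and avoids emitting the query in the first place.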
Because the load on the IANA blackhole servers became very high, an alternative service, AS112, has been created, mostly run by volunteer operators.
External links
- The IANA abuse FAQ, which contains information about the blackhole servers.