problem with reverse lookup of private IP

Barry Margolin barmar at genuity.net
Fri Mar 8 15:19:14 UTC 2002


In article <a69d8g$38s at pub3.rc.vix.com>,
Nathan Jones  <nathanj at optimo.com.au> wrote:
>
>On Thu, Mar 07, 2002 at 04:25:07PM -0500, Kevin Darcy wrote:
>>Yes, "strange" things happen when you don't have the appropriate RFC 1918
>>reverse zones set up in your DNS infrastructure. The "strange" thing is
>>that your nameserver(s) try to resolve those addresses from the
>>"blackhole" servers, which are perpetually overloaded.
>
>I have a further question on this. In your opinion, is it okay for a
>customer to expect her ISP's nameservers to respond to queries about
>private IP addresses?

Not unless the ISP is assigning private addresses to devices under their
control.

However, we decided several years ago to configure our caching servers as
authoritative for the RFC 1918 address blocks for the benefit of our
customers.  It may not be "expected", but it seemed like a good idea to me,
and there didn't seem to be any downside.

>That is, is there any defined behaviour for an ISP to follow if they
>have no functional need to configure DNS zones for private IP space?

They should behave the same way that they do for any other domains they're
not authoritative for -- work their way down from the root servers.

>The customer in question does not wish to use an internal nameserver,
>but does expect the ISP nameservers to respond with at least a
>NXDOMAIN. Currently they time out instead (due to a routing issue I'm
>trying to get sorted out where the blackhole servers are unreachable).

Why should they respond with NXDOMAIN when the reverse domains are
legitimately delegated?

And the routing problem seems to be that the addresses of the blackhole
servers are in a reserved block that isn't being routed by any ISP:

IANA (RESERVED-2)                                    RESERVED-192   192.0.0.0 - 192.0.127.255
ICANN
c/o Internet Assigned Numbers Authority (NET-ICANN)  ICANN          192.0.32.0 - 192.0.47.255

I guess they got tired of having overloaded servers and decided to send the
queries to the bit bucket.  Although in that case I think it would have
been nicer to just remove the delegation entirely -- that would cause
everyone to return NXDOMAIN responses automatically.

I think someone in IANA has a bug up their butt about trying to convince
organizations that they shouldn't be letting these queries out of their
LAN; they seem to expect everyone who uses private addresses to run their
own internal nameservers.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
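The configuration Barry describes (a caching server made authoritative for the RFC 1918 reverse zones so PTR queries for private addresses are answered locally instead of leaking to the blackhole servers) can be generated with the script below. This is an added example, not part of the original post or of BIND; the file names `rfc1918-zones.conf` and `empty.db` are assumptions.

```shell
#!/bin/sh
# Added example: emit BIND named.conf stanzas that make a resolver
# authoritative for every RFC 1918 reverse zone, plus the single empty
# zone file they all share. Any PTR lookup under these zones then gets a
# local NXDOMAIN (SOA in the authority section) and never leaves the LAN.
# File names below are assumed; `include "rfc1918-zones.conf";` goes in named.conf.

# Print the 18 in-addr.arpa zone names covering 10/8, 172.16/12 and 192.168/16.
rfc1918_reverse_zones() {
    echo "10.in-addr.arpa"
    i=16
    while [ "$i" -le 31 ]; do
        echo "$i.172.in-addr.arpa"
        i=$((i + 1))
    done
    echo "168.192.in-addr.arpa"
}

# One zone stanza per reverse zone; all point at the same empty zone file.
named_conf_stanzas() {
    rfc1918_reverse_zones | while read -r z; do
        printf 'zone "%s" {\n    type master;\n    file "empty.db";\n    allow-update { none; };\n};\n' "$z"
    done
}

# The shared zone file: SOA and NS records only, so every name beneath the
# apex is answered NXDOMAIN by this server itself.
empty_zone_file() {
    cat <<'EOF'
$TTL 86400
@   IN  SOA localhost. root.localhost. ( 1 3600 900 604800 86400 )
@   IN  NS  localhost.
EOF
}

# When given a directory argument, write both files there
# (e.g. `sh gen-rfc1918.sh /etc/named`).
if [ -n "$1" ]; then
    named_conf_stanzas > "$1/rfc1918-zones.conf"
    empty_zone_file    > "$1/empty.db"
fi
```

BIND 9.4 and later serve these empty reverse zones automatically unless `empty-zones-enable no;` is set, so on a modern resolver the script mainly documents what the built-in behaviour does.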

