Queries to DNS Blackholes don't respond

Mark Andrews marka at isc.org
Wed Apr 18 20:32:05 UTC 2018


They were created as sacrificial servers to protect the arpa servers. If you use RFC 1918 addresses you are supposed to run your own servers. Read RFC 1918 about not leaking stuff. 

-- 
Mark Andrews

> On 19 Apr 2018, at 01:30, Roberto Carna <robertocarna36 at gmail.com> wrote:
> 
> Dear people, I know the best way is to make in-addr.arpa local zones in my BIND.
> 
> But also I think the BLACKHOLE SERVERS can be used, because they were
> created for this reason: respond to RFC 1918 network queries.
> 
> So why don't the BLACKHOLE servers respond anymore? Just one time I
> could get a response from them.
> 
> Regards!!!
> 
> 2018-04-18 11:53 GMT-03:00 /dev/rob0 <rob0 at gmx.co.uk>:
>>> On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
>>> Dear, I have implemented a BIND9 server. It works OK, but some days
>>> ago an application failed because it needed to resolve the reverse of
>>> some IP addresses from range 10.x.x.x, and they waited for a long time
>>> and failed, because they need a NXDOMAIN fast response.
>>> 
>>> I don't want to make a local zone 10.IN-ADDR.ARPA,
>> 
>> You don't need to.  See the "built-in empty zones" section of the
>> BIND 9 ARM, chapter 6.
>> 
>>> because I want to
>>> use the two public nameservers from Internet:
>>> 
>>> BLACKHOLE-1.IANA.ORG (192.175.48.6)
>>> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>> 
>> What??  Why?  Those are not supposed to be used.  BIND now includes
>> empty zones for all RFC 1918 and other reserved netblocks which
>> shouldn't ever appear on the open Internet.
>> 
>> If you use some of these networks inside your organization, you can
>> have authoritative zones for the corresponding in-addr.arpa zones.
>> 
>> [snip]
>>> Is it OK that I do? Are blackhole servers useful for this purpose?
>> 
>> Not at all.  That's why we have the automatic empty zones.  Sadly,
>> many distributors are not aware of the feature, so they distribute
>> named.conf with kludges.
>> --
>>  http://rob0.nodns4.us/
>>  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
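
An added example, not part of the original thread: a Python check that maps a reverse-lookup name to the RFC 1918 reverse zone that should answer it locally, run over constructed query names such as might be captured leaving a resolver. The function names and the sample list are assumptions made for illustration; the zone names follow from the three RFC 1918 ranges.

```python
import ipaddress

# The three RFC 1918 ranges; reverse lookups for them belong on local servers.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_name_to_network(qname):
    """Map an in-addr.arpa name (1 to 4 octet labels) to the IPv4 network it covers."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2][::-1]          # reverse names list octets backwards
    if len(octets) > 4:
        return None
    if not all(o.isascii() and o.isdigit() and int(o) <= 255 for o in octets):
        return None
    padded = [str(int(o)) for o in octets] + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")


def rfc1918_reverse_zone(qname):
    """Return the RFC 1918 reverse zone covering qname, or None if it is not private."""
    net = reverse_name_to_network(qname)
    if net is None:
        return None
    for private in RFC1918_NETS:
        if net.subnet_of(private):
            first, second = str(net.network_address).split(".")[:2]
            if private.prefixlen == 8:
                return f"{first}.in-addr.arpa"
            return f"{second}.{first}.in-addr.arpa"
    return None


def leaked_private_queries(qnames):
    """Pick out names that should have been answered locally, with their zone."""
    return [(q, z) for q in qnames if (z := rfc1918_reverse_zone(q)) is not None]


# Constructed sample: reverse names seen in queries leaving a resolver.
SAMPLE_OUTBOUND = [
    "5.0.0.10.in-addr.arpa.",
    "1.20.172.in-addr.arpa",
    "1.32.172.in-addr.arpa",      # 172.32/16 is public space
    "7.1.168.192.IN-ADDR.ARPA",
    "8.8.8.8.in-addr.arpa",
    "example.com",
]

if __name__ == "__main__":
    for name, zone in leaked_private_queries(SAMPLE_OUTBOUND):
        print(f"{name}: serve locally from {zone}")
```

Any name this reports from an outbound capture is a reverse query for private space that reached the Internet instead of being answered by a local or empty zone.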


