Dear Darcy, now I understand what you mean.

Thanks for your great explanation about the possible causes that
blackhole servers don't respond to me.

Thanks a lot!!!

2018-04-18 17:35 GMT-03:00 Darcy Kevin (FCA) <kevin.da...@fcagroup.com>:
> Sorry, but the "that's what they're there for" argument is often misapplied 
> to justify reckless, irresponsible or just plain unauthorized use of 
> resources, and I think this is an example of that.
>
> The AS112 project (https://www.as112.net/), who collectively run those 
> "blackhole" servers, set them up to answer queries that leak out 
> *unintentionally*. RFC 6303, among other documents, makes it quite clear that 
> DNS operators SHOULD define the RFC 1918 zones, and zones associated with 
> reverse-IPv6 and other "special" address ranges, locally, either explicitly 
> or by using the built-in mechanisms of the DNS software, in order to 
> *prevent* those queries leaking out and having to be answered by the AS112 
> servers. Your attitude of "I'll just use the AS112 servers because that's 
> what they're there for" amounts to *abusing* resources -- that in most cases 
> are provided by volunteers -- that were set up to help protect the Internet 
> DNS infrastructure from misconfiguration and/or deliberate assault. Please do 
> the right and responsible thing. Don't be part of the problem.
>
> Having said that, if, out of idle curiosity, you want to know why you're not 
> getting answers from your closest AS112 Anycast node, I'd start by looking at 
> the problem from the routing perspective. Anycast routing can be tricky 
> sometimes (in my case, a traceroute shows a path going directly from our 
> border router through some ALTER.NET hops, but your mileage may vary). Or 
> maybe the operator of that node is having a problem with their nameserver. 
> Another possibility is that an intermediate IPS (Intrusion Prevention System 
> or Service), or firewall, is configured to drop your query packets or the 
> responses (RFC 6305 focuses on that particular scenario, although its main 
> recommendation for mitigation is to not send the queries to the AS112 servers 
> in the first place).
>
>                                                 - Kevin
>
>
>
> -----Original Message-----
> From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Roberto Carna
> Sent: Wednesday, April 18, 2018 11:31 AM
> To: bind-users@lists.isc.org
> Subject: Re: Queries to DNS Blackholes don't respond
>
> Dear people, I know the best way is to make in-addr.arpa local zones in my 
> BIND.
>
> But also I think the BLACKHOLE SERVERS can be used, because they were created 
> for this reason: respond to RFC 1918 networks queries.
>
> So why don't the BLACKHOLE servers respond anymore? Just one time I could 
> get a response from them.
>
> Regards!!!
>
> 2018-04-18 11:53 GMT-03:00 /dev/rob0 <r...@gmx.co.uk>:
>> On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
>>> Dear, I have implemented a BIND9 server. It works OK, but some days
>>> ago an application failed because it needed to resolve the reverse of
>>> some IP addresses from range 10.x.x.x, and they waited for a long
>>> time and failed, because they need a NXDOMAIN fast response.
>>>
>>> I don't want to make a local zone 10.IN-ADDR.ARPA,
>>
>> You don't need to.  See the "built-in empty zones" section of the BIND
>> 9 ARM, chapter 6.
>>
>>> because I want to
>>> use the two public nameservers from Internet:
>>>
>>> BLACKHOLE-1.IANA.ORG (192.175.48.6)
>>> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>>
>> What??  Why?  Those are not supposed to be used.  BIND now includes
>> empty zones for all RFC 1918 and other reserved netblocks which
>> shouldn't ever appear on the open Internet.
>>
>> If you use some of these networks inside your organization, you can
>> have authoritative zones for the corresponding in-addr.arpa zones.
>>
>> [snip]
>>> Is it OK that I do? Are blackhole servers useful for this purpose?
>>
>> Not at all.  That's why we have the automatic empty zones.  Sadly,
>> many distributors are not aware of the feature, so they distribute
>> named.conf with kludges.
>> --
>>   http://rob0.nodns4.us/
>>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users

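The thread's point is that reverse queries for RFC 1918 and other RFC 6303 ranges should be answered locally and never reach the AS112 servers. The following is an added example, not part of the original messages: a Python check that flags such queries in a list of outbound queries. The "dest qname qtype" line format and the sample lines are constructed for illustration; the two server addresses are the ones quoted in the thread.

```python
# Zones RFC 6303 says a recursive resolver should serve locally
# (RFC 1918 reverse zones plus the other special-use ranges it lists).
LOCAL_ZONES = {
    "10.in-addr.arpa", "168.192.in-addr.arpa",            # RFC 1918
    *(f"{n}.172.in-addr.arpa" for n in range(16, 32)),    # RFC 1918, 172.16/12
    "0.in-addr.arpa", "127.in-addr.arpa", "254.169.in-addr.arpa",
    "2.0.192.in-addr.arpa", "100.51.198.in-addr.arpa",
    "113.0.203.in-addr.arpa", "255.255.255.255.in-addr.arpa",
    "d.f.ip6.arpa", "8.e.f.ip6.arpa", "9.e.f.ip6.arpa",
    "a.e.f.ip6.arpa", "b.e.f.ip6.arpa", "8.b.d.0.1.0.0.2.ip6.arpa",
    ".".join(["0"] * 32) + ".ip6.arpa",                   # ::
    "1." + ".".join(["0"] * 31) + ".ip6.arpa",            # ::1
}

AS112_SERVERS = {"192.175.48.6", "192.175.48.42"}  # addresses quoted in the thread

# Constructed sample: queries seen leaving a resolver, as "dest qname qtype".
SAMPLE_OUTBOUND = """\
192.175.48.6 4.3.2.10.in-addr.arpa. PTR
198.51.100.53 www.example.com. A
192.175.48.42 1.0.20.172.in-addr.arpa. PTR
203.0.113.9 9.8.7.172.in-addr.arpa. PTR
192.175.48.6 7.1.168.192.IN-ADDR.ARPA PTR
"""

def local_zone_for(qname):
    """Return the RFC 6303 zone that contains qname, or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])   # match on whole labels only
        if candidate in LOCAL_ZONES:
            return candidate
    return None

def find_leaks(text):
    """Return (dest, qname, zone, to_as112) for queries that should have stayed local."""
    leaks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                        # skip malformed lines
        dest, qname, _qtype = parts
        zone = local_zone_for(qname)
        if zone:
            leaks.append((dest, qname, zone, dest in AS112_SERVERS))
    return leaks

if __name__ == "__main__":
    for dest, qname, zone, as112 in find_leaks(SAMPLE_OUTBOUND):
        print(f"{qname} -> {dest} (zone {zone}, AS112={as112})")
```

Any line this reports means the resolver has no local zone for that range, which is the condition the built-in empty zones mentioned in the thread are meant to remove.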