Re: IANA Blackhole Servers Ill?

2005-10-21 Thread Peter Dambier


To me they do answer:

; <<>> DiG 9.1.3 <<>> -t any 10.in-addr.arpa. @blackhole-1.iana.org.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20469
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.in-addr.arpa.   IN  ANY

;; ANSWER SECTION:
10.in-addr.arpa.  604800  IN  SOA  prisoner.iana.org. hostmaster.root-servers.org. \
                                   2002040800 1800 900 604800 604800
10.in-addr.arpa.  604800  IN  NS   blackhole-1.iana.org.
10.in-addr.arpa.  604800  IN  NS   blackhole-2.iana.org.

;; Query time: 113 msec
;; SERVER: 192.175.48.6#53(blackhole-1.iana.org.)
;; WHEN: Fri Oct 21 23:15:39 2005
;; MSG SIZE  rcvd: 162


; <<>> DiG 9.1.3 <<>> -t any 10.in-addr.arpa. @blackhole-2.iana.org.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43116
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;10.in-addr.arpa.   IN  ANY

;; ANSWER SECTION:
10.in-addr.arpa.  604800  IN  SOA  prisoner.iana.org. hostmaster.root-servers.org. \
                                   2002040800 1800 900 604800 604800
10.in-addr.arpa.  604800  IN  NS   blackhole-1.iana.org.
10.in-addr.arpa.  604800  IN  NS   blackhole-2.iana.org.

;; Query time: 112 msec
;; SERVER: 192.175.48.42#53(blackhole-2.iana.org.)
;; WHEN: Fri Oct 21 23:15:49 2005
;; MSG SIZE  rcvd: 162


Regards,
Peter and Karin Dambier


Crist Clark wrote:


> We got some very weird complaints about applications hanging. Tracked
> it down to reverse lookups timing out. Reverse lookups to RFC1918 space.
> Looks like the IANA blackhole servers for RFC1918 are not well?
>
>   1   0.0 207.88.152.10 -> 192.175.48.6 DNS C 52.143.18.172.in-addr.arpa. Internet PTR ?
>   2   0.01375 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
>   3   0.68455 207.88.152.10 -> 192.175.48.6 DNS C 111.143.18.172.in-addr.arpa. Internet PTR ?
>   4   0.00529 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
>   5   3.00417 207.88.152.10 -> 192.175.48.42 DNS C 111.143.18.172.in-addr.arpa. Internet PTR ?
>   6   0.00548 192.175.48.42 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
>   7   0.68462 207.88.152.10 -> 192.175.48.42 DNS C 69.160.18.172.in-addr.arpa. Internet PTR ?
>   8   0.00623 192.175.48.42 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
>   9   0.60348 207.88.152.10 -> 192.175.48.6 DNS C 52.143.18.172.in-addr.arpa. Internet PTR ?
>  10   0.00523 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
>
> Looks like the hosts are up but not listening on 53/udp? Anyone else
> seeing this? Heard about it?
>
> (Of course, the fix is to claim authority for the RFC1918 space you are
> using in your own DNS servers.)



--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr
http://www.kokoom.com/iason



RE: IANA Blackhole Servers Ill?

2005-10-21 Thread John van Oppen

It is probably important to know that those servers are anycasted via the AS112 
project (www.as112.net).   Perhaps the AS112 operator you are seeing is having 
issues.  You could try to identify which one and let them know.

Thanks,
John :)




Re: IANA Blackhole Servers Ill?

2005-10-21 Thread Crist Clark


John van Oppen wrote:

> It is probably important to know that those servers are anycasted via the AS112
> project (www.as112.net).   Perhaps the AS112 operator you are seeing is having
> issues.  You could try to identify which one and let them know.


Three things:

1) At least one other person reports the same problem.

2) They've been going up and down, so even if you go check and it
   works that one time, you may have caught it up.

3) I'd try to ask it which anycast instance it is, but both are
   sending ICMP unreachables at the moment. A traceroute says,

traceroute to 192.175.48.42 (192.175.48.42), 64 hops max, 44 byte packets
[snip]
 6  p4-3-0.RAR2.SanJose-CA.us.xo.net (65.106.5.161)  34.390 ms  5.774 ms  5.280 ms
 7  p1-0.IR1.PaloAlto-CA.us.xo.net (65.106.5.178)  44.123 ms  21.508 ms  5.672 ms
 8  207.88.240.70.ptr.us.xo.net (207.88.240.70)  5.473 ms  26.629 ms  14.045 ms
 9  ix-4-6.core3.PDI-PaloAlto.Teleglobe.net (207.45.196.66)  6.637 ms  10.697 ms  5.863 ms
10  blackhole-2.iana.org (192.175.48.42)  6.547 ms  6.561 ms  8.935 ms

  I don't have a BGP view of the world from XO, our provider on
  this link. Anyone know which instance that is? It's close to
  Palo Alto? From,

http://public.as112.net/node/2

  My best guess is ISC? But F-Root seems to be OK from here, FWIW, and
  a traceroute to F doesn't jump through that IX.


--
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications   (408) 933-4387


Re: IANA Blackhole Servers Ill?

2005-10-21 Thread Doug Barton

Crist Clark wrote:
 
> We got some very weird complaints about applications hanging. Tracked
> it down to reverse lookups timing out. Reverse lookups to RFC1918 space.
> Looks like the IANA blackhole servers for RFC1918 are not well?

From my location (Comcast cable modem in LA) I can see the IANA servers, and
they are answering queries.

> (Of course, the fix is to claim authority for the RFC1918 space you are
> using in your own DNS servers.)

It's arguably a good idea for resolving name servers to be authoritative for
all the 1918 space, as well as the zones recommended in RFC 1912
(ftp://ftp.rfc-editor.org/in-notes/rfc1912.txt). You can set up an empty
zone file (just SOA and NS), and do something like this:

zone "10.in-addr.arpa"      { type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "30.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "31.172.in-addr.arpa"  { type master; file "master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };

Any more specific zones that you add for space that you're actually using
will be effective for those blocks instead of the more generic definitions
(at least in modern versions of BIND).

hth,

Doug
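
Added example, not part of Doug Barton's message or of any poster's configuration: a Python sketch that derives the 18 reverse zones above from the three RFC 1918 blocks, emits the named.conf stanzas plus an empty zone (SOA and NS only), and shows which local zone would absorb a PTR query such as the 52.143.18.172.in-addr.arpa lookup in the trace. The name server and hostmaster names are placeholders, and the SOA timers are copied from the dig output earlier in the thread.

```python
import ipaddress

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def reverse_zones(cidr):
    """Return the in-addr.arpa zones covering cidr, split on octet boundaries."""
    net = ipaddress.ip_network(cidr)
    octets = -(-net.prefixlen // 8)  # round up: a /12 becomes sixteen /16 zones
    zones = []
    for sub in net.subnets(new_prefix=octets * 8):
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones

def named_conf(zone_file="master/empty.db"):
    """Build one master zone stanza per RFC 1918 reverse zone."""
    return "\n".join(
        'zone "%s" { type master; file "%s"; };' % (zone, zone_file)
        for cidr in RFC1918 for zone in reverse_zones(cidr))

def empty_zone(ns="ns.example.net.", rname="hostmaster.example.net.", serial=1):
    """Zone file holding only SOA and NS; ns and rname are placeholder names."""
    return ("$TTL 604800\n"
            "@ IN SOA %s %s ( %d 1800 900 604800 604800 )\n"
            "@ IN NS  %s\n" % (ns, rname, serial, ns))

def covering_zone(addr):
    """Return the local zone that answers the PTR query for addr, or None."""
    qname = ipaddress.ip_address(addr).reverse_pointer
    for cidr in RFC1918:
        for zone in reverse_zones(cidr):
            if qname.endswith("." + zone):
                return zone
    return None  # not RFC 1918: the query goes out to the public tree

if __name__ == "__main__":
    print(named_conf())
    print(empty_zone())
    # Addresses behind the PTR queries in the trace, plus one public address.
    for addr in ("172.18.143.52", "172.18.160.69", "192.175.48.6"):
        print(addr, "->", covering_zone(addr))
```

With these zones loaded, the resolver answers NXDOMAIN locally for unassigned RFC 1918 addresses, so the lookup no longer depends on an AS112 instance being reachable.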


Re: IANA Blackhole Servers Ill?

2005-10-21 Thread William F. Maton Sotomayor


On Fri, 21 Oct 2005, Crist Clark wrote:


> 2) They've been going up and down, so even if you go check and it
>    works that one time, you may have caught it up.


Something's definitely going on, as the server at ISC seems to be coming 
and going in operation.



> 3) I'd try to ask it which anycast instance it is, but both are
>    sending ICMP unreachables at the moment. A traceroute says,


Always can be gleaned from this:

dig @prisoner.iana.org hostname.as112.net any

Which, from my local ISP's point of view (Sympatico in Canada) seems to 
yield different answers.


wfms


Re: IANA Blackhole Servers Ill?

2005-10-21 Thread Crist Clark


Looks like it was ISC? And they withdrew their routes for a bit?
For a while I got (from XO in CA),

$ host -t txt -c chaos hostname.bind 192.175.48.6
Using domain server 192.175.48.6:

hostname.bind CHAOS descriptive text black-1.sth.netnod.se

Goin' transatlantic! Traceroutes seemed to verify.

But now I'm back on,

$ host -t txt -c chaos hostname.bind 192.175.48.6
Using domain server 192.175.48.6:

hostname.bind CHAOS descriptive text hazel.isc.org

ISC. Got a note from an ISC reader verifying they are/were having
issues with their AS112 server.
--
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications   (408) 933-4387