Sorry, but the "that's what they're there for" argument is often misapplied to 
justify reckless, irresponsible or just plain unauthorized use of resources, 
and I think this is an example of that.

The AS112 project (https://www.as112.net/), who collectively run those 
"blackhole" servers, set them up to answer queries that leak out 
*unintentionally*. RFC 6303, among other documents, makes it quite clear that 
DNS operators SHOULD define the RFC 1918 zones, and zones associated with 
reverse-IPv6 and other "special" address ranges, locally, either explicitly or 
by using the built-in mechanisms of the DNS software, in order to *prevent* 
those queries leaking out and having to be answered by the AS112 servers. Your 
attitude of "I'll just use the AS112 servers because that's what they're there 
for" amounts to *abusing* resources -- that in most cases are provided by 
volunteers -- that were set up to help protect the Internet DNS infrastructure 
from misconfiguration and/or deliberate assault. Please do the right and 
responsible thing. Don't be part of the problem.

Having said that, if, out of idle curiosity, you want to know why you're not 
getting answers from your closest AS112 Anycast node, I'd start by looking at 
the problem from the routing perspective. Anycast routing can be tricky 
sometimes (in my case, a traceroute shows a path going directly from our border 
router through some ALTER.NET hops, but your mileage may vary). Or maybe the 
operator of that node is having a problem with their nameserver. Another 
possibility is that an intermediate IPS (Intrusion Prevention System or 
Service), or firewall, is configured to drop your query packets or the 
responses (RFC 6305 focuses on that particular scenario, although its main 
recommendation for mitigation is to not send the queries to the AS112 servers 
in the first place).

                                                - Kevin



-----Original Message-----
From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Roberto Carna
Sent: Wednesday, April 18, 2018 11:31 AM
To: bind-users@lists.isc.org
Subject: Re: Queries to DNS Blackholes don't respond

Dear people, I know the best way is to make in-addr.arpa local zones in my BIND.

But also I think the BLACKHOLE SERVERS can be used, because they were created 
for this reason: respond to RFC 1918 network queries.

So why don't the BLACKHOLE servers respond anymore? Just one time I could get 
a response from them.

Regards!!!

2018-04-18 11:53 GMT-03:00 /dev/rob0 <r...@gmx.co.uk>:
> On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
>> Dear, I have implemented a BIND9 server. It works OK, but some days 
>> ago an application failed because it needed to resolve the reverse of 
>> some IP addresses from range 10.x.x.x, and they waited for a long 
>> time and failed, because they need a NXDOMAIN fast response.
>>
>> I don't want to make a local zone 10.IN-ADDR.ARPA,
>
> You don't need to.  See the "built-in empty zones" section of the BIND 
> 9 ARM, chapter 6.
>
>> because I want to
>> use the two public nameservers from Internet:
>>
>> BLACKHOLE-1.IANA.ORG (192.175.48.6)
>> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>
> What??  Why?  Those are not supposed to be used.  BIND now includes 
> empty zones for all RFC 1918 and other reserved netblocks which 
> shouldn't ever appear on the open Internet.
>
> If you use some of these networks inside your organization, you can 
> have authoritative zones for the corresponding in-addr.arpa zones.
>
> [snip]
>> Is it OK that I do? Are blackhole servers useful for this purpose?
>
> Not at all.  That's why we have the automatic empty zones.  Sadly, 
> many distributors are not aware of the feature, so they distribute 
> named.conf with kludges.
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
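As an added example (not code from anyone in this thread), the following Python script shows the check that Kevin's RFC 6303 point and /dev/rob0's empty-zones advice imply: given BIND query-log lines (constructed here, format approximated) and the set of reverse zones a resolver defines locally, it reports which RFC 1918 / 169.254 reverse queries would leave for the AS112 servers, and prints explicit named.conf stanzas for the missing zones (the db.empty path is an assumed placeholder).

```python
import re

# Reverse zones the AS112 project answers for leaked queries: RFC 1918 space
# plus 169.254/16. BIND's built-in empty zones cover these same names locally.
AS112_ZONES = (
    ["10.in-addr.arpa", "168.192.in-addr.arpa", "254.169.in-addr.arpa"]
    + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]  # 172.16/12 = 16 /16 zones
)

# Constructed BIND query-log lines (approximate format, not a real capture).
SAMPLE_LOG = [
    "client 192.0.2.10#40001 (5.1.0.10.in-addr.arpa): query: 5.1.0.10.in-addr.arpa IN PTR + (192.0.2.53)",
    "client 192.0.2.11#40002 (7.3.20.172.in-addr.arpa): query: 7.3.20.172.in-addr.arpa IN PTR + (192.0.2.53)",
    "client 192.0.2.12#40003 (9.1.168.192.in-addr.arpa): query: 9.1.168.192.in-addr.arpa IN PTR + (192.0.2.53)",
    "client 192.0.2.13#40004 (4.113.0.203.in-addr.arpa): query: 4.113.0.203.in-addr.arpa IN PTR + (192.0.2.53)",
]

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def covering_zone(qname, zones):
    """Return the first zone in `zones` that qname falls under, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for zone in zones:
        zl = zone.split(".")
        if len(labels) >= len(zl) and labels[-len(zl):] == zl:
            return zone
    return None

def find_leaks(log_lines, local_zones):
    """(qname, as112_zone) for queries in AS112 space that no local zone answers."""
    leaks = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        as112 = covering_zone(qname, AS112_ZONES)
        if as112 and covering_zone(qname, local_zones) is None:
            leaks.append((qname, as112))
    return leaks

def named_conf_stanzas(zones, empty_file="/etc/bind/db.empty"):
    """Explicit empty-zone stanzas for named.conf; empty_file path is an assumption."""
    return "\n".join(f'zone "{z}" {{ type master; file "{empty_file}"; }};' for z in zones)

if __name__ == "__main__":
    # A kludged named.conf that defined only 10/8 and 192.168/16 by hand.
    kludge = ["10.in-addr.arpa", "168.192.in-addr.arpa"]
    leaks = find_leaks(SAMPLE_LOG, kludge)  # only the 172.20.x query leaks
    print(named_conf_stanzas(sorted({z for _, z in leaks})))
```

With BIND's built-in empty zones enabled (pass AS112_ZONES as the local set) nothing leaks; the hand-written list misses the 172.16/12 zones because that block is sixteen separate /16 reverse zones, which is exactly the kind of kludge the thread warns about.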