Hi Julien
Yes, we are experiencing the same issues recently with ptr-requests forwarded to the iana blackhole nameservers.
# dig -x 10.0.0.100 @blackhole-1.iana.org
;; global options: +cmd
;; connection timed out; no servers could be reached
We have now configured our nameservers to respond to those requests immediately, without sending the queries to Internet servers, which they shouldn't do anyway for RFC 1918 IPs [1][2].
Regards, Christian
[1] https://deepthought.isc.org/article/AA-00800/0
[2] https://www.iana.org/help/abuse-answers -> Information about "Blackhole" Servers
2016-10-27 16:13 GMT+02:00 maj@mbuf.net:
Hi, are there people experiencing issues on some ASes when using the IANA blackhole nameservers for localnets?
I usually get this response, for instance:

dig 172.16.1.1 @blackhole-1.iana.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34667
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;172.16.1.1.                    IN      A

;; Query time: 46 msec
;; SERVER: 192.175.48.6#53(192.175.48.6)
;; WHEN: Thu Oct 27 16:
But I don't get any reply packet on AS8220 (COLT):

dig 172.16.1.1 @blackhole-1.iana.org
;; global options: +cmd
;; connection timed out; no servers could be reached
thank you.
--
|_|0|_|  julien mabillard
|_|_|0|  OpenPGP key fingerprint : F009 EFD0 8060 50FE DE07 4953 0E57 5BB0 8284 EF08
|0|0|0|
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
On 2016-10-27 20:13, Christian Fahrni wrote:
> Hi Julien
> Yes, we are experiencing the same issues recently with ptr-requests forwarded to the iana blackhole nameservers.
> # dig -x 10.0.0.100 @blackhole-1.iana.org
Traceroute? :)
Those nodes are anycasted. See previous answer or google AS112.
Greets, Jeroen
:: > # dig -x 10.0.0.100 @blackhole-1.iana.org
:: Traceroute? :)
traceroute to blackhole-1.iana.org (192.175.48.6), 64 hops max, 40 byte packets
 1  gateway.ecucenter.org (193.73.242.101)  0.204 ms  0.204 ms  0.159 ms
 2  213.173.181.181 (213.173.181.181)  0.843 ms  1.057 ms  0.757 ms
 3  te0-1-0-0-pr2.ZRH.router.colt.net (212.74.87.3)  7.114 ms  7.611 ms  6.554 ms
 4  blackhole-1.iana.org (192.175.48.6)  4.916 ms  4.643 ms  5.305 ms
I tried the COLT looking glass [0]; it gives me (Zurich): Paths: (6 available, best #5), but only the first 2 paths are printed.
I know that this is kind of bad practice, as no localnet should leak via DNS requests, but this happened on some mail gateway appliances that directly use the root nameservers and then use them globally without caring about localnets (PTR resolution).
As a workaround I will use local nameservers that correctly reply to such requests.
But still, I'd like to understand what happens. We got notified last Friday afternoon of a sudden stop of these responses.
I know this seems to have happened at the same time as the Dyn DDoS. AFAIK the root nameservers were not victims of the attack.
BTW, I still get increased SERVFAIL traffic since Friday, and those are PTR requests (not localnet).
thanks for your answers.
[0] https://portal.colt.net/lg/
Hi All
>> Yes, we are experiencing the same issues recently with ptr-requests forwarded to the iana blackhole nameservers.
>> # dig -x 10.0.0.100 @blackhole-1.iana.org
> Traceroute? :) Those nodes are anycasted. See previous answer or google AS112.
...and when you are trying to debug AS112 stuff you normally also want to try to run this:
--snip
# dig +short txt hostname.as112.arpa
"Unique IP: 91.206.52.250 / 2001:7f8:24::fa"
"See http://as112.net/ for more information."
"AS112 at SwissIX, http://www.swissix.ch, Zurich, Switzerland"
--snap
This will surface the name of the node you end up at. Running a traceroute will probably not help much because, as you already correctly stated, this is an anycasted IP address. It may point you in the right direction, but it might just as well mislead you.
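Christian's fix and Julien's workaround in this thread amount to the same thing: the resolver has to serve the reverse zones for private, loopback, link-local and documentation space itself instead of forwarding those PTR queries towards AS112. The following Python is an added example, not code from the thread, from ISC or from IANA. It assumes the RFC 6303 prefix list as transcribed here, and the sample query log lines are constructed in a BIND-style format for the example. It classifies reverse names, expands each prefix into the exact zone names a resolver needs (which is why 172.16.0.0/12 becomes sixteen zones, 16.172 through 31.172), and flags the PTR queries in a log that should never have left the resolver.

```python
"""Which PTR queries must a resolver answer itself (empty local zone, NXDOMAIN)
instead of forwarding towards AS112 / the Internet? Prefix list assumed from
RFC 6303 "locally served zones"; transcribed for this example."""
import ipaddress
import re

# Assumed RFC 6303 list: RFC 1918, loopback, link-local, documentation,
# broadcast, plus the IPv6 unspecified/loopback, ULA, link-local and doc prefixes.
LOCALLY_SERVED = (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.51.100.0/24", "203.0.113.0/24", "255.255.255.255/32",
    "::/128", "::1/128", "fd00::/8", "fe80::/10", "2001:db8::/32",
)
LOCALLY_SERVED_NETS = [ipaddress.ip_network(p) for p in LOCALLY_SERVED]

# BIND-style query log: "... query: <qname> IN <qtype> <flags> (<server>)"
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# Constructed reverse name for fe80::1 (1, then 28 zero nibbles, then 8.e.f).
LINK_LOCAL_PTR = "1." + "0." * 28 + "8.e.f.ip6.arpa"


def reverse_name_to_network(qname):
    """Turn a full or partial in-addr.arpa / ip6.arpa name into the network it
    denotes: 1.1.16.172.in-addr.arpa -> 172.16.1.1/32, 10.in-addr.arpa -> 10.0.0.0/8.
    Returns None for anything that is not a syntactically valid reverse name."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]                      # labels are little-endian
        if not 1 <= len(octets) <= 4 or not all(
                o.isdigit() and o == str(int(o)) and int(o) <= 255 for o in octets):
            return None
        prefixlen = 8 * len(octets)
        octets += ["0"] * (4 - len(octets))             # pad a partial name
        return ipaddress.ip_network("%s/%d" % (".".join(octets), prefixlen))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2][::-1]
        if not 1 <= len(nibbles) <= 32 or not all(re.fullmatch(r"[0-9a-f]", n) for n in nibbles):
            return None
        prefixlen = 4 * len(nibbles)
        hexdigits = "".join(nibbles).ljust(32, "0")
        addr = ":".join(hexdigits[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_network("%s/%d" % (addr, prefixlen))
    return None


def answered_locally(qname):
    """True if the resolver should answer this reverse query from its own empty
    zone rather than send it to the Internet (and thus to AS112)."""
    net = reverse_name_to_network(qname)
    if net is None:
        return False
    return any(z.version == net.version and net.subnet_of(z) for z in LOCALLY_SERVED_NETS)


def reverse_zones(prefix):
    """Zone names covering a prefix. A prefix that does not end on a label
    boundary (172.16.0.0/12, fe80::/10) is split into aligned subnets, which is
    why 16.172.in-addr.arpa ... 31.172.in-addr.arpa are separate zones."""
    net = ipaddress.ip_network(prefix)
    bits = 8 if net.version == 4 else 4                 # bits per reverse label
    aligned = -(-net.prefixlen // bits) * bits          # round up to a label boundary
    names = []
    for sub in net.subnets(new_prefix=aligned):
        if net.version == 4:
            labels = str(sub.network_address).split(".")[: aligned // 8]
            names.append(".".join(reversed(labels)) + ".in-addr.arpa.")
        else:
            nibbles = sub.network_address.exploded.replace(":", "")[: aligned // 4]
            names.append(".".join(reversed(nibbles)) + ".ip6.arpa.")
    return names


def all_zone_names():
    """Every empty zone a resolver needs, e.g. one unbound
    'local-zone: "<name>" static' line each."""
    return [name for prefix in LOCALLY_SERVED for name in reverse_zones(prefix)]


def private_ptr_queries(log_lines):
    """PTR qnames in a query log that must be answered locally; on a box without
    those zones they go out to AS112 (or time out, as in the thread)."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m.group("qtype") == "PTR" and answered_locally(m.group("qname")):
            hits.append(m.group("qname"))
    return hits


# Constructed sample log lines (not from the thread), BIND-style query log.
SAMPLE_LOG = [
    f"27-Oct-2016 16:13:02.001 client 192.0.2.10#53211 ({q}): query: {q} IN {t} + (192.0.2.1)"
    for q, t in (("100.0.0.10.in-addr.arpa", "PTR"),      # 10.0.0.100: local
                 ("1.1.16.172.in-addr.arpa", "PTR"),      # 172.16.1.1: local
                 ("6.48.175.192.in-addr.arpa", "PTR"),    # 192.175.48.6: public, forward
                 ("hostname.as112.arpa", "TXT"),          # not a PTR at all
                 (LINK_LOCAL_PTR, "PTR"))                 # fe80::1: local
]

if __name__ == "__main__":
    for q in private_ptr_queries(SAMPLE_LOG):
        print("must be answered locally:", q)
    print(len(all_zone_names()), "empty zones needed, e.g.", all_zone_names()[:3])
```

The zone list is what you feed a resolver: unbound takes each name as `local-zone: "<name>" static`, and BIND 9 ships these as built-in empty zones controlled by `empty-zones-enable`. The appliance case Julien describes is the one where neither is in place, so running the log scan against a resolver's query log shows exactly which reverse lookups are being pushed out to AS112.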