Hi Julien
Yes, we are experiencing the same issues recently with ptr-requests forwarded to the iana blackhole nameservers.
# dig -x 10.0.0.100 @blackhole-1.iana.org
;; global options: +cmd
;; connection timed out; no servers could be reached
We have now configured our nameservers to respond to those requests immediately without sending the queries to Internet servers, which they shouldn't do anyway for RFC1918 IPs [1][2].
Regards, Christian
[1] https://deepthought.isc.org/article/AA-00800/0
[2] https://www.iana.org/help/abuse-answers -> Information about "Blackhole" Servers
2016-10-27 16:13 GMT+02:00 maj@mbuf.net:
> # dig -x 10.0.0.100 @blackhole-1.iana.org

Traceroute? :)
traceroute to blackhole-1.iana.org (192.175.48.6), 64 hops max, 40 byte packets
 1  gateway.ecucenter.org (193.73.242.101)  0.204 ms  0.204 ms  0.159 ms
 2  213.173.181.181 (213.173.181.181)  0.843 ms  1.057 ms  0.757 ms
 3  te0-1-0-0-pr2.ZRH.router.colt.net (212.74.87.3)  7.114 ms  7.611 ms  6.554 ms
 4  blackhole-1.iana.org (192.175.48.6)  4.916 ms  4.643 ms  5.305 ms
I tried the COLT[0] looking glass; it gives me (Zurich): Paths: (6 available, best #5), but only the first 2 paths are printed.
I know that this is kind of bad practice, as no localnet should leak DNS requests, but this happened on some mail gateway appliances that directly use the root nameservers and then use them globally without caring for localnets (PTR resolution).
As a workaround I will use local nameservers that correctly reply to such requests.
But still I'd like to understand what happened. We got notified last Friday afternoon of a sudden stop of these responses.
I know this seems to have happened at the same time as the Dyn DDoS. AFAIK the root nameservers were not victims of the attack.
BTW, I still get increased SERVFAIL traffic since Friday, and those are PTR requests (not localnet).
Thanks for your answers.
[0] https://portal.colt.net/lg/
--
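The fix both posters describe is to answer reverse lookups for private address space locally instead of forwarding them to the Internet, where the AS112 blackhole servers end up receiving them. The following is an added example, not code from anyone in this thread: it encodes the IPv4 locally-served reverse zones from RFC 6303 (the RFC1918 ranges plus loopback, link-local and a few others; the IPv6 zones are left out for brevity), converts between addresses and PTR names, and scans a constructed, BIND-style query log for PTR queries that a resolver should have answered itself. The log lines and the client addresses in them are made up for the example; the log format is only loosely modelled on BIND's.

```python
"""Classify PTR query names against the RFC 6303 IPv4 locally-served reverse
zones and pick out queries that should never have left the local resolver.
Added example; not code from the original thread."""

import ipaddress
import re
from typing import List, Optional, Tuple

# IPv4 reverse zones a recursive resolver should answer locally (RFC 6303 sec. 4).
LOCAL_REVERSE_ZONES = (
    "10.in-addr.arpa",                                   # RFC 1918 10/8
    *(f"{i}.172.in-addr.arpa" for i in range(16, 32)),  # RFC 1918 172.16/12
    "168.192.in-addr.arpa",                              # RFC 1918 192.168/16
    "127.in-addr.arpa",                                  # loopback
    "254.169.in-addr.arpa",                              # link-local
    "0.in-addr.arpa",                                    # "this" network
    "255.255.255.255.in-addr.arpa",                      # limited broadcast
)


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so suffix matching is exact."""
    return name.rstrip(".").lower()


def reverse_name(ip: str) -> str:
    """Address -> PTR query name, e.g. 10.0.0.100 -> 100.0.0.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_name_to_ip(name: str) -> Optional[str]:
    """Inverse of reverse_name for complete IPv4 PTR names; None otherwise
    (partial names such as 1.20.172.in-addr.arpa have no single address)."""
    labels = normalise(name).split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(labels[:4][::-1])))
    except ipaddress.AddressValueError:
        return None


def is_locally_served(name: str) -> bool:
    """True if the name lies inside a zone the resolver must answer itself."""
    n = normalise(name)
    return any(n == z or n.endswith("." + z) for z in LOCAL_REVERSE_ZONES)


# Constructed sample lines (not real server output); 192.0.2.x is documentation
# space standing in for internal clients, 192.175.48.6 is the public AS112 server
# address quoted in the thread and is deliberately NOT a locally-served name.
SAMPLE_QUERY_LOG = """\
client 192.0.2.10#53412: query: 100.0.0.10.in-addr.arpa IN PTR + (192.0.2.1)
client 192.0.2.11#40120: query: 6.48.175.192.in-addr.arpa IN PTR + (192.0.2.1)
client 192.0.2.12#51000: query: 1.20.172.in-addr.arpa IN PTR + (192.0.2.1)
client 192.0.2.13#51001: query: 1.1.32.172.in-addr.arpa IN PTR + (192.0.2.1)
client 192.0.2.14#51002: query: www.example.net IN A + (192.0.2.1)
client 192.0.2.15#51003: query: 5.1.168.192.in-addr.arpa IN PTR + (192.0.2.1)
"""

QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<type>\S+)")


def find_local_ptr_queries(log_text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (query name, decoded address or None) for every PTR query in the
    log that falls inside a locally-served reverse zone."""
    found = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("type") != "PTR":
            continue
        name = m.group("name")
        if is_locally_served(name):
            found.append((normalise(name), ptr_name_to_ip(name)))
    return found


if __name__ == "__main__":
    for name, ip in find_local_ptr_queries(SAMPLE_QUERY_LOG):
        print(f"{name} ({ip}) should be answered locally, not forwarded")
```

Running the script against the sample log flags the 10/8 and 192.168/16 lookups and the partial 172.20 name, while leaving the 172.32 name (outside 172.16/12) and the AS112 server's own address alone; in an environment where the resolver is correctly configured, any such hits in an upstream-facing query log point at a forwarder or appliance that is bypassing the local zones.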
Hi All
...and when you are trying to debug AS112 stuff you normally also want to try to run this:
--snip
# dig +short txt hostname.as112.arpa
"Unique IP: 91.206.52.250 / 2001:7f8:24::fa"
"See http://as112.net/ for more information."
"AS112 at SwissIX, http://www.swissix.ch, Zurich, Switzerland"
--snap
This will surface the name of the node you are ending up at. Running a traceroute will probably not help so much because, as you already correctly stated, this is an anycasted IP address. It may point you in the right direction, but it might as well misguide you.