Where do blackhole lookups go?

Blackhole servers are a curious necessity of the internet's domain name system, designed to prevent traffic with private IP addresses propagating on to the internet as a whole.

Let's consider a mail gateway named spice.example.net wanting to send mail to woodchuck.everything2.com.

spice contacts its local DNS server, which either knows the relevant IP for woodchuck.everything2.com, or refers the request to a more authoritative source. Let's say it refers to ns1.everything2.com, which gives the correct IP for the machine woodchuck. The mail is sent and all is well.

Now suppose woodchuck wants to know the hostname of the machine it's receiving mail from, to inform the receiver of the mail who it came from. It therefore does a reverse lookup of the IP address. To do this it inverts the IP address (say 202.11.43.9) and appends the reverse lookup domain. The new query is for 9.43.11.202.in-addr.arpa.

The authoritative response for this will of course be the record for spice.example.net. This request is usually cached by a more local DNS server, but occasionally querying a root DNS server may be required.

All well and good then? Consider what happens if woodchuck gets a packet off the local network, say from source IP 192.168.0.23. Ordinarily the local network infrastructure of everything2.com would recognise this and resolve it correctly. Lookups of internal addresses should not have to be handled by the wider internet. Ultimately no private IP traffic (192.168.x.x) should spill on to the public internet. However, if things at everything2.com are a bit broken then reverse lookup of a local address could be a problem. Fortunately this is where blackhole servers come into effect. Any lookup for a private address (e.g. 23.0.168.192.in-addr.arpa.) is dealt with by a blackhole server as an authoritative response.

This has three immediate benefits and innumerable side effects:
  • DNS servers don't get swamped handling bad requests, as each blackhole server gives an authoritative response so the request doesn't propagate further to a root server
  • The address resolves to an IP that munches all traffic it receives and does nothing about it - see later
  • Prevents pollution of DNS by ensuring all servers refer private IP reverse-lookups to a blackhole server and NOT a live machine
The first part merely reduces network congestion caused by badly configured hosts - ensuring that reverse lookups to private IPs get a response quickly, affecting as few machines as possible. The second ensures malformed traffic is disposed of and not routed to an incorrect host (bad if the incorrect host doesn't want the traffic, double bad if the contents were confidential and/or unencrypted).

Blackhole servers have more uses than merely reducing DNS pollution, however - mail servers use them a lot to decide whether to forward mail. A quick reverse lookup to a network specialising in e-mail abuse lets a mail server decide if mail from that host should be trusted. An example would be blackholes.mail-abuse.org

Most of this is fairly redundant, since most gateways refuse to route packets with addresses confined to a private network block. Despite this, the IANA blackhole servers handle many thousands of requests at a time. If you see DNS requests on your network being answered by an IANA blackhole server, you may want to take a serious look at how things are set up.
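One way to check for this on your own network, as an added example that is not part of the original writeup: build reverse-lookup names the way described above and flag PTR queries for private addresses in a resolver's outbound query log. The log format and sample lines are constructed for illustration, and the check covers all three RFC 1918 blocks rather than only the 192.168.x.x block named above.

```python
import ipaddress
from collections import Counter

# RFC 1918 private blocks. The writeup names only 192.168.x.x; the other two are added here.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reverse_name(ip):
    """Build the PTR query name: invert the octets and append in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def ptr_to_ip(qname):
    """Recover the IPv4 address from a full PTR name, or None if it is not one."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:  # non-numeric or out-of-range octet
        return None

def is_private_ptr(qname):
    """True if the name is a reverse lookup for an RFC 1918 address."""
    ip = ptr_to_ip(qname)
    return ip is not None and any(ip in net for net in PRIVATE_NETS)

# Constructed sample of queries a local resolver forwarded upstream.
# Hypothetical format: "<client> <qtype> <qname>"
SAMPLE_LOG = """\
10.1.1.5 PTR 9.43.11.202.in-addr.arpa.
10.1.1.5 PTR 23.0.168.192.in-addr.arpa.
10.1.1.7 A woodchuck.everything2.com.
10.1.1.7 PTR 4.3.20.172.in-addr.arpa.
10.1.1.5 PTR 1.0.0.10.IN-ADDR.ARPA.
10.1.1.9 PTR 1.0.32.172.in-addr.arpa.
"""

def leaking_clients(log_text):
    """Count, per client, forwarded PTR queries that ask about private addresses."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "PTR" and is_private_ptr(parts[2]):
            hits[parts[0]] += 1
    return dict(hits)

if __name__ == "__main__":
    for client, count in sorted(leaking_clients(SAMPLE_LOG).items()):
        print(client, count)
```

Clients that show up here are the ones whose reverse lookups for internal addresses are not being answered locally.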

In short, DNS blackhole servers work quietly in the background, clearing up the trash when other people don't play nice.

NB: Yes, mail usually does contain a FROM: field, but many servers look up and record the hostname anyway - mainly for tracing abuse and blocking open relays.

Please don't try either of these machines for connections - neither (should) exist. The example.net domain is reserved and everything2.com doesn't have a machine named woodchuck (yet).
