Where do blackhole lookups go?
Blackhole servers are a curious necessisty of the internet's domain name system designed to prevent traffic with private IP addresses propagating on to the internet as a whole.
Lets consider a mail gateway
wanting to send mail to woodchuck.everything2.com
contacts its local DNS
server, which either knows the relevant IP for woodchuck.everything2.com
, or refers the request to a more authoratative source. Lets say it refers to ns1.everything2.com
which gives the correct IP for the machine woodchuck
. The mail is sent and all is well.
Now suppose woodchuck
wants to know the hostname
of the machine its receiving mail from, to inform the receiver of the mail who it came from. It therefore does a reverse lookup
of the IP address. To do this it inverts the IP address (say 220.127.116.11) and appends the reverse lookup domain. The new query is for 18.104.22.168.in-addr.arpa.
The authoratative response for this will of course be the record for spice.example.net
. This request was usually cached by a more local DNS server, but occasionally querying a root DNS
server may be required.
All well and good then? Consider what happens if woodchuck
gets a packet of the local network, say from source IP 192.168.0.23. Ordinarily the local network infrastructure of everything2.com
would recognise this and resolve it correctly. Lookups of internal addresses should not have to be handled by the wider internet. Ultimately no private IP traffic (192.168.x.x) should spill on to the public internet.
However if things at everything2.com
are a bit broken then reverse lookup of a local address could be a problem. Fortunately this is where blackhole servers
come in to effect. Any lookup for a private address (eg. 22.214.171.124-in-addr.arpa.) is dealt with by a blackhole
server as an authoratative
This has three immediate benefits and inummerable side effects
- DNS servers don't get swamped handling bad requests as each blackhole server gives an authoratative response so the request doesn't propagate further to a root server
- The address resolves to an IP that munches all traffic it receives and does nothing about it - see later
- Prevents pollution of DNS by ensuring all servers refer private IP reverse-lookups to a blackhole server and NOT a live machine
The first part merely reduces network congestion
caused by badly configured hosts - ensuring that reverse lookups to private IP's get a response quickly, affecting as few machines as possible. The second ensures malformed
traffic is disposed
of and not routed
to an incorrect host (bad if the incorrect host doesn't want the traffic, double bad if the contents were confidential
servers have more uses than merely reducing DNS pollution
however - mail servers
use them a lot to determine if to forward mail. A quick reverse lookup
to a network specialising in e-mail abuse lets it decide if mail from that host should be trusted. An example would be blackholes.mail-abuse.org
Most of this is fairly redundant since most gateways refuse to route packets with addresses confined to a prviate network block. Despite this the IANA
blackhole servers handle many thousands of requests
at a time. If you see DNS requests on your network being answered by an IANA
blackhole server, you may want to take a serious look at how things are setup.
In short, DNS blackhole
servers work quietly in the background, clearing up the trash when other people don't play nice.
NB: Yes, mail usually does contain a FROM: field, but many servers lookup and record the hostname
anyway - mainly for tracing abuse
and blocking open relays
Please don't try either of these machines for connections - neither (should) exist. The exmaple.net domain is reserved and everything2.com doesn't have a machine named woodchuck (yet).