Blackhole Name Servers
If you are running a name server that serves your application or inner network in some way, and you start seeing a slowdown in reverse name resolution, check your logs (or, if you have no name server logs, tcpdump port 53) and search for queries sent to BLACKHOLE-1.IANA.ORG (192.175.48.6) or BLACKHOLE-2.IANA.ORG (192.175.48.42).
When I saw these for the first time I thought it was some Chris Cornell Joke.
If you’re seeing these and experience a slowdown, you have a problem — your name server is recursing and trying to resolve addresses in the reserved private space, instead of replying with an authoritative answer, or at least replying with a redirection.
There are two solutions (assuming you are using BIND):
- Configure your name server to be authoritative for the reserved space:
In /etc/named.conf:
    zone "0.0.10.in-addr.arpa" {
        type master;
        file "/var/named/0.0.10.in-addr.arpa.zone";
    };
And in the zone file /var/named/0.0.10.in-addr.arpa.zone, if for example you want 10.0.0.3 to resolve to web.example.com (note the trailing dots on the names, otherwise BIND appends the zone origin to them):
    $TTL 14400
    @   IN  SOA ns1.example.com. admin.example.com. (
            2009012501 ; serial
            28800      ; refresh
            604800     ; retry
            604800     ; expire
            86400 )    ; negative-caching TTL
        IN  NS  ns1.example.com.
    3   IN  PTR web.example.com.
- If you know (or can assume) there’s a name server along the way that is configured to reply authoritatively for these queries, configure your name server not to perform recursion. This way it replies to the query with “I don’t know who’s 10.0.0.3, go look for yourself, here’s a hint”.
In /etc/named.conf, add in the options context:
    recursion no;
Since there was indeed a name server configured properly to reply for all the 10.0.0.0/8 addresses in my network, and I only configured the inner name server to reply for what the application needed, adding the no recursion option solved the problem in my case.
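As an added example (not part of the original post), here is a small Python script that ties the two halves of the above together: it reads tcpdump port 53 output, picks out the PTR queries for RFC 1918 addresses that the resolver forwarded to the two IANA blackhole servers, and for each affected /24 reverse zone produces the zone stanza you would add to /etc/named.conf so the server answers locally instead. The capture lines, the resolver address 10.0.0.5 and the /var/named/<zone>.zone file layout are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# The two IANA blackhole servers named in the post.
BLACKHOLE_SERVERS = {"192.175.48.6", "192.175.48.42"}
# RFC 1918 ranges whose reverse zones a local server should answer itself.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed `tcpdump -n port 53` sample from an assumed resolver 10.0.0.5:
# four private-address PTR lookups leaking to the blackhole servers, one normal A lookup.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 10.0.0.5.41234 > 192.175.48.6.53: 10001+ PTR? 3.0.0.10.in-addr.arpa. (42)
12:00:01.000002 IP 10.0.0.5.41235 > 192.175.48.42.53: 10002+ PTR? 7.1.16.172.in-addr.arpa. (42)
12:00:01.000003 IP 10.0.0.5.41236 > 192.175.48.6.53: 10003+ PTR? 4.0.0.10.in-addr.arpa. (42)
12:00:01.000004 IP 10.0.0.5.41237 > 8.8.8.8.53: 10004+ A? www.example.com. (33)
12:00:01.000005 IP 10.0.0.5.41238 > 192.175.48.6.53: 10005+ PTR? 10.1.168.192.in-addr.arpa. (43)
"""
LINE_RE = re.compile(r"IP \S+ > (?P<dst>[\d.]+)\.53: \S+ PTR\? (?P<qname>\S+?)\.? \(")

def ptr_name_to_ip(qname):
    """'3.0.0.10.in-addr.arpa' -> IPv4Address('10.0.0.3'); None if not an IPv4 PTR name."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None

def reverse_zone_for(ip):
    """The /24 reverse zone covering ip, e.g. 10.0.0.3 -> '0.0.10.in-addr.arpa'."""
    o = str(ip).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"

def named_conf_stanza(zone):
    """The zone declaration for /etc/named.conf, in the form the post uses."""
    return f'zone "{zone}" {{ type master; file "/var/named/{zone}.zone"; }};'

def find_leaked_ptr_queries(tcpdump_text):
    """Count private-address PTR queries sent to the blackhole servers, per /24 reverse zone."""
    leaked = Counter()
    for line in tcpdump_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dst") not in BLACKHOLE_SERVERS:
            continue
        ip = ptr_name_to_ip(m.group("qname"))
        if ip is not None and any(ip in net for net in PRIVATE_NETS):
            leaked[reverse_zone_for(ip)] += 1
    return leaked
```

Running `find_leaked_ptr_queries(SAMPLE_TCPDUMP)` on the sample reports two leaked queries for 0.0.10.in-addr.arpa and one each for 1.16.172.in-addr.arpa and 1.168.192.in-addr.arpa; `named_conf_stanza` turns each of those into the stanza from the first solution above.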
By the way, adding “recursion no” to a name server that is only there to serve some specific application need is good practice both security-wise and performance-wise.
Oh, and here’s what IANA have to say about the blackhole servers. Creepy.
About this entry
You’re currently reading “Blackhole Name Servers,” an entry on Life Scaling
Published: 1.25.09 / 4pm
Tags: BIND, blackhole, DNS, IANA, in-addr.arpa, lookup, Name Resolving, named, reverse
I am Oren, and this is my blog. I am a techie entrepreneur, co-founder & CTO of