Life Scaling » Name Resolving http://orensol.com Oren Solomianik's Blog Mon, 21 Jun 2010 08:10:03 +0000 http://wordpress.org/?v=2.8.4 en hourly 1 Blackhole Name Servers http://orensol.com/2009/01/25/blackhole-name-servers/ http://orensol.com/2009/01/25/blackhole-name-servers/#comments Sun, 25 Jan 2009 16:37:37 +0000 Oren http://orensol.com/?p=49 If you are running a name server that’s serving your application or inner network in some way, and you start seeing a slowdown in reverse name resolution, you should check your logs (or if no name server logs, you can tcpdump port 53), and search for requests to BLACKHOLE-1.IANA.ORG (192.175.48.6) or BLACKHOLE-2.IANA.ORG (192.175.48.42).

When I saw [...]]]> If you are running a name server that’s serving your application or inner network in some way, and you start seeing a slowdown in reverse name resolution, you should check your logs (or if no name server logs, you can tcpdump port 53), and search for requests to BLACKHOLE-1.IANA.ORG (192.175.48.6) or BLACKHOLE-2.IANA.ORG (192.175.48.42).

When I saw these for the first time I thought it was some Chris Cornell Joke.

If you’re seeing these and experience a slowdown, you have a problem — your name server is recursing and trying to resolve addresses in the reserved private space, instead of replying with an authoritative answer, or at least replying with a redirection.

There are 2 solutions (assuming you are using bind):

  1. Configure your name server to be authoritative for the reserved space:
    In /etc/named.conf:

    zone “0.0.10.in-addr.arpa” {
type master;
file/var/named/0.0.10.in-addr.arpa.zone”;
};

    And in the zone file /var/named/10.in-addr.arpa.zone, if for example you want 10.0.0.3 to resolve to web.example.com:

    $TTL 14400
@ IN SOA ns1.example.com. admin.example.com. (
2009012501;
28800;
604800;
604800;
86400
)
 
IN NS ns1.example.com.
3 IN PTR web.example.com
  2. If you know (or can assume) there’s a name server along the way that is configured to reply authoritatively for these queries, configure your name server to not perform recursion. This way it replies to the query with “I don’t know who’s 10.0.0.3, go look for yourself, here’s a hint”.In /etc/named.conf, add in options context: 
    recursion no;

Since there was indeed a name server configured properly to reply for all the 10.0.0.0/8 addresses in my network, and I only configured the inner name server to reply for what the application needed, adding the no recursion option solved the problem in my case.

By the way, adding “recursion no” to a name server that is only there to serve some specific application need is good practice both security-wise and performance-wise.

Oh, and here’s what IANA have to say about the blackhole servers. Creepy.

]]> http://orensol.com/2009/01/25/blackhole-name-servers/feed/ 0