Re: Queries to DNS Blackholes don't respond

2018-04-19 Thread Roberto Carna
Dear Darcy, now I understand what you mean.

Thanks for your great explanation of the possible reasons the
blackhole servers don't respond to me.

Thanks a lot !!!

2018-04-18 17:35 GMT-03:00 Darcy Kevin (FCA) <kevin.da...@fcagroup.com>:
> Sorry, but the "that's what they're there for" argument is often misapplied 
> to justify reckless, irresponsible or just plain unauthorized use of 
> resources, and I think this is an example of that.
>
> The AS112 project (https://www.as112.net/), who collectively run those 
> "blackhole" servers, set them up to answer queries that leak out 
> *unintentionally*. RFC 6303, among other documents, makes it quite clear that 
> DNS operators SHOULD define the RFC 1918 zones, and zones associated with 
> reverse-IPv6 and other "special" address ranges, locally, either explicitly 
> or by using the built-in mechanisms of the DNS software, in order to 
> *prevent* those queries leaking out and having to be answered by the AS112 
> servers. Your attitude of "I'll just use the AS112 servers because that's 
> what they're there for" amounts to *abusing* resources -- that in most cases 
> are provided by volunteers -- that were set up to help protect the Internet 
> DNS infrastructure from misconfiguration and/or deliberate assault. Please do 
> the right and responsible thing. Don't be part of the problem.
>
> Having said that, if, out of idle curiosity, you want to know why you're not 
> getting answers from your closest AS112 Anycast node, I'd start by looking at 
> the problem from the routing perspective. Anycast routing can be tricky 
> sometimes (in my case, a traceroute shows a path going directly from our 
> border router through some ALTER.NET hops, but your mileage may vary). Or 
> maybe the operator of that node is having a problem with their nameserver. 
> Another possibility is that an intermediate IPS (Intrusion Prevention System 
> or Service), or firewall, is configured to drop your query packets or the 
> responses (RFC 6305 focuses on that particular scenario, although its main 
> recommendation for mitigation is to not send the queries to the AS112 servers 
> in the first place).
>
> - Kevin
>
>
>
> -Original Message-
> From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Roberto Carna
> Sent: Wednesday, April 18, 2018 11:31 AM
> To: bind-users@lists.isc.org
> Subject: Re: Queries to DNS Blackholes don't respond
>
> Dear people, I know the best way is to make in-addr.arpa local zones in my 
> BIND.
>
> But I also think the BLACKHOLE SERVERS can be used, because they were created 
> for this reason: to respond to RFC 1918 network queries.
>
> So why don't the BLACKHOLE servers respond anymore? Just one time I could 
> get a response from them.
>
> Regards!!!
>
> 2018-04-18 11:53 GMT-03:00 /dev/rob0 <r...@gmx.co.uk>:
>> On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
>>> Dear, I have implemented a BIND9 server. It works OK, but some days
>>> ago an application failed because it needed to resolve the reverse of
>>> some IP addresses from range 10.x.x.x, and they waited for a long
>>> time and failed, because they need an NXDOMAIN fast response.
>>>
>>> I don't want to make a local zone 10.IN-ADDR.ARPA,
>>
>> You don't need to.  See the "built-in empty zones" section of the BIND
>> 9 ARM, chapter 6.
>>
>>> because I want to
>>> use the two public nameservers from Internet:
>>>
>>> BLACKHOLE-1.IANA.ORG (192.175.48.6)
>>> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>>
>> What??  Why?  Those are not supposed to be used.  BIND now includes
>> empty zones for all RFC 1918 and other reserved netblocks which
>> shouldn't ever appear on the open Internet.
>>
>> If you use some of these networks inside your organization, you can
>> have authoritative zones for the corresponding in-addr.arpa zones.
>>
>> [snip]
>>> Is it OK that I do this? Are blackhole servers useful for this purpose?
>>
>> Not at all.  That's why we have the automatic empty zones.  Sadly,
>> many distributors are not aware of the feature, so they distribute
>> named.conf with kludges.
>> --
>>   http://rob0.nodns4.us/
>>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>> ___
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bi

Re: Queries to DNS Blackholes don't respond

2018-04-18 Thread Mark Andrews
They were created as sacrificial servers to protect the arpa servers. If you 
use RFC 1918 addresses you are supposed to run your own servers. Read RFC 1918 
about not leaking stuff. 

-- 
Mark Andrews

> On 19 Apr 2018, at 01:30, Roberto Carna  wrote:
> 
> Dear people, I know the best way is to make in-addr.arpa local zones in my 
> BIND.
> 
> But I also think the BLACKHOLE SERVERS can be used, because they were
> created for this reason: to respond to RFC 1918 network queries.
> 
> So why don't the BLACKHOLE servers respond anymore? Just one time I
> could get a response from them.
> 
> Regards!!!
> 
> 2018-04-18 11:53 GMT-03:00 /dev/rob0 :
>>> On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
>>> Dear, I have implemented a BIND9 server. It works OK, but some days
>>> ago an application failed because it needed to resolve the reverse of
>>> some IP addresses from range 10.x.x.x, and they waited for a long time
>>> and failed, because they need an NXDOMAIN fast response.
>>> 
>>> I don't want to make a local zone 10.IN-ADDR.ARPA,
>> 
>> You don't need to.  See the "built-in empty zones" section of the
>> BIND 9 ARM, chapter 6.
>> 
>>> because I want to
>>> use the two public nameservers from Internet:
>>> 
>>> BLACKHOLE-1.IANA.ORG (192.175.48.6)
>>> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>> 
>> What??  Why?  Those are not supposed to be used.  BIND now includes
>> empty zones for all RFC 1918 and other reserved netblocks which
>> shouldn't ever appear on the open Internet.
>> 
>> If you use some of these networks inside your organization, you can
>> have authoritative zones for the corresponding in-addr.arpa zones.
>> 
>> [snip]
>>> Is it OK that I do this? Are blackhole servers useful for this purpose?
>> 
>> Not at all.  That's why we have the automatic empty zones.  Sadly,
>> many distributors are not aware of the feature, so they distribute
>> named.conf with kludges.
>> --
>>  http://rob0.nodns4.us/
>>  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Queries to DNS Blackholes don't respond

2018-04-18 Thread Roberto Carna
Dear people, I know the best way is to make in-addr.arpa local zones in my BIND.

But I also think the BLACKHOLE SERVERS can be used, because they were
created for this reason: to respond to RFC 1918 network queries.

So why don't the BLACKHOLE servers respond anymore? Just one time I
could get a response from them.

Regards!!!

2018-04-18 11:53 GMT-03:00 /dev/rob0 :
> On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
>> Dear, I have implemented a BIND9 server. It works OK, but some days
>> ago an application failed because it needed to resolve the reverse of
>> some IP addresses from range 10.x.x.x, and they waited for a long time
>> and failed, because they need an NXDOMAIN fast response.
>>
>> I don't want to make a local zone 10.IN-ADDR.ARPA,
>
> You don't need to.  See the "built-in empty zones" section of the
> BIND 9 ARM, chapter 6.
>
>> because I want to
>> use the two public nameservers from Internet:
>>
>> BLACKHOLE-1.IANA.ORG (192.175.48.6)
>> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>
> What??  Why?  Those are not supposed to be used.  BIND now includes
> empty zones for all RFC 1918 and other reserved netblocks which
> shouldn't ever appear on the open Internet.
>
> If you use some of these networks inside your organization, you can
> have authoritative zones for the corresponding in-addr.arpa zones.
>
> [snip]
>> Is it OK that I do this? Are blackhole servers useful for this purpose?
>
> Not at all.  That's why we have the automatic empty zones.  Sadly,
> many distributors are not aware of the feature, so they distribute
> named.conf with kludges.
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Queries to DNS Blackholes don't respond

2018-04-18 Thread Roberto Carna
Sorry, after successfully querying the DNS Blackholes, I repeated the
command and the same servers couldn't be reached anymore:

DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.6
;; connection timed out; no servers could be reached

DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.42
;; connection timed out; no servers could be reached

I don't know why the DNS Blackholes don't always respond. I
continue querying the DNS Blackholes and they can't be reached
anymore. Why?

Thanks a lot again.

2018-04-18 11:44 GMT-03:00 Roberto Carna :
> Dear, I have implemented a BIND9 server. It works OK, but some days
> ago an application failed because it needed to resolve the reverse of
> some IP addresses from range 10.x.x.x, and they waited for a long time
> and failed, because they need an NXDOMAIN fast response.
>
> I don't want to make a local zone 10.IN-ADDR.ARPA, because I want to
> use the two public nameservers from Internet:
>
> BLACKHOLE-1.IANA.ORG (192.175.48.6)
> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>
> When I query these DNS's from my console from the BIND server, and
> from any host I have available here, the result is this:
>
> root@DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.6
> Using domain server:
> Name: 192.175.48.6
> Address: 192.175.48.6#53
> Aliases:
>
> 10.in-addr.arpa name server blackhole-2.iana.org.
> 10.in-addr.arpa name server blackhole-1.iana.org.
>
> and finally I get the NXDOMAIN I need:
>
> DNS:~# host -t NS 10.10.12.1 192.175.48.6
> Using domain server:
> Name: 192.175.48.6
> Address: 192.175.48.6#53
> Aliases:
>
> Host 1.12.10.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> Is it OK that I do this? Are blackhole servers useful for this purpose?
>
> Thanks a lot !!!


Re: Queries to DNS Blackholes don't respond

2018-04-18 Thread /dev/rob0
On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
> Dear, I have implemented a BIND9 server. It works OK, but some days
> ago an application failed because it needed to resolve the reverse of
> some IP addresses from range 10.x.x.x, and they waited for a long time
> and failed, because they need an NXDOMAIN fast response.
> 
> I don't want to make a local zone 10.IN-ADDR.ARPA,

You don't need to.  See the "built-in empty zones" section of the 
BIND 9 ARM, chapter 6.

> because I want to
> use the two public nameservers from Internet:
> 
> BLACKHOLE-1.IANA.ORG (192.175.48.6)
> BLACKHOLE-2.IANA.ORG (192.175.48.42)

What??  Why?  Those are not supposed to be used.  BIND now includes 
empty zones for all RFC 1918 and other reserved netblocks which 
shouldn't ever appear on the open Internet.

If you use some of these networks inside your organization, you can 
have authoritative zones for the corresponding in-addr.arpa zones.

[snip]
> Is it OK that I do this? Are blackhole servers useful for this purpose?

Not at all.  That's why we have the automatic empty zones.  Sadly, 
many distributors are not aware of the feature, so they distribute 
named.conf with kludges.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
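Worked example, added here and not code from the thread or from ISC: rob0's point is that the reverse zones for RFC 1918 space (and, per Darcy's reference to RFC 6303, loopback, link-local and the documentation prefixes) should be answered locally by the resolver's built-in empty zones or by an authoritative zone you run yourself, never by the AS112 servers. The script below derives the in-addr.arpa zone names from a list of CIDRs (showing why 172.16.0.0/12 becomes sixteen zones), scans constructed BIND query-log lines for PTR lookups that fall inside one of those zones, and renders a plain BIND 9 `zone` stanza for the case where you actually use a range and want real PTR records. The range list is an illustrative subset of RFC 6303, not BIND's exact built-in list; the log lines, the `named_conf_stanza` helper and the zone-file path are assumptions for the example.

```python
"""Which reverse-DNS queries should never leave a resolver?

Added example (not from the bind-users thread or from ISC). Standard
library only, so it runs offline.
"""
import ipaddress
import re

# Illustrative subset of the IPv4 ranges in RFC 6303 (RFC 1918 space plus
# loopback, link-local and the documentation prefixes). Not the complete
# RFC 6303 list and not a statement of BIND's exact built-in list.
LOCAL_REVERSE_RANGES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
]


def reverse_zones_for(cidr):
    """in-addr.arpa zone names covering one IPv4 CIDR.

    Reverse zones cut on octet boundaries, so a prefix that is not a multiple
    of 8 (172.16.0.0/12) expands to several zones (16.172 ... 31.172).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    octets = -(-net.prefixlen // 8)               # round up to whole octets
    zone_prefix = octets * 8
    subnets = [net] if zone_prefix == net.prefixlen else net.subnets(new_prefix=zone_prefix)
    zones = []
    for sub in subnets:
        labels = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


LOCAL_REVERSE_ZONES = [z for cidr in LOCAL_REVERSE_RANGES for z in reverse_zones_for(cidr)]


def covering_zone(qname, zones=LOCAL_REVERSE_ZONES):
    """Longest zone in `zones` that contains qname, or None if nothing local covers it."""
    name = qname.lower().rstrip(".")
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


# Constructed sample of BIND 9 "queries" category log lines (client address,
# query name, class and type); not output from the thread.
SAMPLE_QUERY_LOG = """\
18-Apr-2018 11:40:01.123 queries: info: client 192.0.2.10#53211 (1.12.10.10.in-addr.arpa): query: 1.12.10.10.in-addr.arpa IN PTR + (192.0.2.1)
18-Apr-2018 11:40:02.456 queries: info: client 192.0.2.11#40012 (www.example.com): query: www.example.com IN A +E (192.0.2.1)
18-Apr-2018 11:40:03.789 queries: info: client 192.0.2.12#51000 (9.7.20.172.in-addr.arpa): query: 9.7.20.172.in-addr.arpa IN PTR + (192.0.2.1)
18-Apr-2018 11:40:04.000 queries: info: client 192.0.2.13#60001 (4.3.2.1.in-addr.arpa): query: 4.3.2.1.in-addr.arpa IN PTR + (192.0.2.1)
"""

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def find_local_reverse_queries(log_text, zones=LOCAL_REVERSE_ZONES):
    """(qname, qtype, zone) for every logged query that a local empty or
    authoritative zone should answer instead of an AS112 server."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue
        zone = covering_zone(m.group("qname"), zones)
        if zone is not None:
            hits.append((m.group("qname"), m.group("qtype"), zone))
    return hits


def named_conf_stanza(zone, zonefile):
    """BIND 9 named.conf zone statement for serving `zone` authoritatively.
    `zonefile` is an assumed path for the example."""
    return 'zone "%s" {\n    type master;\n    file "%s";\n};' % (zone, zonefile)


if __name__ == "__main__":
    for qname, qtype, zone in find_local_reverse_queries(SAMPLE_QUERY_LOG):
        print("%-28s %-4s belongs to local zone %s" % (qname, qtype, zone))
    print(named_conf_stanza("10.in-addr.arpa", "/etc/bind/db.10.in-addr.arpa"))
```

Run against your own query log, a non-empty result means the resolver is either not running the built-in empty zones (BIND's `empty-zones-enable` option, on by default) or is being handed queries for a range you use internally but have no authoritative zone for; in the second case the rendered stanza, pointing at a zone file with your real PTR records, is the fix rob0 describes.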


Re: Queries to DNS Blackholes don't respond

2018-04-18 Thread Matus UHLAR - fantomas

On 18.04.18 11:44, Roberto Carna wrote:
> Dear, I have implemented a BIND9 server. It works OK, but some days
> ago an application failed because it needed to resolve the reverse of
> some IP addresses from range 10.x.x.x, and they waited for a long time
> and failed, because they need an NXDOMAIN fast response.
>
> I don't want to make a local zone 10.IN-ADDR.ARPA, because I want to
> use the two public nameservers from Internet:

10.* is a private IP range and no one from outside should respond to it.
You MUST configure those zones yourself, unless your provider gave them to
you - in that case ask your provider.

> BLACKHOLE-1.IANA.ORG (192.175.48.6)
> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>
> Is it OK that I do this? Are blackhole servers useful for this purpose?

I believe that the meaning of "blackhole" is that those servers will NOT
respond.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states. 


Queries to DNS Blackholes don't respond

2018-04-18 Thread Roberto Carna
Dear, I have implemented a BIND9 server. It works OK, but some days
ago an application failed because it needed to resolve the reverse of
some IP addresses from range 10.x.x.x, and they waited for a long time
and failed, because they need an NXDOMAIN fast response.

I don't want to make a local zone 10.IN-ADDR.ARPA, because I want to
use the two public nameservers from Internet:

BLACKHOLE-1.IANA.ORG (192.175.48.6)
BLACKHOLE-2.IANA.ORG (192.175.48.42)

When I query these DNS's from my console from the BIND server, and
from any host I have available here, the result is this:

root@DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.6
Using domain server:
Name: 192.175.48.6
Address: 192.175.48.6#53
Aliases:

10.in-addr.arpa name server blackhole-2.iana.org.
10.in-addr.arpa name server blackhole-1.iana.org.

and finally I get the NXDOMAIN I need:

DNS:~# host -t NS 10.10.12.1 192.175.48.6
Using domain server:
Name: 192.175.48.6
Address: 192.175.48.6#53
Aliases:

Host 1.12.10.10.in-addr.arpa. not found: 3(NXDOMAIN)

Is it OK that I do this? Are blackhole servers useful for this purpose?

Thanks a lot !!!