Where do blackhole lookups go?
Blackhole servers are a curious necessity of the internet's domain name system, designed to stop traffic for private IP addresses propagating onto the internet as a whole.
Let's consider a mail gateway named spice.example.net wanting to send mail to woodchuck.everything2.com. spice contacts its local DNS server, which either knows the relevant IP for woodchuck.everything2.com or refers the request to a more authoritative source. Let's say it refers to ns1.everything2.com, which gives the correct IP for the machine woodchuck. The mail is sent and all is well.
Now suppose woodchuck wants to know the hostname of the machine it's receiving mail from, to inform the recipient of the mail who it came from. It therefore does a reverse lookup of the IP address. To do this it inverts the IP address (say 202.11.43.9) and appends the reverse lookup domain. The new query is for 9.43.11.202.in-addr.arpa. The authoritative response for this will of course be the record for spice.example.net. The answer to this request is usually cached by a more local DNS server, but occasionally querying a root DNS server may be required.
All well and good then? Consider what happens if woodchuck gets a packet off the local network, say from source IP 192.168.0.23. Ordinarily the local network infrastructure of everything2.com would recognise this and resolve it correctly. Lookups of internal addresses should not have to be handled by the wider internet; ultimately no private IP traffic (192.168.x.x) should spill onto the public internet.
However, if things at everything2.com are a bit broken, then a reverse lookup of a local address could be a problem. Fortunately this is where blackhole servers come into effect. Any lookup for a private address (e.g. 23.0.168.192.in-addr.arpa.) is dealt with by a blackhole server as an authoritative response.
This has three immediate benefits and innumerable side effects:
- DNS servers don't get swamped handling bad requests, as each blackhole server gives an authoritative response so the request doesn't propagate further to a root server.
- The address resolves to an IP that munches all traffic it receives and does nothing with it (see later).
- It prevents pollution of DNS by ensuring all servers refer private IP reverse lookups to a blackhole server and NOT to a live machine.
The first part merely reduces network congestion caused by badly configured hosts, ensuring that reverse lookups of private IPs get a response quickly and affect as few machines as possible. The second ensures malformed traffic is disposed of and not routed to an incorrect host (bad if the incorrect host doesn't want the traffic, double bad if the contents were confidential and/or unencrypted).
Blackhole servers have more uses than merely reducing DNS pollution, however: mail servers use them a lot to decide whether to forward mail. A quick reverse lookup to a network specialising in e-mail abuse lets a mail server decide if mail from that host should be trusted. An example would be blackholes.mail-abuse.org.
Most of this is fairly redundant, since most gateways refuse to route packets with addresses confined to a private network block. Despite this, the IANA blackhole servers handle many thousands of requests at a time. If you see DNS requests on your network being answered by an IANA blackhole server, you may want to take a serious look at how things are set up.
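As an added example (not part of the original writeup), here is a small Python script that builds the in-addr.arpa name the way described above, then scans a few constructed resolver log lines for PTR queries of RFC 1918 addresses, the kind that should never need an IANA blackhole server to answer them. The log line format and client addresses are assumptions for the example.

```python
import ipaddress
import re

# RFC 1918 blocks: reverse lookups for these belong to the local DNS, never to a root or blackhole server.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed resolver log lines (format assumed; not from the original writeup).
SAMPLE_LOG = """\
client 10.0.0.5 query: 9.43.11.202.in-addr.arpa IN PTR
client 10.0.0.5 query: 23.0.168.192.in-addr.arpa IN PTR
client 10.0.0.7 query: woodchuck.everything2.com IN A
client 10.0.0.9 query: 1.2.16.172.in-addr.arpa IN PTR
client 10.0.0.9 query: 42.0.0.10.in-addr.arpa IN PTR
"""

def reverse_name(ip: str) -> str:
    """Build the PTR query name: invert the octets and append in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ip_from_reverse_name(name: str):
    """Undo reverse_name(); returns None if the name is not an IPv4 PTR name."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name)
    return ".".join(reversed(m.groups())) if m else None

def is_private_ptr(name: str) -> bool:
    """True when the PTR name refers to an RFC 1918 address."""
    ip = ip_from_reverse_name(name)
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. an octet above 255
        return False
    return any(addr in net for net in PRIVATE_NETS)

def leaked_private_lookups(log: str):
    """(client, name) pairs for PTR queries of private addresses seen in the log.
    These leaving your network is the sign the writeup says to look into."""
    hits = []
    for line in log.splitlines():
        m = re.search(r"client (\S+) query: (\S+) IN PTR\b", line)
        if m and is_private_ptr(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```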
In short, DNS blackhole servers work quietly in the background, clearing up the trash when other people don't play nice.
NB: Yes, mail usually does contain a FROM: field, but many servers look up and record the hostname anyway, mainly for tracing abuse and blocking open relays.
Please don't try either of these machines for connections; neither (should) exist. The example.net domain is reserved, and everything2.com doesn't have a machine named woodchuck (yet).