[as112-ops] Blocklist for AS112 servers?
Cox, Kenneth N
kenneth_n_cox at optum.com
Wed Jul 12 19:56:34 UTC 2023
Thank you.
I have already stopped sending DNS to the IANA servers, but corporate paperwork requires me to try and find out why it stopped to begin with.
-----Original Message-----
From: Matthew Pounsett <matt at dns-oarc.net>
Sent: Wednesday, July 12, 2023 2:34 PM
To: Cox, Kenneth N <kenneth_n_cox at optum.com>
Cc: as112-ops at lists.dns-oarc.net
Subject: Re: [as112-ops] Blocklist for AS112 servers?
> On Jul 12, 2023, at 12:06, Cox, Kenneth N via as112-ops <as112-ops at dns-oarc.net> wrote:
>
>
> From: "Cox, Kenneth N" <kenneth_n_cox at optum.com>
> Subject: Blocklist for AS112 servers?
> Date: July 12, 2023 at 12:06:22 EDT
> To: "as112-ops at lists.dns-oarc.net" <as112-ops at lists.dns-oarc.net>
>
>
> My organization, Optum / UnitedHealthGroup, has been sending DNS
> traffic to the iana blackhole servers at 192.175.48.6 and
> 192.175.48.42- from the following ip addresses:
> 198.203.177.177
> 198.203.175.175
> 198.203.181.181 As of June 7 we stopped receiving replies from the blackhole servers.
> I am trying to diagnose whether this is a routing issue or whether we
> have been blocked for high traffic volume.
> Is there a blocklist for servers used by iana blackhole servers?
There's no general blocklist. And rather than you being blocked, it seems much more likely there's a configuration issue at which ever node is receiving your queries.
As the blackhole servers are anycasted across dozens of organizations, there's no easy central way to figure out where your queries are going. If you can trace to the name server addresses from the affected servers, that will help narrow down which organization/instance is actually receiving your queries. I usually suggest `mtr -wb <address>` to people, for that.
You can compare the host names of the last few hops, or look at whois for the IP addresses of those hops, to figure out what organization is at the end of the trace route, and compare that to the operator listing at <https://www.as112.net/ops-listing.html>.
If that doesn't pan out, it's possible someone on this list might recognize their own network in the trace.
Of course, you could solve the entire problem by configuring your name servers not to send queries to the blackhole servers, by answering for the RFC1918 address blocks themselves. The reason the AS112 "blackhole" servers are there are to collect queries that should never see the public Internet anyway.
Matt Pounsett
DNS-OARC Systems Engineering
This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity
to which it is addressed. If the reader of this e-mail is not the intended
recipient or intended recipient’s authorized agent, the reader is hereby
notified that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.
More information about the as112-ops
mailing list