[dns-operations] Blackhole IANA question

Frank Habicht geier at geier.ne.tz
Thu Aug 5 13:34:08 UTC 2010


On 8/5/2010 4:24 PM, Phil Regnauld wrote:
> 	You shouldn't be getting a timeout.  What you should be getting
> 	is NXDOMAIN from the blackhole servers, for anything in the RFC1918
> 	ranges.  Please use dig or host instead of nslookup, as nslookup
> 	makes a number of assumptions about your environment, and doesn't
> 	provide detailed output.

>> > Can you tell me if there is any problem with your blackhole servers ? The
>> > problem is mine?
> 	What does traceroute do these servers show ?

you shouldn't be sending out these queries in the first place.
those dns servers outside can not possibly tell you anything useful
about your internal private ip addresses. that's why they will (should)
answer NXDOMAIN.

you can look at fixing connectivity with your nearest AS112. Well, you
_should_ because there's an issue somewhere.
But you can also stop sending these queries out - have your resolvers
serve these zones directly without asking outsiders.
3 relevant documents are to become RFCs "soon".


More information about the dns-operations mailing list