[dns-operations] Looking for a public blackhole/sinkhole IP address
edmonds at mycre.ws
Wed Nov 26 23:43:23 UTC 2014
Joe Abley wrote:
> On 26 Nov 2014, at 14:06, Warren Kumari <warren at kumari.net> wrote:
> > What's wrong with 127.0.0.1? It makes it clear what the intent is, and
> > you don't get a much more distributed sinkhole than that...
> I'm always wary of using 127.0.0.1 for anything that doesn't really mean "you should talk to yourself". Without a comprehensive knowledge of the impact, you don't know what you're blowing up.
Indeed, some recursive DNS servers won't even attempt to send queries to
127.0.0.1 by default. (Unbound's "do-not-query-localhost: yes"
> > If there really is a use case, let's try and get a block allocated,
> > and encourage folk to anycast -> null0 for this.
> Needs text. Not submitted. Co-authors welcome.
> A common method for dealing with unwanted traffic is to direct that
> traffic at nominated addresses within a network that are null-routed;
> that is, packets with such destination addresses are discarded
> silently by routers with a null route for that destination
> configured. These addresses are colloquially known as sinkholes, by
> analogy with the same term used in Physical Geography to describe a
> hole in the ground formed by some form of collapse of the surface
> layer, into which objects may fall and be lost forever.
My colloquial understanding is that a "blackhole" discards traffic while
a "sinkhole" is a routed network address which gathers information from
the inbound packets. Some even use the term "sinkhole" to mean a
network address that returns application-specific responses. E.g., the
Conficker Working Group deployed "HTTP sinkholes" which listen on 80/tcp
and capture HTTP requests from infected hosts.
So, I would consider s/sinkhole/blackhole/g, at least.
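
The distinction drawn in this message, as an added example that is not part of the original post and is not the Conficker Working Group's code: a blackhole has no listener at all (packets are null-routed), while an HTTP sinkhole accepts the connection and records what the client sent. The names `CAPTURED`, `parse_request` and `SinkholeHandler`, and the loopback port 8080, are assumptions made for illustration.

```python
import socket
import socketserver
from datetime import datetime, timezone

CAPTURED = []  # one dict per connection the sinkhole has seen


def parse_request(raw: bytes) -> dict:
    """Pull the request line and identifying headers out of raw HTTP bytes."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {
        "method": parts[0],
        "path": parts[1] if len(parts) > 1 else "",
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),
    }


class SinkholeHandler(socketserver.BaseRequestHandler):
    """Record who connected and what they asked for, then answer blandly."""
    def handle(self):
        self.request.settimeout(2.0)
        raw = b""
        try:
            # Read only the header block, capped so a client cannot exhaust memory.
            while b"\r\n\r\n" not in raw and len(raw) < 8192:
                chunk = self.request.recv(1024)
                if not chunk:
                    break
                raw += chunk
        except socket.timeout:
            pass
        record = parse_request(raw)
        record["src"] = self.client_address[0]
        record["seen"] = datetime.now(timezone.utc).isoformat()
        CAPTURED.append(record)
        self.request.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")


if __name__ == "__main__":
    # Port 8080 on loopback is an assumption for local testing, not 80/tcp.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 8080), SinkholeHandler) as srv:
        srv.serve_forever()
```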