[dns-operations] Looking for a public blackhole/sinkhole IP address

Mark Andrews marka at isc.org
Thu Nov 27 03:37:35 UTC 2014


In message <547691E9.1080607 at redbarn.org>, Paul Vixie writes:
> 
> > Robert Edmonds <mailto:edmonds at mycre.ws>
> > Wednesday, November 26, 2014 4:59 PM
> >
> > What about specifying *no* nameservers? That is, delegating the domain
> > name to a nonexistent nameserver name within an intentionally empty
> > sacrificial zone with a lengthy negative TTL.
> 
> experience and observation say that even with a lengthy negative ttl,
> there will be an awful lot of queries sent to the closest enclosing NS
> RRset for that nameserver name. there would also be a large volume of
> syslog traffic worldwide concerning this misconfiguration.
> 
> something like AS112 would be best -- a real address that can be sunk or
> dunked by anyone.
> 
> -- 
> Paul Vixie
> 

I would say CNAME/DNAME with a week-long TTL to one of the non-RFC
1918 or ULA default local zones, but IANA has been tardy about getting
the insecure delegations in place to break the DNSSEC chains of
trust.  That way default-local-zone-aware recursive servers would
answer negatively to the querier and you have a long-lived cached
record to slow the rate of queries from the recursive servers.

e.g. 0.in-addr.arpa.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
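As an added illustration (not part of the thread, and not code from ISC or from BIND), the following Python model walks through the mechanism Mark describes: a sinkhole owner whose apex is CNAMEd, and whose subtree is DNAMEd, into 0.in-addr.arpa with a week-long TTL, so that a recursive server which serves the RFC 6303 default local zones answers the rewritten name negatively itself instead of sending it upstream. The sinkhole name `sink.example`, the query names, and the subset of RFC 6303 zones listed are assumptions chosen for the example.

```python
"""Model of sinkholing a name into an RFC 6303 default local zone via CNAME/DNAME.

Added example; not part of the dns-operations thread. The sinkhole zone below
is constructed for illustration.
"""
from typing import Optional, Tuple

# Subset of the RFC 6303 default local zones (the full list is in RFC 6303
# section 4). None of these is the root, which keeps is_below() simple.
DEFAULT_LOCAL_ZONES = (
    "0.in-addr.arpa.", "127.in-addr.arpa.", "10.in-addr.arpa.",
    "168.192.in-addr.arpa.", "254.169.in-addr.arpa.",
    "255.255.255.255.in-addr.arpa.", "d.f.ip6.arpa.",
)

WEEK = 7 * 24 * 3600  # the "week long ttl" from the post, in seconds

# Constructed sinkhole zone, shaped as the post suggests: the apex is CNAMEd
# into 0.in-addr.arpa (a DNAME does not cover its own owner, RFC 6672 2.1),
# and everything below the apex is DNAMEd there. Both records carry WEEK.
SINKHOLE = {"owner": "sink.example.", "target": "0.in-addr.arpa.", "ttl": WEEK}


def canonical(name: str) -> str:
    """Lower-case and make fully qualified so comparisons are label-wise exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def labels(name: str) -> list:
    """Split a (non-root) name into its labels, most specific first."""
    return canonical(name).rstrip(".").split(".")


def is_below(name: str, zone: str) -> bool:
    """True when name is strictly below zone (zone must not be the root)."""
    n, z = labels(name), labels(zone)
    return len(n) > len(z) and n[-len(z):] == z


def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """RFC 6672 section 2.2: for names strictly below owner, replace the owner
    suffix with target. Returns None when the DNAME does not apply."""
    if not is_below(qname, owner):
        return None
    n, o = labels(qname), labels(owner)
    prefix = n[: len(n) - len(o)]
    return ".".join(prefix + labels(target)) + "."


def resolve(qname: str, sinkhole: dict = SINKHOLE) -> Tuple[str, str, int]:
    """Model what a default-local-zone-aware recursive server does with qname.

    Returns (final_name, outcome, ttl_of_rewriting_record). Outcome is
    NXDOMAIN or NOERROR (a NODATA answer at the empty zone's apex) when the
    resolver answers from its local empty zone, or FORWARD when the query
    would leave the resolver for upstream servers.
    """
    q = canonical(qname)
    owner, target = canonical(sinkhole["owner"]), canonical(sinkhole["target"])
    if q == owner:
        final = target  # CNAME at the apex
    else:
        final = dname_substitute(q, owner, target)
        if final is None:
            return (q, "FORWARD", 0)  # not sunk: ordinary recursion
    for zone in DEFAULT_LOCAL_ZONES:
        if final == zone or is_below(final, zone):
            # RFC 6303: the zone is served locally and contains only apex
            # SOA/NS, so anything below it is NXDOMAIN; nothing goes upstream,
            # and the week-long CNAME/DNAME stays cached meanwhile.
            return (final, "NOERROR" if final == zone else "NXDOMAIN", sinkhole["ttl"])
    return (final, "FORWARD", sinkhole["ttl"])


if __name__ == "__main__":
    for name in ("evil.sink.example.", "www.evil.sink.example", "sink.example.", "www.isc.org."):
        print(name, "->", resolve(name))
```

The model assumes the recursive server actually serves the default local zones; a resolver that does not, or a validating resolver chasing the rewritten name into in-addr.arpa, is the situation behind the post's remark about missing insecure delegations, and is not modelled here.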


