DNS Blackhole (AS112) Service

Domain Name System resolvers can erroneously perform DNS lookups associated with private-use IP addresses, which generates a significant amount of undesirable Internet traffic. To combat this, a number of "blackhole" or "sinkhole" DNS servers exist to capture this traffic and reduce the load of DNS lookups.

IANA provides parts of this infrastructure. The techniques used to blackhole this traffic use the hostnames blackhole-1.iana.org, blackhole-2.iana.org, prisoner.iana.org, blackhole.as112.arpa and empty.as112.arpa.

The primary use of these servers is for reverse DNS lookups associated with private-use IP addresses. These addresses are reserved for use on private intranets, and should never appear on the public internet. These addresses, like 192.168.0.1, are frequently used in small office or home networking products like routers, gateways, or firewalls.

Blackhole Server Operations

DNS Blackhole servers are operated by a community of volunteers who establish servers on the Internet that act as a sinkhole for the erroneous DNS traffic. These volunteers organize under the umbrella of the AS112 project — named after a designated autonomous system (AS) number used to route this traffic to the blackhole servers.

Information about the operators and how to volunteer is posted at the AS112 Project website.

Common Questions

What are "inverse" or "reverse" queries?

With normal ("forward") queries the domain name system responds with an address (e.g., "192.0.34.162") when given a name (e.g., "www.iana.org"). Inverse ("reverse") queries do the reverse – the domain name system returns the name ("www.iana.org") when given the address ("192.0.34.162"). While inverse queries are rare from a human perspective, some network services automatically do an inverse lookup whenever they process a request from a particular IP address, and consequently they form a significant part of DNS network traffic.

Why do we need the blackhole servers?

Strictly speaking, we don't need the blackhole servers. However, DNS clients will sometimes remember the results from previous queries (that is, "good" answers to queries are cached), and the blackhole servers are configured to return answers that DNS clients can cache. This allows the clients to rely on their cached answers, instead of sending another query, which in turn reduces the overall amount of traffic on the Internet. Since the RFC 1918 addresses should never be used on the public Internet, there should be no names in the public DNS that refer to them. Hence, an inverse lookup on one of these addresses should never work. The blackhole servers respond to these inverse queries, and always return an answer that says, authoritatively, that "this address does not exist". Because of the caching noted above, this is far better than simply not responding at all, so the blackhole servers are provided as a public service.

How busy are the blackhole servers?

While rates vary, the blackhole servers generally answer thousands of queries per second. In the past couple of years the number of queries to the blackhole servers has increased dramatically. It is believed that the large majority of those queries occur because of "leakage" from intranets that are using the RFC 1918 private addresses. This can happen if the private intranet is internally using services that automatically do reverse queries, and the local DNS resolver needs to go outside the intranet to resolve these names. For well-configured intranets, this shouldn't happen. Users of private address space should have their local DNS configured to provide responses to inverse lookups in the private address space.
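To find which internal hosts are the source of this leakage, a resolver's log of upstream queries can be checked for reverse names that fall inside the RFC 1918 blocks. The following is an added example, not IANA or AS112 project code; the log format (client, query name, query type), the sample lines and the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# RFC 1918 private-use blocks; their reverse zones should be answered locally.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reverse_name_to_network(qname):
    """Map an in-addr.arpa name to the IPv4 network it covers, else None.
    Full names (4 labels) give a /32; partial names such as
    '168.192.in-addr.arpa' (2 labels) give the enclosing /16."""
    name = qname.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if not 1 <= len(labels) <= 4:
        return None
    if not all(l.isascii() and l.isdigit() and int(l) <= 255 for l in labels):
        return None
    # Labels are in reverse order; pad missing low-order octets with zero.
    octets = [str(int(l)) for l in reversed(labels)] + ["0"] * (4 - len(labels))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{8 * len(labels)}")

def is_private_reverse(qname):
    """True if the name lies wholly inside an RFC 1918 reverse zone."""
    net = reverse_name_to_network(qname)
    return net is not None and any(net.subnet_of(p) for p in RFC1918)

def leaking_clients(log_text):
    """Count, per client, upstream queries for RFC 1918 reverse names."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3 and is_private_reverse(fields[1]):
            counts[fields[0]] += 1
    return counts

# Constructed sample: "<client> <qname> <qtype>" per query sent upstream.
SAMPLE_LOG = """\
10.1.4.20 1.0.168.192.in-addr.arpa. PTR
10.1.4.20 35.35.168.192.in-addr.arpa. PTR
10.1.7.9 162.34.0.192.in-addr.arpa. PTR
10.1.7.9 www.iana.org. A
10.1.9.3 5.2.31.172.in-addr.arpa. PTR
10.1.9.3 5.2.32.172.in-addr.arpa. PTR
10.1.9.3 168.192.in-addr.arpa. SOA
"""

if __name__ == "__main__":
    for client, n in leaking_clients(SAMPLE_LOG).most_common():
        print(f"{client}: {n} private reverse queries sent upstream")
```

Clients that appear in the result are asking for names the local DNS should be answering itself.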

It looks like the blackhole servers are attacking my network/host. Could it be that a hacker has taken over the servers, and is attacking other systems?

No system is totally safe from hackers, and the blackhole servers are no exception. However, the effect you are seeing very likely has another cause. Because of their special function, there are a number of reasons why the blackhole servers may appear in your logs or elsewhere that have nothing to do with hacking. DNS configuration, especially in an environment where the RFC 1918 addresses are being used, can be tricky. Firewall configurations can make things even more complicated. If, for example, your system is configured to allow all outgoing packets, but to block most incoming packets, then it may be that your DNS client is in fact sending inverse queries to the blackhole servers, but blocking (and logging) the returning answers.

It is also true that other activities of hackers can make the blackhole servers show up in your logs. It is possible to construct network packets with forged source addresses that are in the RFC 1918 ranges. A hacker, for example, could construct a packet that appears to come from 192.168.35.35 and send it to your network. Sometimes there are large-scale denial-of-service attacks that use a flood of such “spoofed” packets. The result might be a large number of queries coming to the blackhole servers, which may themselves be overloaded with query traffic. Under conditions of heavy load, the servers may drop packets, and not respond correctly to some queries. This may cause odd messages to appear in the error logs of either the attacking or the attacked host. (In large-scale "distributed denial of service" attacks, many systems are taken over by hackers, and these systems are used to attack some victim. The owners of the attacking systems may not even be aware that they have been taken over by a hacker.)

What can I do about the messages in my logs?

The best way to solve this problem is to set up DNS on your local network. Unfortunately, this can be complicated, and may not in practice be possible.

Is there anything more than just logs at issue?

Possibly. But you should make every effort to fix the problem from your end, because episodes of overload to the blackhole servers are becoming more common, and that can have more serious consequences.

Published 2010-06-15, last revised 2024-01-26.