Don’t talk to the prisoner

I know that it sounds like a bad line from a movie, but it is really a valid point in computing too. So which prisoner am I speaking of? Let's see if you can guess. Your options are:

  • The Beagle Boys, you know from Donald Duck.
  • prisoner.iana.org, one of the servers that blackholes bad DNS queries.
  • Al Capone, the famous gangster.
  • Aung San Suu Kyi, political prisoner of Burma.

Well, even if I think most of these prisoners are interesting, today my plan is to write about prisoner.iana.org.

Why and how we can avoid it.

Prisoner.iana.org and its buddies blackhole-1.iana.org and blackhole-2.iana.org answer RFC 1918 reverse lookups that get out into the wild. So what is RFC 1918? That Request for Comments specifies which IPv4 addresses are allowed for private use. These addresses are used by countless companies and homes. So reverse lookups for these addresses should never be sent outside of your company or home; otherwise prisoner.iana.org or its buddies will answer.

So what reverse zones should I have in my DNS to be a good net user? There is an RFC, number 6303, which specifies which reverse zones one should make sure to have:

RFC1918 reverse zones

Network           Zone
10.0.0.0/8        10.in-addr.arpa
172.16.0.0/16     16.172.in-addr.arpa
172.17.0.0/16     17.172.in-addr.arpa
172.18.0.0/16     18.172.in-addr.arpa
172.19.0.0/16     19.172.in-addr.arpa
172.20.0.0/16     20.172.in-addr.arpa
172.21.0.0/16     21.172.in-addr.arpa
172.22.0.0/16     22.172.in-addr.arpa
172.23.0.0/16     23.172.in-addr.arpa
172.24.0.0/16     24.172.in-addr.arpa
172.25.0.0/16     25.172.in-addr.arpa
172.26.0.0/16     26.172.in-addr.arpa
172.27.0.0/16     27.172.in-addr.arpa
172.28.0.0/16     28.172.in-addr.arpa
172.29.0.0/16     29.172.in-addr.arpa
172.30.0.0/16     30.172.in-addr.arpa
172.31.0.0/16     31.172.in-addr.arpa
192.168.0.0/16    168.192.in-addr.arpa

Some bonuses that you should also have:

Network               Zone
0.0.0.0/0             0.in-addr.arpa
127.0.0.0/8           127.in-addr.arpa
169.254.0.0/16        254.169.in-addr.arpa
255.255.255.255/32    255.255.255.255.in-addr.arpa

IPv6 reverse zones that you should consider:

Zone
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
d.f.ip6.arpa
8.e.f.ip6.arpa
9.e.f.ip6.arpa
a.e.f.ip6.arpa
b.e.f.ip6.arpa

So by creating these zones you can help lower the hits on prisoner.iana.org and get a faster and more stable DNS environment.
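
An added example, not part of the original post: a small Python check that compares the zones a resolver serves locally against the zones listed above and flags the PTR query names that would still leave the network. The configured zone list and the sample addresses are constructed for illustration, and the function names are this example's own.

```python
import ipaddress

# Zones listed on this page: RFC 1918 reverse zones, the extras, and IPv6.
PAGE_ZONES = (
    ["10.in-addr.arpa", "168.192.in-addr.arpa"]
    + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]
    + ["0.in-addr.arpa", "127.in-addr.arpa", "254.169.in-addr.arpa",
       "255.255.255.255.in-addr.arpa",
       "0." * 32 + "ip6.arpa", "1." + "0." * 31 + "ip6.arpa",
       "d.f.ip6.arpa", "8.e.f.ip6.arpa", "9.e.f.ip6.arpa",
       "a.e.f.ip6.arpa", "b.e.f.ip6.arpa"]
)

def reverse_name(ip):
    """PTR query name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer

def covering_zone(qname, zones):
    """Longest zone in `zones` containing qname (label-aligned), or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def audit(configured, ptr_qnames):
    """Return (page zones not configured, PTR names that would leave the network)."""
    local = {z.lower().rstrip(".") for z in configured}
    missing = [z for z in PAGE_ZONES if z not in local]
    leaks = [q for q in ptr_qnames
             if covering_zone(q, PAGE_ZONES) and not covering_zone(q, local)]
    return missing, leaks

# Constructed sample: a resolver that only serves two of the zones locally,
# and PTR names as they might appear in its query log.
SAMPLE_CONFIGURED = ["10.in-addr.arpa.", "168.192.in-addr.arpa."]
SAMPLE_QUERIES = [reverse_name(ip) for ip in
                  ("10.1.2.3", "172.20.5.9", "8.8.8.8", "fe80::1")]

if __name__ == "__main__":
    missing, leaks = audit(SAMPLE_CONFIGURED, SAMPLE_QUERIES)
    print(f"{len(missing)} of {len(PAGE_ZONES)} zones missing")
    for q in leaks:
        print("would leak:", q)
```

The lookup for 8.8.8.8 is not flagged because it is an ordinary public reverse query, not one of the zones listed above.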
