Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: DNS requests for 1918 space

  • From: Crist Clark
  • Date: Tue Mar 16 13:10:52 2004

Geo. wrote:

> Can anyone point me at any papers that talk about security issues raised by
> private networks passing dns requests for RFC 1918 private address space out
> to their ISP's dns servers?

I've never seen the whole paper on the topic. Leaking the fact that
you use 10.10.10.0/24 or whatever internally is not a big deal. It's
security by obscurity of the very weak kind. Anyone with half of a clue
will drop traffic with a source or destination address of their internal
RFC1918 networks at the border, (and even if one uses registered
addresses internally, you would be dropping traffic with a source address
of the internal network from entering at the border). That's the "real"
security.

> I'm aware of the issues involved with an ISP passing the requests on to the
> root servers but was looking specifically for security type issues relating
> to a private network passing the requests out to their ISP's dns servers.

These requests will not go to the root servers any more than any other
reverse lookups ISP's DNS,

$ dig -x 10 ns
; <<>> DiG 8.3 <<>> -x ns
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUERY SECTION:
;; 10.in-addr.arpa, type = NS, class = IN

;; ANSWER SECTION:
10.in-addr.arpa. 1W IN NS blackhole-1.iana.org.
10.in-addr.arpa. 1W IN NS blackhole-2.iana.org.

;; ADDITIONAL SECTION:
blackhole-1.iana.org. 16m43s IN A 192.175.48.6
blackhole-2.iana.org. 16m43s IN A 192.175.48.42

;; Total query time: 53 msec
;; FROM: sec-tools.corp.globalstar.com to SERVER: default -- 207.88.152.10
;; WHEN: Tue Mar 16 09:53:44 2004

The IN-ADDR.ARPA delegations for RFC1918 space are just like any
other block. You'll just end up hitting IANA's blackhole servers,
and not all that much, the cache times are one week.

Of course, the obvious "fix" is to run your own internal DNS which
is authoritative for your RFC1918 addresses.
--
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387

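A worked example of the check a practitioner would run after reading this thread: scan a resolver's query log for reverse (in-addr.arpa) lookups that fall inside RFC 1918 space, and report which local reverse zone would have kept each one from leaving the network. This is added example code, not part of the original post or of any Merit/NANOG tooling. The log lines are constructed for the example in a BIND-9-like query-log format (an assumption about the format), and the zone list is the one an internal resolver would need to be authoritative for to answer these queries locally.

```python
"""Spot reverse (in-addr.arpa) lookups for RFC 1918 space in a resolver query log.

Added example; the log lines below are constructed, not captured traffic.
"""
import ipaddress
import re

# RFC 1918 private address blocks.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Reverse zones an internal resolver must serve itself (empty or populated) so
# that PTR/NS queries for private space are answered locally instead of being
# forwarded to the ISP and, from there, to IANA's blackhole servers.
LOCAL_REVERSE_ZONES = (
    ["10.in-addr.arpa"]
    + [f"{third}.172.in-addr.arpa" for third in range(16, 32)]
    + ["168.192.in-addr.arpa"]
)

# Constructed sample log in a BIND-9-style "query:" format (format is an assumption).
SAMPLE_LOG = """\
16-Mar-2004 09:53:44.101 client 10.1.2.3#3072: query: 10.2.1.10.in-addr.arpa IN PTR +
16-Mar-2004 09:53:44.205 client 10.1.2.3#3073: query: 10.in-addr.arpa IN NS +
16-Mar-2004 09:53:45.007 client 10.1.2.9#1025: query: 20.5.16.172.in-addr.arpa IN PTR +
16-Mar-2004 09:53:45.311 client 10.1.2.9#1026: query: 6.48.175.192.in-addr.arpa IN PTR +
16-Mar-2004 09:53:46.000 client 10.1.2.9#1027: query: www.example.com IN A +
16-Mar-2004 09:53:46.420 client 10.1.2.4#2044: query: 7.0.168.192.in-addr.arpa IN PTR +
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def reverse_name_to_network(qname):
    """Map an in-addr.arpa name, full or partial, to the IPv4 network it covers.

    '4.3.2.10.in-addr.arpa.' -> 10.2.3.4/32; '10.in-addr.arpa' -> 10.0.0.0/8.
    Returns None for names outside in-addr.arpa or with malformed octet labels.
    """
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2]
    if not 1 <= len(octets) <= 4:
        return None
    try:
        values = [int(o) for o in octets]
    except ValueError:
        return None
    if any(not 0 <= v <= 255 for v in values):
        return None
    values.reverse()                      # labels are in reverse octet order
    padded = values + [0] * (4 - len(values))
    prefix = 8 * len(values)              # each label present fixes one octet
    return ipaddress.ip_network(f"{'.'.join(map(str, padded))}/{prefix}")


def is_rfc1918_reverse(qname):
    """True if the reverse name lies entirely inside an RFC 1918 block.

    A partial name such as '172.in-addr.arpa' covers public space too, so it
    is not flagged; '16.172.in-addr.arpa' is.
    """
    net = reverse_name_to_network(qname)
    return net is not None and any(net.subnet_of(priv) for priv in RFC1918_NETS)


def local_zone_for(qname):
    """Which of LOCAL_REVERSE_ZONES should have answered this name (None if none)."""
    name = qname.rstrip(".").lower()
    for zone in LOCAL_REVERSE_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def leaked_queries(log_text):
    """Return (client, qname, qtype, local_zone) for each RFC 1918 reverse lookup."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        if is_rfc1918_reverse(qname):
            leaks.append((m.group("client"), qname, m.group("qtype"), local_zone_for(qname)))
    return leaks


if __name__ == "__main__":
    for client, qname, qtype, zone in leaked_queries(SAMPLE_LOG):
        print(f"{client} asked {qtype} {qname}; should be served locally from {zone}")
```

Run against a real query log, any hit means a resolver in the path is forwarding private-space reverse lookups upstream; the fix is the one the post names, serving the listed zones on the internal resolver. The query for 6.48.175.192.in-addr.arpa is deliberately not flagged: 192.175.48.0/24 is the public block the blackhole servers themselves sit in, not RFC 1918 space.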