Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Why is RFC1918 space in public DNS evil?

  • From: Michael Nicks
  • Date: Mon Sep 18 09:08:22 2006

Likewise our inbound sanity route-maps deny all RFC1918 space.

--
Michael Nicks
Network Engineer
KanREN
e: mtnicks@kanren.net
o: +1-785-856-9800 x221
m: +1-913-378-6516



Simon Waters wrote:
On Monday 18 Sep 2006 07:40, you wrote:
I know the common wisdom is that putting 192.168 addresses in a public
zonefile is right up there with kicking babies who have just had their
candy stolen, but I'm really struggling to come up with anything more
authoritative than "just because, now eat your brussel sprouts".
I believe it is simply because the address isn't globally unique, so you may connect to the wrong server.

So they use in "internal.example.com" and get 192.168.0.1

They then terminate the VPN, try something that should connect to this server, and send their credentials (not over the VPN, so not encrypted perhaps) to some other server that promptly snaffles them (all untrusted servers are assumed to run honeypots, and password grabbing tools, at the very least).

Of course including the DNS inside the VPN doesn't stop the addresses being not unique. I'm guessing the logic here is that one must flush ones DNS after disconnecting from a VPN that uses RFC1918 address space, and/or block RFC1918 addresses at routers (including client VPN hosts or routers) so that you don't accidentally connect to the wrong network unless a specific route is connected.

I normally block RFC1918 at routers, ever since I found a Windows box sending weird traffic to 10.0.0.1 for reasons I never managed to decipher, other than it could. Of course my ISP both used, and routed 10.0.0.1 somewhere, so this random stray traffic was going somewhere (I know not where to this day).

How this works out for people connection via Wireless lans, which seem invariably to use 192.168.0.0/24, I'm not sure, but since you read the RFC and used a random chunk of 10/8 internally you don't care, right?








Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.