shadow namespace?

Joseph S D Yao jsdy at center.osis.gov
Thu Oct 10 03:41:13 UTC 2002


On Wed, Oct 09, 2002 at 04:30:53PM -0700, Jeff Lasman wrote:
...
> The domain is nobaloney.net.  I've got public services, and private
> machine names.  For example, www, mail, pop, etc., have published
> internet-accessible IP#s, while machine names, such as jesse, elijah,
> joshua, etc., have private IP#s.  It seems very convenient to me to just
> list them all in my publically accessible zone-file.  Just what in the
> way of security, or anything else, am I giving up, with this technique?
...

You can do that.  If you have nothing tempting, then it doesn't matter.
However, if you do have something tempting, then this would be putting
temptation out on the 'Net.  Face it, this kind of obscurity just keeps
honest people honest.  But that's worth something.

Also, it sounds like you have all of your "important" hosts on the DMZ,
where they're vulnerable anyway, or perhaps just not NATted.  If you
have a true proxy firewall, the external MX record for your domain will
be different from the internal one.  The name servers will be
different.  As will the IP addresses of your firewall bastion hosts,
etc.

If you have private IP addresses on the public Internet, there is also
the possibility that someone will try to get to one of them ... or that
you will someday by accident [unless you are He Who Does Not Have Any
Accidents] assign a private IP address to something that has a public
function.  Both will cause unexpected things to happening, violating
the Law of Least Surprise.

HTH.

-- 
Joe Yao				jsdy at center.osis.gov - Joseph S. D. Yao
OSIS Center Systems Support					EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.


More information about the bind-users mailing list