rfc1918 ns records coming from internet are queried?

David Sparks dave at ca.sophos.com
Wed Nov 26 18:43:15 UTC 2008


>> I'm looking for a way to set a policy that named won't query
>> rfc1918 nameserver addresses returned from a non-rfc1918 query.
>> Would this be a bad policy?
> 
> You could use netmasks with your server statements, like this:
> 
> server 10.0.0.0/8 {
>         bogus yes;
> };
> 
> server 172.16.0.0/12 {
>         bogus yes;
> };
> 
> server 192.168.0.0/16 {
>         bogus yes;
> };
> 
> You could even then override this for specific servers in those
> ranges, by using statements without netmasks (or more specific
> netmasks).

Thanks, that is a workaround that solves most of the problem, but
unfortunately it is not usable.  It requires that a list of the local
organization's DNS servers be maintained, which is unfeasible (large, global,
disparate organization).  Also, IP collision between local DNS servers and
rogue rfc1918 responses will still send queries to the local DNS servers.


A good border router will do a few things for network hygiene.  It will filter
incoming packets that have a source address from the internal network, and it
will filter outgoing packets that don't have a source IP in the internal network.

A DNS server should do a similar thing: it will not send rfc1918 queries to
the internet, and it will discard rfc1918 responses from the internet.

It appears Bind can't do this and I'm fine with that.  This email is simply to
clear up any confusion about what the issue is.

ds
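The policy the post asks for, as an added example that is not part of the original message or of BIND itself: a small resolver-side check that classifies the server a referral came from and the glue addresses it carries, and discards RFC 1918 glue only when the responder is on the internet. Deciding on the responder's address rather than on a maintained list of local nameservers is what the post says the `server ... { bogus yes; }` workaround cannot do. The referral data and addresses below are constructed sample input, and `filter_glue`/`is_rfc1918` are names chosen here.

```python
import ipaddress
from typing import Dict, List, Tuple

# RFC 1918 private space.  The three "server ... { bogus yes; }" blocks in the
# quoted reply cover exactly these networks.
RFC1918_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def filter_glue(
    responder: str, glue: Dict[str, List[str]]
) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Apply the policy described in the thread to one referral.

    responder: the address the referral response came from.
    glue:      NS name -> A records (glue) carried in that response.

    If the responder is outside RFC 1918 space (on the internet), every glue
    address inside RFC 1918 space is discarded so the resolver never sends a
    follow-up query to it.  If the responder is itself internal, private glue
    is kept, which gives the "override for specific servers" from the quoted
    reply without maintaining a list of local nameservers, and without the
    address-collision problem the post describes.
    Returns (usable glue, discarded (ns, addr) pairs for logging).
    """
    if is_rfc1918(responder):
        return {ns: list(addrs) for ns, addrs in glue.items()}, []
    usable: Dict[str, List[str]] = {}
    discarded: List[Tuple[str, str]] = []
    for ns, addrs in glue.items():
        kept = [a for a in addrs if not is_rfc1918(a)]
        discarded.extend((ns, a) for a in addrs if is_rfc1918(a))
        if kept:
            usable[ns] = kept
    return usable, discarded


# Constructed sample referral: one public and one private glue address.
SAMPLE_GLUE = {
    "ns1.example.invalid": ["198.51.100.53"],
    "ns2.example.invalid": ["10.1.2.3"],
}


def demo():
    """Same referral seen from an internet responder and from an internal one."""
    from_internet = filter_glue("203.0.113.7", SAMPLE_GLUE)
    from_inside = filter_glue("10.0.0.53", SAMPLE_GLUE)
    return from_internet, from_inside


if __name__ == "__main__":
    (usable, dropped), (usable_in, dropped_in) = demo()
    print("from internet: usable", usable, "dropped", dropped)
    print("from inside:   usable", usable_in, "dropped", dropped_in)
```

Run as-is, the first line shows the private glue for `ns2.example.invalid` dropped because the responder was a public address, while the second keeps both entries because the referral came from inside RFC 1918 space. The discarded list is the hook for logging, which is where a practitioner would look to spot rogue responses that carry private addresses.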
