rfc1918 ns records coming from internet are queried?
Chris Buxton
cbuxton at menandmice.com
Wed Nov 26 19:00:59 UTC 2008
The queries from the resolver to internal name servers caused by
incorrect referrals for outside domains *should* cause no harm.
However, if you're concerned, it's pretty easy to set up a more secure
infrastructure. Put a resolver (resolving name server) at the edge of
your network (in a DMZ, presumably) that knows nothing of internal
domains (nor IP address space). It refuses to send queries to private
addresses, but will answer queries coming from them. Then set up an
internal resolver that knows about your private namespace; for any
outside domains, it forwards to the server on the edge of your
network. Have client machines send queries to the internal resolver,
not to the edge resolver.
This way, there is complete separation between inside and outside
resolution. A referral from an outside domain with a glue record
pointing inside is ignored.
Chris Buxton
Professional Services
Men & Mice
On Nov 26, 2008, at 10:43 AM, David Sparks wrote:
>>> I'm looking for a way to set a policy that named wont
>>> query
>>> rfc1918 nameserver addresses returned from a non-rfc1918 query.
>>> Would this be
>>> a bad policy?
>>
>> You could use netmasks with your server statements, like this:
>>
>> server 10.0.0.0/8 {
>> bogus yes;
>> };
>>
>> server 172.16.0.0/12 {
>> bogus yes;
>> };
>>
>> server 192.168.0.0/16 {
>> bogus yes;
>> };
>>
>> You could even then override this for specific servers in those
>> ranges, by using statements without netmasks (or more specific
>> netmasks).
>
> Thanks, that is a workaround that solves most of the problem, but
> unfortunately it is not usable. It requires that a list of the local
> organizations dns servers are maintained which is unfeasible (large,
> global,
> disparate organization). Also, IP collision between local dns
> servers and
> rogue rfc1918 responses will still send queries to the local dns
> servers.
>
>
> A good border router will do a few things for network hygiene. It
> will filter
> incoming packets that have a source address from the internal
> network, and it
> will filter outgoing packets that don't have a source IP in the
> internal network.
>
> A DNS server should do a similar thing: it will not send rfc1918
> queries to
> the internet, and it will discard rfc1918 responses from the internet.
>
> It appears Bind can't do this and I'm fine with that. This email is
> simply to
> clear up any confusion about what the issue is.
>
> ds
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list