rfc1918 ns records coming from internet are queried?

Chris Buxton cbuxton at menandmice.com
Wed Nov 26 19:00:59 UTC 2008


The queries from the resolver to internal name servers caused by
incorrect referrals for outside domains *should* cause no harm.

However, if you're concerned, it's pretty easy to set up a more secure
infrastructure. Put a resolver (resolving name server) at the edge of
your network (in a DMZ, presumably) that knows nothing of internal
domains (nor IP address space). It refuses to send queries to private
addresses, but will answer queries coming from them. Then set up an
internal resolver that knows about your private namespace; for any
outside domains, it forwards to the server on the edge of your
network. Have client machines send queries to the internal resolver,
not to the edge resolver.

This way, there is complete separation between inside and outside
resolution. A referral from an outside domain with a glue record
pointing inside is ignored.

Chris Buxton
Professional Services
Men & Mice

On Nov 26, 2008, at 10:43 AM, David Sparks wrote:

>>> I'm looking for a way to set a policy that named won't query
>>> rfc1918 nameserver addresses returned from a non-rfc1918 query.
>>> Would this be a bad policy?
>>
>> You could use netmasks with your server statements, like this:
>>
>> server 10.0.0.0/8 {
>>        bogus yes;
>> };
>>
>> server 172.16.0.0/12 {
>>        bogus yes;
>> };
>>
>> server 192.168.0.0/16 {
>>        bogus yes;
>> };
>>
>> You could even then override this for specific servers in those
>> ranges, by using statements without netmasks (or more specific
>> netmasks).
>
> Thanks, that is a workaround that solves most of the problem, but
> unfortunately it is not usable.  It requires that a list of the local
> organization's DNS servers be maintained, which is unfeasible (large,
> global, disparate organization).  Also, IP collision between local DNS
> servers and rogue rfc1918 responses will still send queries to the local
> DNS servers.
>
>
> A good border router will do a few things for network hygiene.  It will
> filter incoming packets that have a source address from the internal
> network, and it will filter outgoing packets that don't have a source IP
> in the internal network.
>
> A DNS server should do a similar thing: it will not send rfc1918 queries
> to the internet, and it will discard rfc1918 responses from the internet.
>
> It appears BIND can't do this and I'm fine with that.  This email is
> simply to clear up any confusion about what the issue is.
>
> ds
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
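The split edge/internal arrangement Chris describes, written out as two named.conf fragments. This is an example added to the archived thread, not configuration posted by either participant. The addresses 192.0.2.10 (edge resolver in the DMZ) and 10.0.0.53 (internal resolver), the internal domain corp.example and the zone file names are all assumptions chosen for illustration. The edge fragment reuses the "server ... { bogus yes; }" statements quoted in the thread so that named never sends a query to RFC 1918 space regardless of what a referral or glue record says; the "deny-answer-addresses" line is a later BIND feature (9.7 and newer) that additionally discards A/AAAA answers carrying private addresses, and did not exist when this thread was written.

```conf
// ===== Edge resolver, /etc/named.conf on 192.0.2.10 in the DMZ =====
// Example added to this thread; address is an assumption. This host
// carries no internal zones and no internal reverse zones at all.
options {
    directory "/var/named";
    listen-on { 192.0.2.10; };
    recursion yes;
    // Answer queries that come FROM private space (the internal
    // resolver) and from the DMZ itself, nobody else.
    allow-query     { 10.0.0.53/32; 192.0.2.0/24; };
    allow-recursion { 10.0.0.53/32; 192.0.2.0/24; };
    // BIND 9.7+ only: also drop A/AAAA answers that point into private
    // space (rebinding protection). Nothing this host should resolve
    // lives there, so there is no except-from list.
    deny-answer-addresses { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
};
// ...but never send a query TO a private address, whatever an outside
// referral or glue record claims. "server" statements govern outbound
// queries only, so they do not affect answering the clients above.
server 10.0.0.0/8     { bogus yes; };
server 172.16.0.0/12  { bogus yes; };
server 192.168.0.0/16 { bogus yes; };
// Only the edge resolver walks the Internet tree.
zone "." { type hint; file "named.root"; };

// ===== Internal resolver, /etc/named.conf on 10.0.0.53 =====
// Example added to this thread; address and corp.example are
// assumptions. This is the only server clients are pointed at.
options {
    directory "/var/named";
    listen-on { 10.0.0.53; };
    recursion yes;
    allow-query     { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    allow-recursion { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    // Anything not served from a local zone goes to the edge resolver.
    // "forward only" means this host never contacts Internet servers
    // itself, so no root hints are needed here.
    forward only;
    forwarders { 192.0.2.10; };
};
// The private namespace, forward and reverse, is answered locally, so
// corp.example and 10.in-addr.arpa lookups never reach the edge.
zone "corp.example"    { type master; file "corp.example.zone"; };
zone "10.in-addr.arpa" { type master; file "10.in-addr.arpa.zone"; };
```

Validate each file with named-checkconf before reloading. With this layout a rogue NS record for an outside domain that points at 10.x.y.z is only ever seen by the edge resolver, which has been told that every server in that range is bogus; the internal resolver never sees the referral at all because it forwards the whole query and receives only the final answer.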