rfc1918 ns records coming from internet are queried?

ivan jr sy ivan_jr at yahoo.com
Fri Nov 28 20:01:27 UTC 2008


This might also help:

http://code.google.com/p/google-dnswall

In a nutshell, it's like a DNS proxy server; you can use it to forward to BIND, sitting between your clients and your internal BIND servers.

It filters:
- Invalid IP address: an IP address that starts with 0; i.e. 0.x.x.x
- Node-Local IP address: 127.x.x.x
- Link-Local IP address: 169.254.x.x
- Site-Local IP address: 10.x.x.x, 172.x.x.x, 192.168.x.x
- Multicast IP address: 224.x.x.x


"DNSWall is a proof-of-concept (PoC) tool developed by some security researchers from Stanford University as a protection mechanism against DNS rebinding attacks."

http://securebits.org/blog/blog.php/2008/10/15/dnswall-a-protection-mechanism-against-d


--- On Fri, 11/28/08, David Sparks <dave at ca.sophos.com> wrote:

> From: David Sparks <dave at ca.sophos.com>
> Subject: Re: rfc1918 ns records coming from internet are queried?
> To: "bind-users at isc.org" <bind-users at isc.org>
> Date: Friday, November 28, 2008, 8:29 AM
> Thanks, the suggestion below looks like it might be what
> I'm looking for.
> 
> ds
> 
> > You can in fact set up the environment I described using views. Just
> > have the private view forward to the internet view. The following
> > resolving name server will ignore referrals to private name servers
> > for outside names; note that it's missing the masters list definition
> > named "private-auth-servers", plus the options statement, but is
> > otherwise complete.
> > 
> > acl "private" {
> >         10/8;
> >         172.16/12;
> >         192.168/16;
> >         # does not include 127/8
> > };
> > view "private" {
> >         match-clients { private; };
> >         # forward unknown names to the internet view:
> >         forward only;
> >         forwarders { 127.0.0.1; };
> >         # stub, slave, or forward zones for the private namespace:
> >         zone "private.zone" {
> >                 type stub;
> >                 masters { private-auth-servers; };
> >                 file "stub.private.zone";
> >                 forwarders { }; # disable forwarding for stub zones
> >         };
> > };
> > view "internet" {
> >         server 10/8 { bogus yes; };
> >         server 172.16/12 { bogus yes; };
> >         server 192.168/16 { bogus yes; };
> >         allow-query { 127.0.0.1; };
> > };
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
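Added example, not part of this thread and not dnswall's code: a small Python filter that does what the dnswall description above and the `bogus yes` view trick in the quoted configuration both aim at, keeping private and special-use addresses out of what an internal client ever sees. It walks the answer, authority and additional sections of a raw DNS response, drops every A/AAAA record whose address falls in a blocked range (including glue for a name server that lives in RFC1918 space), and re-encodes the surviving names without compression so that removing a record cannot leave a dangling compression pointer in a record that follows it. The exact blocked ranges (172.16/12 rather than all of 172.x.x.x, plus IPv6 equivalents), the record types handled for pointer expansion, and the sample response are my assumptions; dnswall's real rules and wire handling may differ.

```python
"""Added example (not dnswall's or the thread's code): drop private / special
addresses from a DNS response, the way a DNS "wall" in front of BIND would.
Surviving names are re-encoded uncompressed so that removing a record cannot
invalidate compression pointers in later records. Ranges below are assumed."""
import ipaddress
import struct

A, NS, CNAME, PTR, MX, AAAA = 1, 2, 5, 12, 15, 28
# Blocked ranges: the categories listed in the post, with 172.16/12 (not all of
# 172/8) for site-local and IPv6 equivalents added as an assumption.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]

def to_ip(rdata):
    """Packed A/AAAA rdata -> ip_address, or None if the length is wrong."""
    try:
        return ipaddress.ip_address(bytes(rdata))
    except ValueError:
        return None

def is_blocked(rdata):
    ip = to_ip(rdata)
    return ip is None or any(ip in net for net in BLOCKED)  # malformed = blocked

def read_name(msg, off):
    """Return (labels, offset past the name), following compression pointers."""
    labels, end = [], None
    for _ in range(256):                          # guard against pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: 11xxxxxx xxxxxxxx
            end = end if end is not None else off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return labels, (off if end is None else end)
        labels.append(msg[off:off + length])
        off += length
    raise ValueError("compression pointer loop")

def encode_name(labels):
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def name_text(labels):
    return ".".join(l.decode("ascii") for l in labels)

def expand_rdata(msg, off, rtype, rdlen):
    """Copy rdata with pointers expanded for the types that may carry them."""
    if rtype in (NS, CNAME, PTR):
        return encode_name(read_name(msg, off)[0])
    if rtype == MX:                               # preference, then exchange name
        return msg[off:off + 2] + encode_name(read_name(msg, off + 2)[0])
    return msg[off:off + rdlen]

def iter_records(msg):
    """Yield (section, owner_labels, rtype, rclass, ttl, rdata_off, rdlen)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4          # skip QNAME, QTYPE, QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            labels, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            yield section, labels, rtype, rclass, ttl, off, rdlen
            off += rdlen

def filter_response(msg):
    """Return (rewritten response, [(owner, section, address) that were dropped])."""
    out, off = bytearray(msg[:12]), 12
    for _ in range(struct.unpack("!H", msg[4:6])[0]):   # copy questions, uncompressed
        labels, off = read_name(msg, off)
        out += encode_name(labels) + msg[off:off + 4]
        off += 4
    counts, dropped = {"answer": 0, "authority": 0, "additional": 0}, []
    for section, labels, rtype, rclass, ttl, roff, rdlen in iter_records(msg):
        rdata = msg[roff:roff + rdlen]
        if rtype in (A, AAAA) and is_blocked(rdata):
            dropped.append((name_text(labels), section, str(to_ip(rdata))))
            continue
        rdata = expand_rdata(msg, roff, rtype, rdlen)
        out += encode_name(labels) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
        counts[section] += 1
    struct.pack_into("!HHH", out, 6, counts["answer"], counts["authority"], counts["additional"])
    return bytes(out), dropped

def list_addresses(msg):
    """(owner, address) for every A/AAAA record, for inspecting a response."""
    return [(name_text(l), str(to_ip(msg[o:o + n])))
            for _, l, t, _, _, o, n in iter_records(msg) if t in (A, AAAA)]

def section_counts(msg):
    return struct.unpack("!HHH", msg[6:12])       # ANCOUNT, NSCOUNT, ARCOUNT

def _rr(owner, rtype, rdata, ttl=60):
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed sample (not a capture): answer to "www.example.test A?" whose
# compression pointers (0xC0 xx) reference earlier offsets as a resolver would.
SAMPLE = (
    b"\x12\x34\x81\x80" + struct.pack("!HHHH", 1, 3, 1, 2)
    + b"\x03www\x07example\x04test\x00" + struct.pack("!HH", A, 1)     # question at offset 12
    + _rr(b"\xc0\x0c", CNAME, b"\x03int\xc0\x10")       # www CNAME int.example.test ("int" at 46)
    + _rr(b"\xc0\x2e", A, bytes([10, 0, 0, 5]))         # int A 10.0.0.5       -> dropped
    + _rr(b"\xc0\x2e", A, bytes([198, 51, 100, 7]))     # int A 198.51.100.7   -> kept
    + _rr(b"\xc0\x10", NS, b"\x03ns1\xc0\x10")          # example.test NS ns1 ("ns1" at 96)
    + _rr(b"\xc0\x60", A, bytes([192, 168, 1, 1]))      # ns1 A 192.168.1.1 glue -> dropped
    + _rr(b"\xc0\x60", AAAA, ipaddress.ip_address("2001:db8::1").packed))  # -> kept
```

The owner names of the second and third answers point into the first answer's rdata, and the glue records point into the NS record; a filter that simply cut bytes out of the packet would leave those pointers aimed at the wrong place, which is why the rewrite expands every name it keeps. In a real deployment this function sits in the UDP/TCP proxy loop between clients and the resolver, and the `dropped` list is what you log: a steady stream of public names resolving into 10/8 or 192.168/16 is the signature of a rebinding attempt, or of a misconfigured zone.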