Authoritative dns with private IP for hostname

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Fri Jul 27 16:23:53 UTC 2018


RFC 1918 forbade the publishing of private addresses outside of the enterprise:

"Indirect references to [private] addresses should be contained within the
enterprise. Prominent examples of such references are DNS Resource
Records and other information referring to internal private
addresses. In particular, Internet service providers should take
measures to prevent such leakage."

Having said that, however, BIND doesn't prevent you publishing such addresses to the Internet, since it doesn't really know -- *cannot* know, in advance -- whether the data is going to be queried from the Internet or not.

I'm not aware of ISPs that filter customer DNS traffic for RFC 1918 addresses either.

As Greg pointed out, the addresses aren't going to be routable anyway, but even in the absence of routability, there are Information Security concerns: if someone -- let's call them a business partner -- trusts your DNS *domain*, and you publish private addresses associated with names in that domain, then a malicious actor could potentially exploit that trust to gain access to the business partner's resources, e.g. trick their browser into connecting to an internal resource on their network, that happens to have the same private address as what you published. Business partner trusts example.com (your domain), nat.example.com resolves to 10.1.1.1, malicious actor redirects a website reference to nat.example.com (which you trust) and this gives them unintentional, unauthorized access to 10.1.1.1 on business partner's network.

The basic Information Security problem with private addresses is that they are *non-unique*. This introduces ambiguity, and ambiguity produces surprises and can be exploited. Best to keep everything to do with private addresses and private namespaces within your own organization (and yes, I understand the general trend towards "eliminating the perimeter", but this needs to be done in a methodical, careful way).

- Kevin
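Since, as Kevin notes above, BIND will not stop you loading private addresses into a public zone, the check has to happen before the zone is published. The following is an added example written for this page (not code from the thread, from ISC or from BIND): a small pre-publish audit that parses a zone file and flags A/AAAA records in RFC 1918 and other non-public ranges. The zone text, names and addresses are constructed (documentation values plus the 10.1.1.1 case from the thread).

```python
import ipaddress

# Ranges that have no business in a zone served to the Internet.
NON_PUBLIC = [("RFC 1918 private", n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NON_PUBLIC += [("IPv6 unique local", "fc00::/7"), ("link-local", "169.254.0.0/16"),
               ("link-local", "fe80::/10"), ("loopback", "127.0.0.0/8"), ("loopback", "::1/128")]
_NETS = [(label, ipaddress.ip_network(net)) for label, net in NON_PUBLIC]

def classify(addr):
    """Label of the non-public range containing addr, else None."""
    ip = ipaddress.ip_address(addr)   # raises ValueError on malformed RDATA
    for label, net in _NETS:
        if ip.version == net.version and ip in net:
            return label
    return None

def audit_zone(zone_text, origin):
    """Return (fqdn, address, label) for each A/AAAA record with a non-public address."""
    findings, owner = [], origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop ';' comments
        if not line.strip():
            continue
        if line.startswith("$"):                      # $ORIGIN, $TTL, $INCLUDE
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = line.split()
        if not raw[0].isspace():                      # explicit owner column
            owner = fields.pop(0)
            if not owner.endswith("."):
                owner = origin if owner == "@" else f"{owner}.{origin}"
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH")):
            fields.pop(0)                             # skip optional TTL / class
        if len(fields) >= 2 and fields[0].upper() in ("A", "AAAA"):
            if label := classify(fields[1]):
                findings.append((owner, fields[1], label))
    return findings

# Constructed sample zone: documentation addresses plus three leaked records.
SAMPLE_ZONE = """\
$ORIGIN example.com.
www      IN A    198.51.100.80
         IN AAAA 2001:db8::80
nat      IN A    10.1.1.1        ; the record discussed in the thread
intranet 300 IN A 192.168.5.20
printer  IN AAAA fd12:3456::1
"""

if __name__ == "__main__":
    print(*audit_zone(SAMPLE_ZONE, "example.com."), sep="\n")
```

A non-empty result from audit_zone is the signal to stop the zone from reaching an Internet-facing server; records pointing at 2001:db8::/32 or other documentation space are deliberately not flagged.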


-----Original Message-----
From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Greg Rivers
Sent: Friday, July 27, 2018 12:07 PM
To: Elias Pereira <empbilly at gmail.com>
Cc: bind-users at lists.isc.org
Subject: Re: Authoritative dns with private IP for hostname

On Friday, July 27, 2018 12:59:42 Elias Pereira wrote:
> Can an authoritative dns for a domain, eg mydomain.tdl, have a 
> hostname, example, wordpress.mydomain.tdl with a private IP?
> 
Yes, but that won't be useful outside of your LAN.

> Would this be accessible from the internet via hostname, if I did a 
> nat on the firewall?
>
No, by definition, private addresses are not routable on the Internet.

--
Greg Rivers
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users