Authoritative dns with private IP for hostname

Darcy Kevin (FCA) kevin.darcy at
Fri Jul 27 16:23:53 UTC 2018

RFC 1918 forbade the publishing of private addresses outside of the enterprise:

"Indirect references to [private] addresses should be contained within the
enterprise. Prominent examples of such references are DNS Resource
Records and other information referring to internal private
addresses. In particular, Internet service providers should take
measures to prevent such leakage."

Having said that, however, BIND doesn't prevent you publishing such addresses to the Internet, since it doesn't really know -- *cannot* know, in advance -- whether the data is going to be queried from the Internet or not.

I'm not aware of ISPs that filter customer DNS traffic for RFC 1918 addresses either.

As Greg pointed out, the addresses aren't going to be routable anyway, but even in the absence of routability, there are Information Security concerns: if someone -- let's call them a business partner -- trusts your DNS *domain*, and you publish private addresses associated with names in that domain, then a malicious actor could potentially exploit that trust to gain access to the business partner's resources, e.g. trick their browser into connecting to an internal resource on their network that happens to have the same private address as what you published. Business partner trusts (your domain), resolves to, malicious actor redirects a website reference to (which you trust) and this gives them unintentional, unauthorized access to on business partner's network.

The basic Information Security problem with private addresses is that they are *non-unique*. This introduces ambiguity, and ambiguity produces surprises and can be exploited. Best to keep everything to do with private addresses and private namespaces within your own organization (and yes, I understand the general trend towards "eliminating the perimeter", but this needs to be done in a methodical, careful way).

- Kevin
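A pre-publication check for the leakage Kevin describes, as an added example that is not part of the thread: it walks a BIND-style zone file and flags A/AAAA records whose rdata falls in RFC 1918 space (or its IPv6 analogue, fc00::/7). The sample zone, hostnames and addresses are constructed for illustration.

```python
"""Audit a BIND-style zone for RFC 1918 / ULA addresses before it is served to the Internet."""
import ipaddress

# Address space that must stay inside the enterprise (RFC 1918 for IPv4, RFC 4193 ULA for IPv6).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample zone; "wordpress" mirrors the record asked about in the thread.
SAMPLE_ZONE = """\
$ORIGIN mydomain.tdl.
$TTL 3600
@           IN SOA  ns1.mydomain.tdl. hostmaster.mydomain.tdl. 2018072701 7200 900 1209600 3600
@           IN NS   ns1.mydomain.tdl.
ns1         IN A    203.0.113.10
www         IN A    203.0.113.20
wordpress   IN A    192.168.1.50     ; only reachable on the LAN
intranet    IN AAAA fd12:3456:789a::10
"""

def parse_address_records(zone_text):
    """Yield (owner, rrtype, address) for A/AAAA records, qualifying relative owners with $ORIGIN."""
    origin, last_owner = ".", None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                       # $TTL and other directives
            continue
        fields = line.split()
        owner = last_owner if raw[0].isspace() else fields.pop(0)   # blank owner = previous owner
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                              # optional TTL and class
        if len(fields) >= 2 and fields[0].upper() in ("A", "AAAA"):
            yield owner, fields[0].upper(), fields[1]

def find_private_records(zone_text):
    """Return [(owner, rrtype, address)] for every record pointing into private address space."""
    leaks = []
    for owner, rrtype, addr in parse_address_records(zone_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                                   # malformed rdata is a separate problem
        if any(ip in net for net in PRIVATE_NETS):
            leaks.append((owner, rrtype, addr))
    return leaks

if __name__ == "__main__":
    for owner, rrtype, addr in find_private_records(SAMPLE_ZONE):
        print(f"{owner} {rrtype} {addr}: private address, keep this record in an internal view")
```

Records the audit flags belong in an internal-only zone or view rather than in the public zone.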

-----Original Message-----
From: bind-users <bind-users-bounces at> On Behalf Of Greg Rivers
Sent: Friday, July 27, 2018 12:07 PM
To: Elias Pereira <empbilly at>
Cc: bind-users at
Subject: Re: Authoritative dns with private IP for hostname

On Friday, July 27, 2018 12:59:42 Elias Pereira wrote:
> Can an authoritative dns for a domain, eg mydomain.tdl, have a 
> hostname, example, wordpress.mydomain.tdl with a private IP?
Yes, but that won't be useful outside of your LAN.

> Would this be accessible from the internet via hostname, if I did a 
> nat on the firewall?
No, by definition, private addresses are not routable on the Internet.

Greg Rivers