Queries regarding forwarders

Grant Taylor gtaylor at tnetconsulting.net
Thu Oct 25 21:34:36 UTC 2018


On 10/25/2018 03:25 PM, Lee wrote:
> I feel like I'm missing something :(

I'll see if I can fill in below.

> I read this 
> https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 
> and used RPZ to block anything coming from outside that might be an 
> internal address.

I'll read that and reply later if I feel it's warranted.

> I'm missing what filtering out things like benchmarking & documentation 
> network addrs gets you beyond maybe saving some bandwidth?

Probably not much for most people.

I do use all sorts of IP ranges (test networks extensively) in my home / 
lab networks.  So I'd really rather external things not resolve to an 
address that I may be using.  But that's me being atypical.

> Same deal with using RPZ to block IPv4 BOGONs.  What does RPZ blocking 
> get you that you don't get by blocking them on your edge routers?

Defense in depth.

It's more of an exercise of can it be done.  Read:  Can I concoct 
something that will receive a feed from Team Cymru's BGP Bogon Route Server 
and turn it into an RPZ.



-- 
Grant. . . .
unix || die
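
Added example, not part of the original message: one way to do the encoding step of the bogon-list-to-RPZ idea above, turning prefixes into RPZ response-IP (`rpz-ip`) trigger records. It assumes the feed has already been reduced to one IPv4 CIDR prefix per line; the sample list, function names and SOA/NS values are constructed for illustration.

```python
import ipaddress

# Constructed sample feed (one prefix per line), not a live bogon list.
SAMPLE_FEED = """\
10.0.0.0/8
192.168.0.0/16
192.168.1.0/24   # already covered by the /16 above
192.0.2.17/24    # host bits set; normalised to 192.0.2.0/24
198.18.0.0/15
not-a-prefix
2001:db8::/32
"""

def parse_prefixes(text):
    """Return (collapsed IPv4 networks, rejected lines)."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False clears host bits so the trigger names the network address
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            net = None
        # IPv4 only here; RPZ prefix lengths start at 1, so /0 is rejected too
        if net is None or net.version != 4 or net.prefixlen == 0:
            rejected.append(line)
        else:
            nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected

def rpz_ip_owner(net):
    """Encode a network as prefixlength.B4.B3.B2.B1.rpz-ip (octets reversed)."""
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"

def build_zone(text, serial=1):
    """Return (zone text, rejected lines); 'CNAME .' is the RPZ NXDOMAIN action."""
    nets, rejected = parse_prefixes(text)
    lines = ["$TTL 300",
             f"@ SOA localhost. hostmaster.localhost. {serial} 3600 600 86400 300",
             "@ NS localhost."]
    lines += [f"{rpz_ip_owner(n)} CNAME ." for n in nets]
    return "\n".join(lines) + "\n", rejected

if __name__ == "__main__":
    zone, rejected = build_zone(SAMPLE_FEED)
    print(zone + "; skipped: " + ", ".join(rejected))
```

Rejected lines are returned rather than silently dropped, so a malformed or unexpected feed entry shows up before the zone is loaded.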
