Why is RFC1918 space in public DNS evil?

Peter Dambier peter at peter-dambier.de
Mon Sep 18 15:57:43 UTC 2006


Matthew Palmer wrote:
> I've been directed to put all of the internal hosts and such into the public
> DNS zone for a client.  My typical policy is to have a subdomain of the zone
> served internally, and leave only the publicly-reachable hosts in the
> public zone.  But this client, having a large number of hosts on RFC1918
> space and a VPN for external people to get to it, is pushing against this
> somewhat.  Their reasoning is that there's no guarantee that forwarding DNS
> down the VPN will work nicely, and it's "overhead".
> 

It can make sense:

I am sending my mails mostly from lumbamba.peter-dambier.de (192.168.48.226)
my router is krzach.peter-dambier.de (192.168.48.2)
my mailer is echnaton.peter-dambier.de (192.168.48.228)

My traceroute looks ok although some of the hosts are RFC1918.
If somebody looks into my email headers they find information that makes
sense although they could not ping the hosts.

As long as you do not allow AXFR, nobody can see the information about
RFC1918 hosts. So there is no risk.

Even if they could get the data via AXFR they could not reach the hosts
behind NAT.

I have seen zones allowing AXFR with lots of RFC1918 hosts. I don't see
any harm.

Leaking routing information would be evil.

> I know the common wisdom is that putting 192.168 addresses in a public
> zonefile is right up there with kicking babies who have just had their candy

It is common wisdom like the lie about spinach being healthy.

(It is told spinach contains iron. Well not much really. They mixed up
milligrams and micrograms. But it does contain oxalic acid, a deadly
poison for babies)

> stolen, but I'm really struggling to come up with anything more
> authoritative than "just because, now eat your Brussels sprouts".  My
> Google-fu isn't working, and none of the reasons I can come up with myself
> sound particularly convincing.  Can someone give a lucid technical
> explanation, or a link, that explains it to me so I can explain it to Those
> In Power?
> 
> Thanks,
> - Matt

Cheers
Peter and Karin

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
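A small audit script, added here as an example and not part of Peter's mail or any NANOG tool, that shows what a public zone file would expose: it walks the zone's A records and lists every owner name that points into RFC1918 space, so an operator can see exactly which internal hostnames a zone publishes before deciding whether that matters. The zone fragment is constructed; the hostnames and 192.168.48.x addresses are the ones Peter lists, the rest are made up.

```python
import ipaddress
import re

# Constructed sample zone fragment (not from the original mail). The
# 203.0.113.0/24 addresses are the documentation range standing in for
# public ones; the 10/8 and 172.16/12 entries are invented.
SAMPLE_ZONE = """\
$ORIGIN peter-dambier.de.
$TTL 3600
@           IN  SOA  ns1 hostmaster 2006091801 3600 900 604800 300
@           IN  NS   ns1
ns1         IN  A    203.0.113.10        ; public
www         IN  A    203.0.113.20
lumbamba    IN  A    192.168.48.226      ; RFC1918, from Peter's mail
krzach      IN  A    192.168.48.2
echnaton    IN  A    192.168.48.228
vpn-gw      IN  A    10.8.0.1
lab         IN  A    172.16.5.9
cname-only  IN  CNAME www
"""

# Explicit RFC1918 blocks rather than ipaddress's is_private, which also
# flags documentation and other special-purpose ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# owner [ttl] [IN] A <dotted quad>; SOA/NS/AAAA/CNAME never match "A " here.
A_RECORD = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE)


def find_rfc1918_records(zone_text, origin=None):
    """Return (fqdn, ip) pairs for A records pointing into RFC1918 space."""
    hits = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip zone-file comments
        if not line or line.startswith("$"):
            if line.upper().startswith("$ORIGIN"):
                origin = line.split()[1]          # later names are relative to it
            continue
        m = A_RECORD.match(line)
        if not m:
            continue
        owner, addr = m.groups()
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in RFC1918):
            if owner == "@":
                fqdn = origin or owner
            elif owner.endswith(".") or not origin:
                fqdn = owner
            else:
                fqdn = f"{owner}.{origin}"
            hits.append((fqdn, str(ip)))
    return hits
```

Running it over SAMPLE_ZONE returns the five internal hosts and nothing else; point it at a real zone dump to see what a permitted AXFR would hand out.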

More information about the NANOG mailing list