Why is RFC1918 space in public DNS evil?

Jim Mercer jim at reptiles.org
Mon Sep 18 12:55:47 UTC 2006

On Mon, Sep 18, 2006 at 08:36:44AM -0400, Daniel Senie wrote:
> At 04:33 AM 9/18/2006, Jim Mercer wrote:
> >if the hosts inside the VPN can only be accessed by hostnames served up 
> >inside
> >the VPN, then it is more likely the users can be confident that their data
> >is actually traversing the VPN.
> >
> >it works, or it don't.
> Or, the user's computer is still caching information. Internet 
> Explorer is does this, and other browsers may as well. I keep a link 
> to a script on my Windows desktop labelled "Flush DNS" and wind up 
> using it often. If the user is accessing sites across the VPN, and as 
> another poster writes the VPN drops, packets containing juicy, 
> private information could well leak out in places people didn't intend.
> As risks go, this might not be too severe in many cases, but if you 
> were doing a security assessment for sarbox or hippa, would you 
> consider it safe? Do the remote sites indeed have filters blocking 
> traffic to/from RFC1918 space that don't traverse the VPN?

maybe ut some null routes on the PC's for the blocks, and have them overridden
when the VPN comes up.  could be done as part of the install of the VPN

[ Jim Mercer        jim at reptiles.org        +971 50 436-3874 ]
[          I want to live forever, or die trying.            ]

More information about the NANOG mailing list