Why is RFC1918 space in public DNS evil?

Gadi Evron ge at linuxbox.org
Mon Sep 18 13:15:40 UTC 2006

On Mon, 18 Sep 2006, Fred Baker wrote:
> > I know the common wisdom is that putting 192.168 addresses in a  
> > public zonefile is right up there with kicking babies who have just  
> > had their candy stolen, but I'm really struggling to come up with  
> > anything more authoritative than "just because, now eat your  
> > brussel sprouts".
> I think the best answer to that is to turn it on its head.
> As Joe points out, exposing interior information unnecessarily is a  
> security risk - leaving a treasure map with "X marks the spot"  
> invites pirates of all sorts. In this case, it is not only exposing  
> interior information (the.host.you.want.to.attack.example.com)  
> unnecessarily, but also in a way that doesn't actually help anyone  
> else. The address of my telephone is But do a  
> traceroute to that address (ar the address of my family computer,  
> which is, and I about guarantee that you will come to a  
> different computer, for the simple reason that you aren't in any of  
> my private domains.

A good illustration would be:

Etc. Which are not necessarily accesible from the orld.

> So putting those addresses in the public DNS actually *only* helps me  
> if I am someone who is bombarding your prophylactic defenses with  
> messages intended to reach your chewy innards. Anyone else has no  
> actual use for the internal addresses.
> I think the right question for your client is: "why exactly did you  
> want to do that?"

More information about the NANOG mailing list