Why is RFC1918 space in public DNS evil?
Michael Nicks
mtnicks at kanren.net
Mon Sep 18 12:58:07 UTC 2006
Likewise our inbound sanity route-maps deny all RFC1918 space.
--
Michael Nicks
Network Engineer
KanREN
e: mtnicks at kanren.net
o: +1-785-856-9800 x221
m: +1-913-378-6516
Simon Waters wrote:
> On Monday 18 Sep 2006 07:40, you wrote:
>> I know the common wisdom is that putting 192.168 addresses in a public
>> zonefile is right up there with kicking babies who have just had their
>> candy stolen, but I'm really struggling to come up with anything more
>> authoritative than "just because, now eat your brussel sprouts".
>
> I believe it is simply because the address isn't globally unique, so you may
> connect to the wrong server.
>
> So they use in "internal.example.com" and get 192.168.0.1
>
> They then terminate the VPN, try something that should connect to this server,
> and send their credentials (not over the VPN, so not encrypted perhaps) to
> some other server that promptly snaffles them (all untrusted servers are
> assumed to run honeypots, and password grabbing tools, at the very least).
>
> Of course including the DNS inside the VPN doesn't stop the addresses being
> not unique. I'm guessing the logic here is that one must flush ones DNS after
> disconnecting from a VPN that uses RFC1918 address space, and/or block
> RFC1918 addresses at routers (including client VPN hosts or routers) so that
> you don't accidentally connect to the wrong network unless a specific route
> is connected.
>
> I normally block RFC1918 at routers, ever since I found a Windows box sending
> weird traffic to 10.0.0.1 for reasons I never managed to decipher, other than
> it could. Of course my ISP both used, and routed 10.0.0.1 somewhere, so this
> random stray traffic was going somewhere (I know not where to this day).
>
> How this works out for people connection via Wireless lans, which seem
> invariably to use 192.168.0.0/24, I'm not sure, but since you read the RFC
> and used a random chunk of 10/8 internally you don't care, right?
More information about the NANOG
mailing list