--- On Thu, 11/27/08, David Sparks <[EMAIL PROTECTED]> wrote:

> From: David Sparks <[EMAIL PROTECTED]>
> Subject: Re: rfc1918 ns records coming from internet are queried?
> To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> Date: Thursday, November 27, 2008, 7:43 AM
> >> I'm looking for a way to set a policy that named won't query
> >> rfc1918 nameserver addresses returned from a non-rfc1918 query.
> >> Would this be a bad policy?
> > 
> > You could use netmasks with your server statements, like this:
> > 
> > server 10.0.0.0/8 {
> >         bogus yes;
> > };
> > 
> > server 172.16.0.0/12 {
> >         bogus yes;
> > };
> > 
> > server 192.168.0.0/16 {
> >         bogus yes;
> > };
> > 
> > You could even then override this for specific servers in those
> > ranges, by using statements without netmasks (or more specific
> > netmasks).
> 
> Thanks, that is a workaround that solves most of the problem, but
> unfortunately it is not usable.  It requires that a list of the local
> organization's dns servers be maintained, which is unfeasible (large,
> global, disparate organization).  Also, IP collision between local dns
> servers and rogue rfc1918 responses will still send queries to the
> local dns servers.
> 
> 
> A good border router will do a few things for network hygiene.  It will
> filter incoming packets that have a source address from the internal
> network, and it will filter outgoing packets that don't have a source
> IP in the internal network.
> 
> A DNS server should do a similar thing: it will not send rfc1918 queries
> to the internet, and it will discard rfc1918 responses from the internet.
> 
> It appears Bind can't do this and I'm fine with that.  This email is
> simply to clear up any confusion about what the issue is.

This is an operational issue. The owner of 'ad.rice.edu' should be responsible for not
publishing RRs pointing to RFC 1918 addresses, especially the glue.

Split DNS or split views should have been done from their end.

> 
> ds
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
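As an added illustration (not code from the thread, from ISC or from BIND itself), the following Python script models the policy discussed above: the quoted `server ... { bogus yes; }` statements for the three RFC 1918 ranges, the more-specific override the first reply mentions, and the IP-collision caveat David raises. The policy table, the whitelisted `10.5.0.53/32` resolver, the `example.org.` zone and its glue addresses are all constructed for the example; `is_bogus` implements longest-prefix matching as an assumed model of how a more specific `server` statement overrides a broader one.

```python
import ipaddress

# RFC 1918 private ranges: the nameserver addresses the thread wants named to refuse to query.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed policy mirroring the quoted server statements: prefix -> bogus flag.
# The /32 entry is a hypothetical internal resolver allowed by a more specific statement.
POLICY = {
    "10.0.0.0/8": True,
    "172.16.0.0/12": True,
    "192.168.0.0/16": True,
    "10.5.0.53/32": False,   # hypothetical override: this one internal server may be queried
}


def is_rfc1918(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def is_bogus(addr, policy=POLICY):
    """Return the bogus flag of the most specific matching policy prefix.

    Assumed model of the override behaviour the thread describes: a more
    specific statement wins. An address matching no statement is not bogus.
    """
    ip = ipaddress.ip_address(addr)
    best_net, best_flag = None, False
    for prefix, flag in policy.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_flag = net, flag
    return best_flag


def audit_referral(zone, glue, policy=POLICY):
    """Classify each (nsname, address) glue record returned for an external zone.

    Returns a dict address -> verdict: 'query' (public address), 'skip:bogus'
    (private address blocked by policy) or 'query:override' (private address
    that a more specific statement still allows; this is the collision case).
    """
    verdicts = {}
    for nsname, addr in glue:
        if is_bogus(addr, policy):
            verdicts[addr] = "skip:bogus"
        elif is_rfc1918(addr):
            verdicts[addr] = "query:override"
        else:
            verdicts[addr] = "query"
    return verdicts


# Constructed sample referral: an external zone whose NS set leaks internal addresses.
SAMPLE_GLUE = [
    ("ns1.example.org.", "198.51.100.10"),   # public address, queried normally
    ("ns2.example.org.", "10.1.2.3"),        # RFC 1918 glue leaked to the internet
    ("ns3.example.org.", "192.168.7.7"),     # RFC 1918 glue leaked to the internet
    ("ns4.example.org.", "10.5.0.53"),       # collides with the whitelisted internal resolver
]

if __name__ == "__main__":
    for addr, verdict in audit_referral("example.org.", SAMPLE_GLUE).items():
        print(f"{addr:16} {verdict}")
```

The last sample record is the point David makes about collisions: once a specific internal resolver is exempted from `bogus yes`, any external referral that happens to carry that same RFC 1918 address is queried, so the exemption list has to be kept small and the leaked glue is still best fixed at the publishing side.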