NT apparently queries the DNS server first, and we're experiencing this
leak because it seems like WINS only comes into play when your query returns
nothing. As I believe it was in the past when you reached the rfc1918
authoritative servers.
regards,
Marcel
James Smith <[EMAIL PROTECTED]> on 04/22/99 03:47:05 AM
To: "'Joseph S D Yao'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], James Smith <[EMAIL PROTECTED]>,
[EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] (bcc:
Marcel Gerardino/CODETEL)
Subject: RE: read-rfc1918-for-details.iana.net
OK you got me, I wrote the original one, and I run an NT network with
Service Pack 4.
I have NO internal DNS - is that so strange for a small company with 50
machines?
So my DNS is not leaking. I believe quite a few commercial packages -
WinGate for one - recommend you use 192.168.x.x on 2 to 8+ machines with
[obviously] no internal DNS.
Shouldn't NT query WINS first for a reverse lookup? That would solve a lot
of problems wouldn't it? For us and IANA!
From RFC 1918:
[Indirect references to such addresses should be contained within
the enterprise. Prominent examples of such references are DNS Resource
Records and other information referring to internal private addresses. In
particular, Internet service providers should take measures to prevent such
leakage. ]
HOW? By stopping all reverse DNS lookups? Not practical is it?
So rfc1918 should require you to have a DNS server? This makes it a lot
more difficult for small companies to implement 1918 addresses; couldn't DNS
servers just 'ignore' these? If I set up a machine with no DNS entries in
TCP/IP and a fixed [1918] address, ping -a resolves names just fine, from
WINS I presume.
I guess it would do the same if it received no response from DNS (like it
always did?).
Or would the best fix for all be:
TCP/IP (in MS NT Environment at least) should be patched to
query WINS first, if available, then,
IF no response is received from WINS
IF and only if the address is NOT rfc1918
query DNS,
(could it query the responder of a ping? I.e. the addressee?, the host?)
ELSE trash the query
That is all, Thanks
James Smith
-----Original Message-----
From: Joseph S D Yao [mailto:[EMAIL PROTECTED]]
Sent: 22 April 1999 00:31
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: read-rfc1918-for-details.iana.net
> > From: James Smith <[EMAIL PROTECTED]>
> >
> > Has anyone picked up on the fact that private (rfc1918) IP addresses
> > suddenly started resolving to read-rfc1918-for-details.iana.net in the
> > last few days?
Yes. This was very useful in picking up the few instances where we had
neglected to provide internal reverse DNS for those addresses. Freaked
some people out, though. They thought that an external agency [whoever
heard of an IANA?] had taken over some of our addressing. ;->

Those addresses are never intended to appear on the Internet. If you
use them, you need to provide FULL support for them, including internal
forward and reverse DNS.

Read RFC 1918 for details. ;-) ;-)
--
Joe Yao [EMAIL PROTECTED] - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
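The resolver order James proposes (WINS first, then DNS, but never send an rfc1918 address out to the Internet) and Joe's point that whoever uses these addresses must serve the reverse zones internally are both easy to state as code. The block below is an added example for this thread, not code from any poster, from Microsoft, or from IANA; the WINS and DNS lookup callbacks are hypothetical stand-ins for a real stub resolver, and the name tables in them are constructed sample data. It goes slightly beyond the thread by also refusing to leak loopback and link-local addresses, and by listing the in-addr.arpa zones an internal server needs to host to cover all three rfc1918 blocks.

```python
"""Reverse-lookup policy for rfc1918 addresses (added example, not from the thread).

The lookup callbacks below are hypothetical; a real deployment would call
the WINS client and the stub resolver. Requires only the standard library.
"""
import ipaddress

# The three rfc1918 blocks.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Addresses nobody on the Internet can answer for: rfc1918 plus loopback and
# link-local (an extension of the thread's proposal, which only names rfc1918).
NON_ROUTABLE_NETS = PRIVATE_NETS + [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def is_rfc1918(ip):
    """True if ip falls in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def ptr_name(ip):
    """The in-addr.arpa owner name a PTR query for ip would carry."""
    return ipaddress.ip_address(ip).reverse_pointer


def local_reverse_zones():
    """Reverse zones an internal DNS server must host so that rfc1918 PTR
    queries are answered (or get NXDOMAIN) without leaving the enterprise.
    Prefix lengths are rounded up to whole octets, so 172.16/12 becomes the
    sixteen zones 16.172.in-addr.arpa through 31.172.in-addr.arpa."""
    zones = []
    for net in PRIVATE_NETS:
        octets = -(-net.prefixlen // 8)  # ceiling division
        for sub in net.subnets(new_prefix=octets * 8):
            labels = str(sub.network_address).split(".")[:octets]
            zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


# Constructed sample tables standing in for WINS, an internal zone and the Internet.
WINS_TABLE = {"192.168.1.10": "FILESRV", "10.0.0.5": "PRINTER1"}
INTERNAL_DNS = {"10.0.0.5": "printer1.corp.example"}   # hypothetical internal zone
EXTERNAL_DNS = {"198.51.100.7": "www.example.net"}     # hypothetical public answer


def wins_lookup(ip):
    return WINS_TABLE.get(ip)


def internal_dns_lookup(ip):
    return INTERNAL_DNS.get(ip)


def external_dns_lookup(ip):
    # Stand-in for a recursive query that leaves the enterprise.
    return EXTERNAL_DNS.get(ip)


def reverse_lookup(ip, wins=wins_lookup, internal_dns=internal_dns_lookup,
                   external_dns=external_dns_lookup, log=None):
    """Resolve ip to a host name in the order proposed in the thread:
    WINS first, then internal DNS, and external DNS only when the address is
    routable. Returns (name_or_None, source); source is 'dropped' when the
    query was discarded instead of being leaked to the Internet."""
    name = wins(ip)
    if name:
        return name, "wins"
    name = internal_dns(ip)
    if name:
        return name, "internal-dns"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NON_ROUTABLE_NETS):
        # Nothing outside can answer authoritatively; asking would only leak
        # the internal address (and, as the thread found, get IANA's placeholder).
        if log is not None:
            log.append("dropped PTR query for " + ptr_name(ip))
        return None, "dropped"
    name = external_dns(ip)
    return name, ("external-dns" if name else "nxdomain")


if __name__ == "__main__":
    audit = []
    for sample in ("192.168.1.10", "10.0.0.5", "192.168.1.99", "198.51.100.7"):
        print(sample, reverse_lookup(sample, log=audit))
    print(audit)
    print(local_reverse_zones())
```

The `log` argument is the piece a firewall administrator would actually watch: every entry in it is a PTR query that, on an unpatched stack, would have gone out to the rfc1918 authoritative servers, so its presence in the audit list points straight at the hosts Joe describes as missing internal reverse DNS.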