On Tue, 16 Mar 2004 11:22:55 EST, Geo. [EMAIL PROTECTED] said:
I'm aware of the issues involved with an ISP passing the requests on to the
root servers but was looking specifically for security type issues relating
to a private network passing the requests out to their ISP's dns servers.
Geo. wrote:
Can anyone point me at any papers that talk about security issues raised by
private networks passing dns requests for RFC 1918 private address space out
to their ISP's dns servers?
I've never seen the whole paper on the topic. Leaking the fact that
you use 10.10.10.0/24 or whatever
Can anyone point me at any papers that talk about security issues raised by
private networks passing dns requests for RFC 1918 private address space out
to their ISP's dns servers?
I'm aware of the issues involved with an ISP passing the requests on to the
root servers but was looking
On 16 Mar 2004, at 13:07, Crist Clark wrote:
The IN-ADDR.ARPA delegations for RFC1918 space are just like any
other block. You'll just end up hitting IANA's blackhole servers,
and not all that much, the cache times are one week.
Also, those blackhole servers are anycast, so they might even be
On 16.03 11:22, Geo. wrote:
Can anyone point me at any papers that talk about security issues raised by
private networks passing dns requests for RFC 1918 private address space out
to their ISP's dns servers?
RFC1918
The IN-ADDR.ARPA delegations for RFC1918 space are just like any
other block. You'll just end up hitting IANA's blackhole servers,
and not all that much, the cache times are one week.
In theory, yes.
In reality there are quite a few resolvers that, apparently, do not
receive the delegation
On Tue, 16 Mar 2004 10:08:28 PST, bill said:
http://www.nanog.org/mtg-0210/wessels.html
has some very good information about some of the
problems w/ leaked queries.
http://as112.net/ has some mitigation strategies.
That mitigates the issue, but fails to deal with
Duane Wessels wrote:
The IN-ADDR.ARPA delegations for RFC1918 space are just like any
other block. You'll just end up hitting IANA's blackhole servers,
and not all that much, the cache times are one week.
In theory, yes.
In reality there are quite a few resolvers that, apparently, do not