North American Network Operators Group

Re: Why is RFC1918 space in public DNS evil?
On Mon, 18 Sep 2006, Fred Baker wrote:

> > I know the common wisdom is that putting 192.168 addresses in a public zonefile is right up there with kicking babies who have just had their candy stolen, but I'm really struggling to come up with anything more authoritative than "just because, now eat your Brussels sprouts".
>
> I think the best answer to that is to turn it on its head.
>
> As Joe points out, exposing interior information unnecessarily is a security risk - leaving a treasure map with "X marks the spot" invites pirates of all sorts. In this case, it is not only exposing interior information (the.host.you.want.to.attack.example.com) unnecessarily, but also in a way that doesn't actually help anyone else. The address of my telephone is 10.32.244.220. But do a traceroute to that address (or the address of my family computer, which is 192.168.1.20), and I about guarantee that you will come to a different computer, for the simple reason that you aren't in any of my private domains.

A good illustration would be:

firewall.*
firewall2.*
radius.*
exchange.*
Etc.

Which are not necessarily accessible from the world.

> So putting those addresses in the public DNS actually *only* helps me if I am someone who is bombarding your prophylactic defenses with messages intended to reach your chewy innards. Anyone else has no actual use for the internal addresses.
>
> I think the right question for your client is: "why exactly did you want to do that?"
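The practical follow-up to this thread is an audit: before a zone is published, find every A record whose rdata sits in RFC 1918 space, since those records leak interior names (firewall, radius, exchange, ...) to the world while being useless to anyone outside the private network. The script below is an added example written for this page; it is not code from the NANOG thread or from any poster. It assumes a BIND-style zone file (`$ORIGIN`, optional TTL and class, relative owner names, `;` comments) and uses a constructed sample zone with TEST-NET-2 (198.51.100.0/24) addresses standing in for the public hosts. It deliberately does not use Python's `is_private`, which also flags loopback, link-local and the documentation ranges and would therefore overstate RFC 1918 hits.

```python
"""Audit a BIND-style zone file for A records that point into RFC 1918 space.

Added example for the NANOG thread "Why is RFC1918 space in public DNS evil?";
not code posted by any participant.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# RFC 1918 private-use ranges, spelled out explicitly. ip_address(...).is_private
# is wider (127/8, 169.254/16, 192.0.2/24, ...) and would mislabel those hits.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample zone (not a real organisation's zone). Public hosts use
# TEST-NET-2; the interior hosts mirror the names mentioned in the thread.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN  SOA   ns1.example.com. hostmaster.example.com. (
                      2006091801 7200 900 1209600 3600 )
@           IN  NS    ns1.example.com.
ns1         IN  A     198.51.100.53
www         IN  A     198.51.100.80
firewall    IN  A     192.168.1.1        ; interior topology, leaked for no benefit
radius      IN  A     10.32.244.10
exchange    IN  A     172.16.5.25
printer     300 IN A  172.31.255.254     ; last address of 172.16/12
notprivate  IN  A     172.32.0.1         ; just outside 172.16/12, must not be flagged
mail        IN  CNAME exchange           ; indirection to an interior name is NOT caught here
"""

_TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")  # BIND accepts 3600 as well as 1h, 2d, ...


class Finding(NamedTuple):
    owner: str     # fully qualified owner name of the record
    address: str   # the A record's rdata
    network: str   # RFC 1918 block the address falls in


def rfc1918_block(addr: str) -> Optional[ipaddress.IPv4Network]:
    """Return the RFC 1918 network containing addr, or None (also for junk / IPv6)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version != 4:
        return None
    for net in RFC1918_NETS:
        if ip in net:
            return net
    return None


def qualify(name: str, origin: str) -> str:
    """Expand a relative owner name against $ORIGIN using zone-file semantics."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def audit_zone(text: str, origin: str = "") -> List[Finding]:
    """Return one Finding per A record whose address is in RFC 1918 space."""
    findings: List[Finding] = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            origin = origin if origin.endswith(".") else origin + "."
            continue
        if line.startswith("$"):                  # $TTL, $INCLUDE, ... are not records
            continue
        tokens = line.split()
        if raw[0] not in " \t":                   # owner present only when line is unindented
            last_owner = qualify(tokens[0], origin)
            tokens = tokens[1:]
        # skip optional TTL and class; what remains should be TYPE RDATA...
        while tokens and (_TTL_RE.fullmatch(tokens[0]) or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens = tokens[1:]
        if len(tokens) < 2 or tokens[0].upper() != "A":
            continue                              # SOA continuation lines, NS, CNAME, ... ignored
        net = rfc1918_block(tokens[1])
        if net is not None:
            findings.append(Finding(last_owner, tokens[1], str(net)))
    return findings


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        print(f"{f.owner:<28} A {f.address:<16} in {f.network}")
```

Running it against the sample flags firewall, radius, exchange and printer and leaves notprivate (172.32.0.1) alone. Two limits worth knowing: a CNAME such as `mail -> exchange` only leaks through the target's A record, so check the findings against CNAME targets as well, and AAAA records pointing at ULA space (fc00::/7) are the IPv6 analogue and are out of scope for this IPv4-only check.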