DNS anti-spoofing
Bill Manning
bmanning at ISI.EDU
Tue Nov 27 16:48:46 UTC 2001
0.0.0.0/8 old b'cast (*)
10.0.0.0/8 RFC1918
127.0.0.0/8 Loopback
192.0.2.0/24 for documentation
192.168.0.0/16 RFC1918
172.16.0.0/12 RFC1918
169.254.0.0/16 IPv4-linklocal
255.255.255.255/32 new b'cast
224.0.0.0/3 is multicast and some folks are using/planning on using
these ranges for DNS service discovery.
the rest of the reserved ranges are currently not delegated for use but
may be released at any time by the IANA to the RIRs.
(*) while the whole /8 is not b'cast, it can be thought of that way for
most implementations.
------------------------------------------------
--bill
% I'm trying to secure my DNS server.
% blackhole { "bogusnets"; }; option is very useful.
% but I'm confused about what kind of network prefixes should I disable?
% ===
% 0.0.0.0/8;
% 1.0.0.0/8;
% 2.0.0.0/8;
% 192.0.2.0/24;
% 224.0.0.0/3;
% 10.0.0.0/8;
% 172.16.0.0/12;
% 192.168.0.0/16;
% === - are currently in my black list. //from BIND manual
% 10.0.0.0; 172.16.0.0; 192.169.0.0 - those are private address space and should stay within AS.
% Private addresses are clear, and they are documented in rfc too!
%
% question is about RESERVED-* netblocks from RIPE.
% I can't find any RFC that talks about RESERVED prefixes.
%
% can someone give some advice or some url for more info?
%
% Artis
% http://www.ltn.lv/~ac
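The distinction drawn in the reply above, as an added example that is not part of the original thread or of BIND: special-use ranges can be blackholed permanently, while ranges that are only reserved can be delegated later. The script audits the quoted blacklist against the reply's list and renders the acl "bogusnets" block; the function names are hypothetical.

```python
import ipaddress

# Special-use ranges exactly as listed in the reply above.
SPECIAL_USE = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24",
               "192.168.0.0/16", "172.16.0.0/12", "169.254.0.0/16",
               "255.255.255.255/32"]
# Listed separately in the reply: some sites plan DNS service discovery here.
MULTICAST = "224.0.0.0/3"
# Blacklist quoted in the question (taken from the BIND manual).
ASKER_LIST = ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24",
              "224.0.0.0/3", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def bogusnets(include_multicast=True):
    """Return the special-use list as sorted, non-overlapping networks."""
    prefixes = SPECIAL_USE + ([MULTICAST] if include_multicast else [])
    nets = (ipaddress.ip_network(p) for p in prefixes)
    # collapse_addresses drops 255.255.255.255/32 when 224.0.0.0/3 covers it.
    return list(ipaddress.collapse_addresses(nets))


def audit(candidates, include_multicast=True):
    """Split candidates into (special_use, reserved_only).

    reserved_only entries are not covered by any special-use range, so
    they are the ones IANA may hand to an RIR later."""
    allowed = bogusnets(include_multicast)
    keep, review = [], []
    for text in candidates:
        net = ipaddress.ip_network(text)
        covered = any(net.subnet_of(a) for a in allowed)
        (keep if covered else review).append(net)
    return keep, review


def render_acl(nets, name="bogusnets"):
    """Render networks as a named.conf acl for use with blackhole { ... };"""
    body = "".join(f"    {n};\n" for n in nets)
    return f'acl "{name}" {{\n{body}}};\n'


if __name__ == "__main__":
    keep, review = audit(ASKER_LIST)
    print(render_acl(bogusnets()))
    print("re-check against the IANA registry:", [str(n) for n in review])
```

Run against the quoted list, it flags 1.0.0.0/8 and 2.0.0.0/8, both of which IANA has since allocated to RIRs. Pass include_multicast=False if 224.0.0.0/3 must stay reachable for service discovery.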