blocking resolving for 10.X.X.X addresses

Mark_Andrews at isc.org Mark_Andrews at isc.org
Fri Oct 25 22:24:08 UTC 2002


> >>>>> "Steve" == Steve Foster <fosters at uk.psi.com> writes:
> 
>     Steve> we have found customers trying to resolve 10.X.X.X addresses
>     Steve> ( or any other private addresses), i want to block these so
>     Steve> they just get a "refused" or hostname etc. not found...
> 
> Configure your name server to be authoritative for the reverse zones
> for these private address ranges. And leave the zones empty, ideally
> with a very large TTL for negative caching.
> 

	Also apply source address filters if you don't already
	have them on the customer facing routers.  If they are
	leaking queries for RFC 1918 reverse lookups what else are
	they leaking.  Preferably those filters should only allow
	out traffic from the address ranges they are assigned though
	if they are multi-homed there may be other addresses.

	This not only stops leaked traffic.  It also stops forged
	traffic.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
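The first suggestion in the thread, made concrete: become authoritative for the RFC 1918 reverse zones and serve them empty, with a long negative-cache TTL so resolvers remember the NXDOMAIN. The script below is an added example, not configuration from the original posters or from ISC; it generates a BIND-style empty zone file and the matching `named.conf` zone statements for 10/8, 172.16/12 (sixteen /16 reverse zones) and 192.168/16. The file name `db.empty` and the `localhost.` SOA/NS names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the bind-users thread): generate an empty reverse
# zone and the named.conf statements that make this server authoritative for
# every RFC 1918 reverse zone, so lookups for 10.x.x.x etc. get a cached
# NXDOMAIN locally instead of leaking to the Internet.

# Zone file shared by all the empty reverse zones. Only an SOA and an NS
# record, no PTRs. The last SOA field (MINIMUM) is the negative-caching TTL
# (RFC 2308); one week keeps the NXDOMAIN cached for a long time.
empty_zone_file() {
    cat <<'EOF'
$TTL 604800
@   IN  SOA localhost. hostmaster.localhost. (
            1         ; serial
            604800    ; refresh
            86400     ; retry
            2419200   ; expire
            604800 )  ; negative-cache TTL (RFC 2308)
    IN  NS  localhost.
EOF
}

# Reverse zone names covering 10/8, 172.16/12 and 192.168/16.
# 172.16/12 is not on an octet boundary, so it needs 16.172 .. 31.172.
rfc1918_reverse_zones() {
    echo 10.in-addr.arpa
    i=16
    while [ "$i" -le 31 ]; do
        echo "$i.172.in-addr.arpa"
        i=$((i + 1))
    done
    echo 168.192.in-addr.arpa
}

# Number of zones produced (1 + 16 + 1 = 18); handy for a sanity check.
rfc1918_zone_count() {
    n=0
    for z in $(rfc1918_reverse_zones); do
        n=$((n + 1))
    done
    echo "$n"
}

# named.conf fragment: one "type master" zone per name, all backed by the
# same empty zone file ($1 is the zone file name, an assumption here).
named_conf_fragment() {
    for z in $(rfc1918_reverse_zones); do
        printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$z" "$1"
    done
}

# Print both pieces to stdout; redirect into the server's config directory
# when deploying (paths are site-specific, so none are assumed here).
empty_zone_file
named_conf_fragment db.empty
```

After reloading, `dig -x 10.1.2.3 @your-server` should return NXDOMAIN with the server's own SOA in the authority section, and the negative answer stays cached for the SOA MINIMUM. Note that BIND 9.4 and later build these empty reverse zones in by default (`empty-zones-enable`, later standardised in RFC 6303), so on a modern server the explicit zone statements are only needed if that feature has been turned off or the server is older. The second suggestion in the message, source-address filtering on the customer-facing routers, is the separate ingress-filtering practice described in BCP 38 and is done in the router ACLs rather than in the name server.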