private address block & DNS

peter at icke-reklam.ipsec.dot..nu
Mon May 29 17:20:13 UTC 2000


EK <ethan at inlightnet.net> wrote:
> I was wondering how to handle 192.168 address with DNS.  The way things are
> setup here, we have many hosts running behind a firewall with the 192.168
> address scheme (and only a limited number of real IPs).  I would like to be
> able to have them listed in DNS so that they are accessible via their
> hostname.domain.com ( I was hoping to have them dynamically updated via dhcp
> server).  I am under the impression I simply can't go out and make a
> 10.168.192.in-addr.arpa zone or have A records pointing to a 192.169 address
> on a server which answers inet queries for our domain.com, or is this okay
> because this is private address space and wouldn't receive queries from any
> machines besides the ones inside our firewall?...  I also thought about
> just setting up an internal (behind-fw) name server authoritative for a dhcp
> (dhcp.domain.com) subdomain, and have that do dynamic updates for the
> 192.168 clients (ie new client -> newclient.dhcp.domain.com), and use that
> as the primary nameserver for all the clients as well.   However this seems
> like it would still run into the problem of listing a private address to the
> world (dhcp.domain.com would resolve to 192.168.x.x if queried by an inet
> host via ns1.domain.com)..  maybe this doesn't make sense and there's a much
> easier way to go about it, but I haven't found it yet..

Each organization using RFC1918 addresses must handle its own address-to-name
mapping. And it's not as bad as it sounds (most of the time). Just let the
internal nameserver handle those RFC1918 addresses you use.

A more difficult case is where different RFC1918 addresses are used in various places,
and no internal root-servers are used. Here all DNS servers must be aware of all
RFC1918 nets used within the organization in order to prevent forwarding
questions about these nets to the Internet.

No address records should ever be exposed to the Internet where the addresses are in
the RFC1918 range. You may however use these inside your firewall. This is
a case for a "split-dns".

> Thanks for any help,

> E.


-- 
Peter Håkanson         
        IPSec  Sverige      (At the Riverside of Gothenburg, home of Volvo)
           Sorry about my e-mail address, but i'm trying to keep spam out.
echo "peter (at) ipsec (dot) nu" | sed "s/(at)/@/g " | sed "s/(dot)/\./g"|sed "s/ //g"
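A defender-side check for the split-DNS advice above, added to this thread as an example; it is not code from the original post or from BIND. It does two things: scans an Internet-facing zone file for A records in RFC1918 space (the records that must never be published), and computes the octet-aligned in-addr.arpa zones an internal server has to answer for so reverse queries for private space are never forwarded to the Internet, rendering them as BIND-style zone stanzas. The sample zone text, the domain.com names, the 203.0.113.x addresses (RFC 5737 documentation space) and the /etc/namedb/private file path are constructed placeholders.

```python
"""Split-DNS sanity checks for RFC1918 address space (added example)."""
import ipaddress

# RFC1918 private address blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of an external zone; 203.0.113.0/24 is documentation
# space (RFC 5737). The "printer" records are the mistake we want to catch.
EXTERNAL_ZONE = """\
$ORIGIN domain.com.
@        IN SOA ns1.domain.com. hostmaster.domain.com. ( 1 3600 900 604800 86400 )
         IN NS  ns1.domain.com.
ns1      IN A   203.0.113.10
www      IN A   203.0.113.20
printer  IN A   192.168.1.50   ; private address leaked into the public zone
         IN A   192.168.1.51   ; owner inherited from the previous line
"""


def is_private(addr):
    """True if addr lies in any RFC1918 block; malformed input is not private."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def a_records(zone_text):
    """Yield (owner, address) for each A record in master-file text.

    Minimal parsing: strips ';' comments, skips $-directives, accepts an
    optional TTL and class, and inherits a blank owner from the previous
    record. Relative owner names are returned as written.
    """
    last_owner = None
    for raw in zone_text.splitlines():
        body = raw.split(";", 1)[0].rstrip()
        if not body.strip() or body.startswith("$"):
            continue
        tokens = body.split()
        if body[0].isspace():            # blank owner field: inherit
            owner = last_owner
        else:
            owner = tokens.pop(0)
            last_owner = owner
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        if len(tokens) == 2 and tokens[0].upper() == "A":
            yield owner, tokens[1]


def find_leaked_private_records(zone_text):
    """Return [(owner, address)] for A records that must not be published."""
    return [(o, a) for o, a in a_records(zone_text) if is_private(a)]


def reverse_zones(prefix):
    """Octet-aligned in-addr.arpa zone names covering an IPv4 prefix.

    A /8, /16 or /24 maps to one zone; a prefix that does not end on an
    octet boundary (172.16.0.0/12) is split into the /16 zones inside it.
    """
    net = ipaddress.ip_network(prefix)
    target = max(8, ((net.prefixlen + 7) // 8) * 8)   # round up to octet
    zones = []
    for sub in net.subnets(new_prefix=target):
        octets = str(sub.network_address).split(".")[: target // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def all_rfc1918_reverse_zones():
    """Every reverse zone an internal server should hold for RFC1918 space."""
    return [z for net in RFC1918 for z in reverse_zones(str(net))]


def named_conf_stanzas(zones, directory="/etc/namedb/private"):
    """Render BIND-style zone stanzas; the directory is a placeholder path."""
    return "\n".join(
        'zone "%s" { type master; file "%s/%s.db"; };' % (z, directory, z)
        for z in zones
    )


if __name__ == "__main__":
    for owner, addr in find_leaked_private_records(EXTERNAL_ZONE):
        print("LEAK: %s A %s must not be in the external zone" % (owner, addr))
    print(named_conf_stanzas(all_rfc1918_reverse_zones()))
```

Run it against the zone files you actually publish on the outside server; any hit from find_leaked_private_records is a record that belongs only on the internal server. The 18 stanzas it prints (10, 16-31.172 and 168.192) are the set every internal resolver needs to hold, even as empty zones, so that PTR lookups for private space stop inside the organization.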