rfc1918 ns records coming from internet are queried?

David Sparks dave at ca.sophos.com
Wed Nov 26 00:23:31 UTC 2008


Mark Andrews wrote:
> In message <492C8CDD.2090008 at ca.sophos.com>, David Sparks writes:
>> Problem: when querying asdf.ad.rice.edu, bind sends queries into my local
>> network (specifically to 10.129.92.100, which is not a ns) which I find
>> undesirable.
> 
>         Mark the servers as bogus.

Doesn't that only work on a server by server basis?  rice.edu is just an
example ... I'm looking for a way to set a policy that named won't query
rfc1918 nameserver addresses returned from a non-rfc1918 query.  Would this be
a bad policy?

ds




> 
>> Is there any way to disable this behavior?  Is it expected that bind queries
>> rfc1918 nameserver addresses from non-rfc1918 queries?  I would've expected
>> something along the lines of "error: ... RFC 1918 response from Internet for
>> ...".
>>
>>
>> $ dig @ns1.rice.edu asdf.ad.rice.edu
>>
>> ; <<>> DiG 9.4.1-P1 <<>> @ns1.rice.edu asdf.ad.rice.edu
>> ; (1 server found)
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52793
>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;asdf.ad.rice.edu.              IN      A
>>
>> ;; AUTHORITY SECTION:
>> ad.rice.edu.            3600    IN      NS      support-dc7.rice.edu.
>> ad.rice.edu.            3600    IN      NS      support-dc6.rice.edu.
>> ad.rice.edu.            3600    IN      NS      support-dc5.rice.edu.
>> ad.rice.edu.            3600    IN      NS      support-dc4.rice.edu.
>>
>> ;; ADDITIONAL SECTION:
>> support-dc7.rice.edu.   3600    IN      A       10.136.93.4
>> support-dc6.rice.edu.   3600    IN      A       128.42.18.16
>> support-dc5.rice.edu.   3600    IN      A       10.129.92.100
>> support-dc4.rice.edu.   3600    IN      A       128.42.18.223
>>
>> ;; Query time: 82 msec
>> ;; SERVER: 128.42.209.32#53(128.42.209.32)
>> ;; WHEN: Tue Nov 25 15:29:48 2008
>> ;; MSG SIZE  rcvd: 202
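
Added example, not part of the original thread: a Python check that parses the referral from the dig output quoted above and reports which NS glue addresses fall in RFC 1918 space when the responding server is itself on a public address. The function names are illustrative, and the policy it encodes is the one asked about in the message, not behaviour of named.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Referral records copied from the dig output quoted in the message above.
DIG_OUTPUT = """\
;; AUTHORITY SECTION:
ad.rice.edu.            3600    IN      NS      support-dc7.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc6.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc5.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc4.rice.edu.

;; ADDITIONAL SECTION:
support-dc7.rice.edu.   3600    IN      A       10.136.93.4
support-dc6.rice.edu.   3600    IN      A       128.42.18.16
support-dc5.rice.edu.   3600    IN      A       10.129.92.100
support-dc4.rice.edu.   3600    IN      A       128.42.18.223
"""

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def parse_referral(text):
    """Return (set of NS names, {name: [A addresses]}) from dig output."""
    section, ns_names, glue = None, set(), {}
    for line in text.splitlines():
        if line.startswith(";"):          # section header or comment line
            words = line.strip("; ").split()
            section = words[0] if words else None
            continue
        fields = line.split()
        if len(fields) != 5:
            continue
        name, _ttl, _cls, rtype, rdata = fields
        if section == "AUTHORITY" and rtype == "NS":
            ns_names.add(rdata.lower())
        elif section == "ADDITIONAL" and rtype == "A":
            glue.setdefault(name.lower(), []).append(ipaddress.ip_address(rdata))
    return ns_names, glue

def private_glue(text, server):
    """List (ns, address) glue in RFC 1918 space handed out by a public server."""
    if is_rfc1918(ipaddress.ip_address(server)):
        return []                         # internal referral: nothing to flag
    ns_names, glue = parse_referral(text)
    return sorted((ns, str(a)) for ns in ns_names
                  for a in glue.get(ns, []) if is_rfc1918(a))

if __name__ == "__main__":
    print(private_glue(DIG_OUTPUT, "128.42.209.32"))
```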