rfc1918 ns records coming from internet are queried?
Mark Andrews
Mark_Andrews at isc.org
Wed Nov 26 00:40:31 UTC 2008
In message <492C9703.1010202 at ca.sophos.com>, David Sparks writes:
> Mark Andrews wrote:
> > In message <492C8CDD.2090008 at ca.sophos.com>, David Sparks writes:
> >> Problem: when querying asdf.ad.rice.edu, bind sends queries into my local
> >> network (specifically to 10.129.92.100, which is not a ns) which I find
> >> undesirable.
> >
> > Mark the servers as bogus.
>
> Doesn't that only work on a server by server basis?
No. server 10.0.0.0/8 { bogus yes; };
> rice.edu is just an
> example ... I'm looking for a way to set a policy that named wont query
> rfc1918 nameserver addresses returned from a non-rfc1918 query. Would this b
> e
> a bad policy?
>
> ds
In reality RFC 1918 addresses are no different to any other
addresses. Replace the 10/8 addresses with 213.31/16
addresses and you have the same problem.
The best long term solution is to stop using RFC 1918
addresses. They were not allocated for this sort of use.
> >> Is there any way to disable this behavior? Is it expected that bind queri
> es
> >> rfc1918 nameserver addresses from non-rfc1918 queries? I would've expecte
> d
> >> something along the lines of "error: ... RFC 1918 response from Internet f
> or
> >> ...".
> >>
> >>
> >> $ dig @ns1.rice.edu asdf.ad.rice.edu
> >>
> >> ; <<>> DiG 9.4.1-P1 <<>> @ns1.rice.edu asdf.ad.rice.edu
> >> ; (1 server found)
> >> ;; global options: printcmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52793
> >> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; QUESTION SECTION:
> >> ;asdf.ad.rice.edu. IN A
> >>
> >> ;; AUTHORITY SECTION:
> >> ad.rice.edu. 3600 IN NS support-dc7.rice.edu.
> >> ad.rice.edu. 3600 IN NS support-dc6.rice.edu.
> >> ad.rice.edu. 3600 IN NS support-dc5.rice.edu.
> >> ad.rice.edu. 3600 IN NS support-dc4.rice.edu.
> >>
> >> ;; ADDITIONAL SECTION:
> >> support-dc7.rice.edu. 3600 IN A 10.136.93.4
> >> support-dc6.rice.edu. 3600 IN A 128.42.18.16
> >> support-dc5.rice.edu. 3600 IN A 10.129.92.100
> >> support-dc4.rice.edu. 3600 IN A 128.42.18.223
> >>
> >> ;; Query time: 82 msec
> >> ;; SERVER: 128.42.209.32#53(128.42.209.32)
> >> ;; WHEN: Tue Nov 25 15:29:48 2008
> >> ;; MSG SIZE rcvd: 202
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list