rfc1918 ns records coming from internet are queried?

Mark Andrews Mark_Andrews at isc.org
Wed Nov 26 00:40:31 UTC 2008


In message <492C9703.1010202 at ca.sophos.com>, David Sparks writes:
> Mark Andrews wrote:
> > In message <492C8CDD.2090008 at ca.sophos.com>, David Sparks writes:
> >> Problem: when querying asdf.ad.rice.edu, bind sends queries into my local
> >> network (specifically to 10.129.92.100, which is not a ns) which I find
> >> undesirable.
> > 
> >         Mark the servers as bogus.
> 
> Doesn't that only work on a server by server basis?

	No.  server 10.0.0.0/8 { bogus yes; };

> rice.edu is just an
> example ... I'm looking for a way to set a policy that named won't query
> rfc1918 nameserver addresses returned from a non-rfc1918 query.  Would this be
> a bad policy?
> 
> ds

	In reality RFC 1918 addresses are no different to any other
	addresses.  Replace the 10/8 addresses with 213.31/16
	addresses and you have the same problem.

	The best long term solution is to stop using RFC 1918
	addresses.  They were not allocated for this sort of use.

> >> Is there any way to disable this behavior?  Is it expected that bind queries
> >> rfc1918 nameserver addresses from non-rfc1918 queries?  I would've expected
> >> something along the lines of "error: ... RFC 1918 response from Internet for
> >> ...".
> >>
> >>
> >> $ dig @ns1.rice.edu asdf.ad.rice.edu
> >>
> >> ; <<>> DiG 9.4.1-P1 <<>> @ns1.rice.edu asdf.ad.rice.edu
> >> ; (1 server found)
> >> ;; global options:  printcmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52793
> >> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 4
> >> ;; WARNING: recursion requested but not available
> >>
> >> ;; QUESTION SECTION:
> >> ;asdf.ad.rice.edu.              IN      A
> >>
> >> ;; AUTHORITY SECTION:
> >> ad.rice.edu.            3600    IN      NS      support-dc7.rice.edu.
> >> ad.rice.edu.            3600    IN      NS      support-dc6.rice.edu.
> >> ad.rice.edu.            3600    IN      NS      support-dc5.rice.edu.
> >> ad.rice.edu.            3600    IN      NS      support-dc4.rice.edu.
> >>
> >> ;; ADDITIONAL SECTION:
> >> support-dc7.rice.edu.   3600    IN      A       10.136.93.4
> >> support-dc6.rice.edu.   3600    IN      A       128.42.18.16
> >> support-dc5.rice.edu.   3600    IN      A       10.129.92.100
> >> support-dc4.rice.edu.   3600    IN      A       128.42.18.223
> >>
> >> ;; Query time: 82 msec
> >> ;; SERVER: 128.42.209.32#53(128.42.209.32)
> >> ;; WHEN: Tue Nov 25 15:29:48 2008
> >> ;; MSG SIZE  rcvd: 202
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
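The check below is an added example, not code from this thread, from ISC or from BIND itself. It parses the ADDITIONAL section of the dig output quoted above (embedded here as constructed sample input), reports which glue addresses fall inside the RFC 1918 prefixes, and renders the `server <prefix> { bogus yes; };` clauses Mark describes, one per prefix. Because the underlying problem is not specific to private space (replace 10/8 with 213.31/16, as the reply says, and it is the same problem), the prefix list is a parameter, so the same audit can be run against any set of ranges the resolver cannot reach. The function and constant names are the example's own; `ipaddress` and `re` are Python standard library.

```python
import ipaddress
import re

# The three RFC 1918 prefixes (the ranges the thread is about).
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input: the relevant sections of the dig output quoted in the thread.
DIG_OUTPUT = """\
;; AUTHORITY SECTION:
ad.rice.edu.            3600    IN      NS      support-dc7.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc6.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc5.rice.edu.
ad.rice.edu.            3600    IN      NS      support-dc4.rice.edu.

;; ADDITIONAL SECTION:
support-dc7.rice.edu.   3600    IN      A       10.136.93.4
support-dc6.rice.edu.   3600    IN      A       128.42.18.16
support-dc5.rice.edu.   3600    IN      A       10.129.92.100
support-dc4.rice.edu.   3600    IN      A       128.42.18.223

;; Query time: 82 msec
"""

# owner  TTL  IN  A  dotted-quad, as dig prints it
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def parse_glue(dig_text):
    """Return {owner name: IPv4Address} for A records in the ADDITIONAL section."""
    glue = {}
    in_additional = False
    for line in dig_text.splitlines():
        if line.startswith(";; ADDITIONAL SECTION:"):
            in_additional = True
            continue
        if line.startswith(";;"):  # any other ';;' header ends the section
            in_additional = False
            continue
        if not in_additional:
            continue
        m = A_RECORD.match(line)
        if m:
            glue[m.group(1)] = ipaddress.ip_address(m.group(2))
    return glue


def find_unreachable_glue(glue, prefixes=RFC1918):
    """Sorted (name, address) pairs whose address lies inside any of the given prefixes."""
    return sorted(
        (name, str(addr))
        for name, addr in glue.items()
        if any(addr in prefix for prefix in prefixes)
    )


def bogus_server_clauses(prefixes=RFC1918):
    """Render one named.conf 'server ... { bogus yes; };' clause per prefix."""
    return "\n".join(f"server {prefix} {{ bogus yes; }};" for prefix in prefixes)


if __name__ == "__main__":
    glue = parse_glue(DIG_OUTPUT)
    for name, addr in find_unreachable_glue(glue):
        print(f"glue for {name} points into private space: {addr}")
    print("named.conf fragment:")
    print(bogus_server_clauses())
```

One caveat before pasting the generated clauses into named.conf: a `server` clause with a prefix applies to every address in that range, so marking all of 10/8 bogus also stops named from querying any internal nameserver you do legitimately reach in 10/8 (for example authoritative servers for an internal zone). The BIND ARM states that only the most specific matching `server` clause applies, so a narrower clause for those hosts can carve out the exception; check the ARM for the version you run before relying on that behaviour.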