blocking resolving for 10.X.X.X addresses
Mark_Andrews at isc.org
Fri Oct 25 22:24:08 UTC 2002
> >>>>> "Steve" == Steve Foster <fosters at uk.psi.com> writes:
>
> Steve> we have found customers trying to resolve 10.X.X.X addresses
> Steve> (or any other private addresses). I want to block these so
> Steve> they just get a "refused" or hostname etc. not found...
>
> Configure your name server to be authoritative for the reverse zones
> for these private address ranges. And leave the zones empty, ideally
> with a very large TTL for negative caching.
>
Also apply source address filters if you don't already
have them on the customer facing routers. If they are
leaking queries for RFC 1918 reverse lookups, what else are
they leaking? Preferably those filters should only allow
out traffic from the address ranges they are assigned, though
if they are multi-homed there may be other addresses.
This not only stops leaked traffic, it also stops forged
traffic.
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
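The quoted suggestion in concrete form, as an added example that is not part of the original post: a named.conf fragment making the server authoritative for the RFC 1918 reverse zones, plus the empty zone file they all share. The file names, serial and the choice of `localhost.` as SOA/NS name are assumptions.

```conf
// ---- named.conf (added example) ----
// Serve the RFC 1918 reverse zones locally so customer PTR queries for
// 10.x.x.x (and the other private ranges) get NXDOMAIN from this server
// instead of leaking to the in-addr.arpa servers.
zone "10.in-addr.arpa" {
    type master;
    file "empty.db";
};
zone "168.192.in-addr.arpa" {
    type master;
    file "empty.db";
};
// 172.16/12 is 16.172.in-addr.arpa through 31.172.in-addr.arpa:
// add one zone statement per /16 (16..31) pointing at the same file.

; ---- empty.db (added example) ----
; Only an SOA and an NS record: every other name in the zone is NXDOMAIN.
; Per RFC 2308 the negative-cache TTL handed to resolvers is the smaller
; of the SOA record's own TTL and its MINIMUM field, so both are set to
; one week here. Downstream caches may still clamp it (BIND's
; max-ncache-ttl option), but the query no longer leaves the network.
$TTL 604800
@   IN  SOA  localhost. hostmaster.localhost. (
            2002102501  ; serial (constructed)
            3600        ; refresh
            900         ; retry
            604800      ; expire
            604800 )    ; minimum = negative-cache TTL
    IN  NS   localhost.
```

Check the result with `named-checkconf` and `named-checkzone 10.in-addr.arpa empty.db` before reloading.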