mailing list archives
Re: rfc1918 space dns requests
From: martin f krafft <madduck () madduck net>
Date: Tue, 16 Mar 2004 20:44:56 +0100
also sprach Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> [2004.03.16.1812 +0100]:
2) We've got applications making DNS requests that get forwarded
out to the ISP's servers, where they will almost certainly result
in either an error reply or a timeout Find ways to use this to
I would be interested in how you do that.
3) Despite the slowness and/or brokenness of (2), the site admins
haven't fixed the misconfiguration. This means they are some
combination of clueless and/or lazy, and this is
a tolerated/accepted state of affairs. Find ways to use this to
your advantage. ;)
For ease of maintenance, I have my primary DNS respond with RFC 1918
addresses for my internal machines. That is, my internal machines
are resolved by a primary DNS server out there on the 'Net, e.g.
sky.madduck.net. I fail to see how this can be a security problem.
I am disclosing information, but so it be. If you ask nicely, I'll
give you my net topology and firewall ruleset on a platter and you
still won't hack me.
I agree that RFC 1918 slipping out by accident could be an
indication of problems in the network, drawing hackers attention
rightfully so. However, publishing RFC 1918 addresses of the
internal network via DNS is not a security problem per se.
Then again, I would be happy to be proven wrong.
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net () madduck
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
"in any hierarchy, each individual rises
to his own level of incompetence,
and then remains there."
-- murphy (after dr. laurence j. peter)
Description: Digital signature