Re: Re: rfc1918 space dns requests
From: Valdis.Kletnieks () vt edu
Date: Tue, 16 Mar 2004 16:15:27 -0500
On Tue, 16 Mar 2004 20:44:56 +0100, martin f krafft <madduck () madduck net> said:
> also sprach Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> [2004.03.16.1
>> 2) We've got applications making DNS requests that get forwarded
>> out to the ISP's servers, where they will almost certainly result
>> in either an error reply or a timeout Find ways to use this to
> I would be interested in how you do that.
The obvious is that the usual DNS spoofing hacks often only have a
few milliseconds for you to stick in a bogus packet before the real DNS
answers - here you have entire seconds to play with.
> For ease of maintenance, I have my primary DNS respond with RFC 1918
> addresses for my internal machines. That is, my internal machines
> are resolved by a primary DNS server out there on the 'Net, e.g.
> sky.madduck.net. I fail to see how this can be a security problem.
I know you well enough to know that you almost certainly Got It Right.
> I agree that RFC 1918 slipping out by accident could be an
> indication of problems in the network, drawing hackers' attention
For every one of you, there's probably hundreds of these Getting It Wrong.
Bet there's a bunch over at the Dept of the Interior. :)