Full Disclosure mailing list archives

Re: rfc1918 space dns requests


From: martin f krafft <madduck () madduck net>
Date: Tue, 16 Mar 2004 20:44:56 +0100

thus spoke Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> [2004.03.16.1812 +0100]:
> 2) We've got applications making DNS requests that get forwarded
> out to the ISP's servers, where they will almost certainly result
> in either an error reply or a timeout.  Find ways to use this to
> your advantage.

I would be interested in how you do that.

> 3) Despite the slowness and/or brokenness of (2), the site admins
> haven't fixed the misconfiguration.  This means they are some
> combination of clueless and/or lazy, and this is
> a tolerated/accepted state of affairs.  Find ways to use this to
> your advantage. ;)

For ease of maintenance, I have my primary DNS respond with RFC 1918
addresses for my internal machines. That is, my internal machines
are resolved by a primary DNS server out there on the 'Net, e.g.
sky.madduck.net. I fail to see how this can be a security problem.
I am disclosing information, but so it be. If you ask nicely, I'll
give you my net topology and firewall ruleset on a platter and you
still won't hack me.

I agree that RFC 1918 slipping out by accident could be an
indication of problems in the network, drawing hackers' attention
rightfully so. However, publishing RFC 1918 addresses of the
internal network via DNS is not a security problem per se.

Then again, I would be happy to be proven wrong.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
"in any hierarchy, each individual rises
 to his own level of incompetence,
 and then remains there."
                               -- murphy (after dr. laurence j. peter)

Attachment: signature.asc
Description: Digital signature
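The two points debated above (internal RFC 1918 addresses published in a public zone, and lookups for RFC 1918 space leaking out to the ISP's resolvers) can both be checked mechanically. The script below is an added example, not code from the original thread or from the poster's own setup: it parses a constructed zone fragment (the example.net names and addresses are placeholders), reports every A record that points into RFC 1918 space, and computes the in-addr.arpa zones a local resolver should answer itself so that reverse lookups for private space never reach the ISP. The reverse-zone part goes slightly beyond the thread, which only discusses forward records.

```python
"""Audit a zone for RFC 1918 address records and list the reverse zones
a site resolver should serve locally.  Standalone example; the zone data
below is constructed for illustration and is not from any real network."""
import ipaddress
import re
from typing import List, Tuple

# The three RFC 1918 blocks, kept explicit rather than using
# ipaddress's broader is_private (which also covers 127/8, 169.254/16 etc.)
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample zone fragment (assumption: BIND-style master file syntax).
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@        IN  SOA  ns1.example.net. hostmaster.example.net. ( 1 3600 900 604800 86400 )
@        IN  NS   ns1.example.net.
ns1      IN  A    198.51.100.10
www      IN  A    198.51.100.20
fileserv IN  A    10.0.0.5       ; internal box published in the public zone
printer  IN  A    192.168.1.20
lab      IN  A    172.20.3.4
mail     IN  A    203.0.113.7
"""

# owner [ttl] [IN] A address  (class and TTL are optional in master files)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d+\.\d+\.\d+\.\d+)", re.I)


def parse_a_records(zone_text: str) -> List[Tuple[str, str]]:
    """Return (fully qualified owner, address) for each A record.
    Comments after ';' are dropped; relative owners get $ORIGIN appended."""
    records = []
    origin = ""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL and other directives
            continue
        m = A_RECORD.match(line)
        if not m:
            continue
        owner, addr = m.group(1), m.group(2)
        if owner == "@":
            owner = origin
        elif not owner.endswith(".") and origin:
            owner = f"{owner}.{origin}"
        records.append((owner, addr))
    return records


def rfc1918_leaks(zone_text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, address, matching RFC 1918 block) for every A record
    whose address falls inside private space."""
    leaks = []
    for owner, addr in parse_a_records(zone_text):
        ip = ipaddress.ip_address(addr)
        for net in RFC1918:
            if ip in net:
                leaks.append((owner, addr, str(net)))
                break
    return leaks


def rfc1918_reverse_zones() -> List[str]:
    """in-addr.arpa zone names covering all RFC 1918 space.
    10/8 is one zone; 172.16/12 needs sixteen /16 zones (16.172 .. 31.172);
    192.168/16 is one zone.  A resolver serving these empty (or with real
    PTRs) never forwards private reverse lookups upstream."""
    zones = []
    for net in RFC1918:
        if net.prefixlen == 8:
            zones.append(f"{net.network_address.packed[0]}.in-addr.arpa")
        else:
            for sub in net.subnets(new_prefix=16):
                o = sub.network_address.packed
                zones.append(f"{o[1]}.{o[0]}.in-addr.arpa")
    return zones


if __name__ == "__main__":
    for owner, addr, net in rfc1918_leaks(SAMPLE_ZONE):
        print(f"RFC 1918 record in public zone: {owner} -> {addr} ({net})")
    print("reverse zones to serve locally:")
    for z in rfc1918_reverse_zones():
        print("  ", z)
```

Running it against the constructed zone flags fileserv, printer and lab and lists 18 reverse zones. Modern BIND 9 already serves those reverse zones as built-in empty zones (the empty-zones-enable option), so on such a resolver the second half of the check is mainly a way to confirm nothing has overridden the default.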

