Full Disclosure mailing list archives

Re: Re: rfc1918 space dns requests


From: Valdis.Kletnieks () vt edu
Date: Tue, 16 Mar 2004 16:15:27 -0500

On Tue, 16 Mar 2004 20:44:56 +0100, martin f krafft <madduck () madduck net>  said:

also sprach Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> [2004.03.16.1812 +0100]:
2) We've got applications making DNS requests that get forwarded
out to the ISP's servers, where they will almost certainly result
in either an error reply or a timeout. Find ways to use this to
your advantage.

I would be interested in how you do that.

The obvious is that the usual DNS spoofing hacks often only have a
few milliseconds for you to stick in a bogus packet before the real DNS
answers - here you have entire seconds to play with.

For ease of maintenance, I have my primary DNS respond with RFC 1918
addresses for my internal machines. That is, my internal machines
are resolved by a primary DNS server out there on the 'Net, e.g.
sky.madduck.net. I fail to see how this can be a security problem.

I know you well enough to know that you almost certainly Got It Right.

I agree that RFC 1918 slipping out by accident could be an
indication of problems in the network, drawing hackers' attention
rightfully so.

For every one of you, there's probably hundreds of these Getting It Wrong.

Bet there's a bunch over at the Dept of the Interior. :)
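
The condition discussed in this message, reverse lookups for RFC 1918 space being forwarded to the ISP's resolvers, can be looked for in resolver query logs. The following is an added example and not part of the original message; the log format, the addresses and the function names are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def reverse_name_to_network(qname):
    """Map an in-addr.arpa name (full or partial) to the IPv4 network it covers."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2][::-1]          # labels are stored least-significant first
    if not 1 <= len(octets) <= 4:
        return None
    try:
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")
    except ValueError:                  # non-numeric or out-of-range label
        return None

def leaked_queries(log_lines, internal_resolvers):
    """Return (client, resolver, qname) for RFC 1918 reverse queries
    that were sent to a resolver outside the internal set."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:            # assumed format: ts client resolver qtype qname
            continue
        _ts, client, resolver, _qtype, qname = fields
        net = reverse_name_to_network(qname)
        if net is None or resolver in internal_resolvers:
            continue
        if any(net.subnet_of(private) for private in RFC1918):
            hits.append((client, resolver, qname))
    return hits

# Constructed sample log; 192.0.2.53 stands in for an ISP resolver.
SAMPLE_LOG = [
    "t1 10.1.4.22 192.0.2.53 PTR 7.3.1.10.in-addr.arpa.",
    "t2 10.1.4.22 10.0.0.53 PTR 7.3.1.10.in-addr.arpa.",
    "t3 10.1.4.30 192.0.2.53 PTR 9.8.32.172.in-addr.arpa.",
    "t4 10.1.4.30 192.0.2.53 SOA 168.192.in-addr.arpa.",
    "t5 10.1.4.31 192.0.2.53 A www.example.com.",
    "t6 10.1.4.31 192.0.2.53 PTR 5.0.20.172.in-addr.arpa.",
]

if __name__ == "__main__":
    for hit in leaked_queries(SAMPLE_LOG, {"10.0.0.53"}):
        print("leaked RFC 1918 reverse query:", *hit)
```
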
