nanog mailing list archives

Re: DNS/Routing advice


From: Petri Helenius <pete () he iki fi>
Date: Wed, 11 Sep 2002 21:43:43 +0300


Dan Lockwood wrote:

Everyone,

I have a customer that is multihomed, to a public ISP and to another large network that uses 10.0.0.0 address space.  
The private address space also has services available via public address space and consequently is running a split 
DNS service, public and private.  Because of firewalls and the placement of DNS servers, this customer has a nasty 
routing situation and, in order to make DNS work for the private numbers, has spoofed the domain of the private 
network.  My question is this: are there any documents or RFCs that outline what is an acceptable practice for 
running DNS and what is not?  Their kluge of a network causes continuous problems for both the upstream ISP and the 
private network to which they are connecting, and we may find ourselves in a situation where we have to say that 'xyz' 
is an acceptable way of operating and 'abc' is not.  Any advice is appreciated.  Thanks!

As you have probably realized, shooting yourself in the foot does hurt. 
Unfortunately, not all textbooks warn about it, but rather recommend doing large
implementations of 1918 space.

I would change the services to be dual-addressed, with both public and 
private addresses; it should fix most issues that bother users with
real addresses. The ones on 10/8 addresses are supposed to experience
degraded accessibility, so it's a feature there.

In any case, the policy is that you're not supposed to leak anything
in the headers or the payload that contains 1918 addresses. In practice
it does not work that way (unfortunately).

Pete


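The leak Pete is pointing at (RFC 1918 addresses showing up in the public DNS view, and dual-addressing as the way out) can be checked mechanically. The following is an added example, not code from the thread or from either poster: it parses a constructed, simplified zone snippet for a hypothetical example.net, reports every A record in the public view that points into 10/8, 172.16/12 or 192.168/16, tells dual-addressed names (which can simply have the private record dropped from the public view) apart from private-only names (which need a public address or must stay in the private view only), and produces the cleaned public view. The zone contents, owner names and addresses are all made up for the example; the parser assumes each record line carries its own owner name.

```python
"""Audit a DNS zone's public view for leaked RFC 1918 addresses.

Added example, not from the NANOG thread. Sample zone data below is
constructed for illustration; example.net and its hosts are hypothetical.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a combined zone that was (wrongly) being served as the
# public view. Comments after ';' follow zone-file convention.
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@        IN  SOA  ns1.example.net. hostmaster.example.net. (2002091101 3600 900 604800 300)
@        IN  NS   ns1.example.net.
ns1      IN  A    203.0.113.10
www      IN  A    203.0.113.20
www      IN  A    10.1.2.20        ; private side of the dual-addressed web server
intranet IN  A    10.1.2.30        ; private-only service, must not appear publicly
mail     IN  A    192.168.5.5
mail     IN  A    203.0.113.25
"""


def is_rfc1918(addr):
    """True if addr (string or ipaddress object) lies in RFC 1918 space."""
    ip = ipaddress.ip_address(addr) if isinstance(addr, str) else addr
    return any(ip in net for net in RFC1918)


def parse_a_records(zone_text):
    """Return [(owner_fqdn, IPv4Address, line_index)] for every A record.

    Handles $ORIGIN, '@', relative owner names, ';' comments, an optional
    TTL/class before the type, and owner-less continuation lines.
    """
    origin, last_owner, records = ".", None, []
    for idx, raw in enumerate(zone_text.splitlines()):
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue                      # other directives are not records
        if raw[0].isspace():              # continuation: reuse previous owner
            owner, fields = last_owner, tokens
        else:
            owner, fields = tokens[0], tokens[1:]
        if owner is None:
            continue
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        last_owner = owner
        for i, tok in enumerate(fields[:-1]):
            if tok.upper() == "A":
                try:
                    records.append((owner.lower(), ipaddress.IPv4Address(fields[i + 1]), idx))
                except ValueError:
                    pass                  # not an A record after all
                break
    return records


def audit_public_view(zone_text):
    """Classify leaked names: dual-addressed vs. private-only."""
    by_owner = {}
    for owner, ip, _ in parse_a_records(zone_text):
        by_owner.setdefault(owner, []).append(ip)
    leaks, dual, private_only = [], [], []
    for owner, ips in by_owner.items():
        private = [ip for ip in ips if is_rfc1918(ip)]
        public = [ip for ip in ips if not is_rfc1918(ip)]
        leaks.extend((owner, str(ip)) for ip in private)
        if private and public:
            dual.append(owner)            # drop the private record publicly
        elif private:
            private_only.append(owner)    # needs a public address or private view only
    return {"leaks": leaks, "dual_addressed": sorted(dual),
            "private_only": sorted(private_only)}


def split_views(zone_text):
    """Return (public_view, private_view): the private view keeps everything,
    the public view omits record lines whose A target is RFC 1918."""
    drop = {idx for _, ip, idx in parse_a_records(zone_text) if is_rfc1918(ip)}
    public = [l for i, l in enumerate(zone_text.splitlines()) if i not in drop]
    return "\n".join(public) + "\n", zone_text


if __name__ == "__main__":
    report = audit_public_view(SAMPLE_ZONE)
    for owner, ip in report["leaks"]:
        print(f"LEAK {owner} -> {ip}")
    print("dual-addressed:", report["dual_addressed"])
    print("private-only:  ", report["private_only"])
```

Run against a dump of the zone actually answered on the public-facing server (not the master file), since the leak is about what resolvers outside see. A private-only name such as intranet above is exactly the case Pete's dual-addressing advice does not cover: it either gets a public address too or stays out of the public view.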