RFC 1918 forbade the publishing of private addresses outside of the enterprise:
"Indirect references to [private] addresses should be contained within the
enterprise. Prominent examples of such references are DNS Resource
Records and other information referring to internal private
addresses. In particular, Internet service providers should take
measures to prevent such leakage."
Having said that, however, BIND doesn't prevent you publishing such addresses
to the Internet, since it doesn't really know -- *cannot* know, in advance --
whether the data is going to be queried from the Internet or not.
I'm not aware of ISPs that filter customer DNS traffic for RFC 1918 addresses
either.
As Greg pointed out, the addresses aren't going to be routable anyway, but even
in the absence of routability, there are Information Security concerns: if
someone -- let's call them a business partner -- trusts your DNS *domain*, and
you publish private addresses associated with names in that domain, then a
malicious actor could potentially exploit that trust to gain access to the
business partner's resources, e.g. trick their browser into connecting to an
internal resource on their network that happens to have the same private
address as what you published. Business partner trusts example.com (your
domain), nat.example.com resolves to 10.1.1.1, malicious actor redirects a
website reference to nat.example.com (which you trust) and this gives them
unintentional, unauthorized access to 10.1.1.1 on business partner's network.
The basic Information Security problem with private addresses is that they are
*non-unique*. This introduces ambiguity, and ambiguity produces surprises and
can be exploited. Best to keep everything to do with private addresses and
private namespaces within your own organization (and yes, I understand the
general trend towards "eliminating the perimeter", but this needs to be done in
a methodical, careful way).
- Kevin
-----Original Message-----
From: bind-users <[email protected]> On Behalf Of Greg Rivers
Sent: Friday, July 27, 2018 12:07 PM
To: Elias Pereira <[email protected]>
Cc: [email protected]
Subject: Re: Authoritative dns with private IP for hostname
On Friday, July 27, 2018 12:59:42 Elias Pereira wrote:
> Can an authoritative dns for a domain, eg mydomain.tdl, have a
> hostname, example, wordpress.mydomain.tdl with a private IP?
>
Yes, but that won't be useful outside of your LAN.
> Would this be accessible from the internet via hostname, if I did a
> nat on the firewall?
>
No, by definition, private addresses are not routable on the Internet.
--
Greg Rivers
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users