[92388] in North American Network Operators' Group


Re: Why is RFC1918 space in public DNS evil?

daemon@ATHENA.MIT.EDU (Fred Baker)
Mon Sep 18 09:12:39 2006

In-Reply-To: <450E91E6.1020300@ttec.com>
Cc: nanog list <nanog@merit.edu>
From: Fred Baker <fred@cisco.com>
Date: Mon, 18 Sep 2006 06:04:55 -0700
To: Matthew Palmer <mpalmer@hezmatt.org>
Errors-To: owner-nanog@merit.edu


> I know the common wisdom is that putting 192.168 addresses in a  
> public zonefile is right up there with kicking babies who have just  
> had their candy stolen, but I'm really struggling to come up with  
> anything more authoritative than "just because, now eat your  
> brussel sprouts".

I think the best answer to that is to turn it on its head.

As Joe points out, exposing interior information unnecessarily is a
security risk - leaving a treasure map with "X marks the spot"
invites pirates of all sorts. In this case, it is not only exposing
interior information (the.host.you.want.to.attack.example.com)
unnecessarily, but also in a way that doesn't actually help anyone
else. The address of my telephone is 10.32.244.220. But do a
traceroute to that address (or the address of my family computer,
which is 192.168.1.20), and I about guarantee that you will come to a
different computer, for the simple reason that you aren't in any of
my private domains.

So putting those addresses in the public DNS actually *only* helps me  
if I am someone who is bombarding your prophylactic defenses with  
messages intended to reach your chewy innards. Anyone else has no  
actual use for the internal addresses.

I think the right question for your client is: "why exactly did you  
want to do that?"
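As an added example, not part of Fred's post or the NANOG archive: a small Python audit that flags A records in a zone file whose rdata falls inside RFC 1918 space, the leak the thread is about. The zone text is constructed for the example; its two internal hosts reuse the addresses mentioned above.

```python
import ipaddress

# Constructed sample zone excerpt (not from the post); the internal
# hosts mirror the addresses Fred mentions.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN  SOA  ns1.example.com. hostmaster.example.com. (
                    2006091801 7200 900 1209600 3600 )
@          IN  NS   ns1.example.com.
www        IN  A    203.0.113.10   ; public, fine
phone      IN  A    10.32.244.220  ; RFC 1918, leaks internal layout
family-pc  IN  A    192.168.1.20
           IN  A    172.16.5.7     ; owner inherited from previous line
mail       IN  A    198.51.100.25
"""

RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is a valid IPv4 address inside an RFC 1918 block."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918_NETS)


def find_leaked_records(zone_text):
    """Return (owner, address) pairs for A records pointing into RFC 1918 space.
    Layout: owner, optional TTL/class, type, rdata; a whitespace-led line
    inherits the previous owner, as BIND does."""
    leaks, owner = [], None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # strip comments
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():                   # explicit owner name
            owner = fields.pop(0)
        if len(fields) >= 2 and "A" in fields[:-1]:
            rdata = fields[fields.index("A") + 1]
            if is_rfc1918(rdata):
                leaks.append((owner, rdata))
    return leaks
```

Running `find_leaked_records(SAMPLE_ZONE)` returns the three internal records (phone and both family-pc addresses) while the public ones pass; SOA continuation lines and comments are ignored.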
