Reply

How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?

Guru
Posts: 58
8177     0

Hi;

 

Let's say an internal server needs to do a reverse lookup query against the IP address 192.168.1.2. Does the Infoblox recursive lookup server prevent the iterative lookup of the IP address 192.168.1.2 through the root DNS server?

 

I believe this is part of Bind, but though I would check.

 

 

 

Kindly

Wasfi

Re: How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?

[ Edited ]
Authority
Posts: 24
8178     0

A DNS server would only prevent the query from going further if there is an authoritative reverse zone for that address space (in your example it would be 168.192.in-addr.arpa.).  RFC-6303 lists the authoritative reverse zones that should exist on a server to prevent leakage of queries to the Internet for network spaces that should not be present there:

 

https://tools.ietf.org/html/rfc6303

 

Here are the reverses listed in the RFC by their type:

 

RFC-1918 Private Addresses

                         +----------------------+
                         | Zone                 |
                         +----------------------+
                         | 10.IN-ADDR.ARPA      |
                         | 16.172.IN-ADDR.ARPA  |
                         | 17.172.IN-ADDR.ARPA  |
                         | 18.172.IN-ADDR.ARPA  |
                         | 19.172.IN-ADDR.ARPA  |
                         | 20.172.IN-ADDR.ARPA  |
                         | 21.172.IN-ADDR.ARPA  |
                         | 22.172.IN-ADDR.ARPA  |
                         | 23.172.IN-ADDR.ARPA  |
                         | 24.172.IN-ADDR.ARPA  |
                         | 25.172.IN-ADDR.ARPA  |
                         | 26.172.IN-ADDR.ARPA  |
                         | 27.172.IN-ADDR.ARPA  |
                         | 28.172.IN-ADDR.ARPA  |
                         | 29.172.IN-ADDR.ARPA  |
                         | 30.172.IN-ADDR.ARPA  |
                         | 31.172.IN-ADDR.ARPA  |
                         | 168.192.IN-ADDR.ARPA |
                         +----------------------+

 RFC-5735 and RFC-5737 Zones

         +------------------------------+-----------------------+
         | Zone                         | Description           |
         +------------------------------+-----------------------+
         | 0.IN-ADDR.ARPA               | IPv4 "THIS" NETWORK   |
         | 127.IN-ADDR.ARPA             | IPv4 Loopback NETWORK |
         | 254.169.IN-ADDR.ARPA         | IPv4 LINK LOCAL       |
         | 2.0.192.IN-ADDR.ARPA         | IPv4 TEST-NET-1       |
         | 100.51.198.IN-ADDR.ARPA      | IPv4 TEST-NET-2       |
         | 113.0.203.IN-ADDR.ARPA       | IPv4 TEST-NET-3       |
         | 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST        |
         +------------------------------+-----------------------+

Local IPv6 Unicast Addresses

               +-------------------------------------------+
               | Zone                                      |
               +-------------------------------------------+
               | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
               |     0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA      |
               | 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
               |     0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA      |
               +-------------------------------------------+

IPv6 Locally-Assigned Local Addresses

                             +--------------+
                             | Zone         |
                             +--------------+
                             | D.F.IP6.ARPA |
                             +--------------+

IPv6 Link-Local Addresses

                            +----------------+
                            | Zone           |
                            +----------------+
                            | 8.E.F.IP6.ARPA |
                            | 9.E.F.IP6.ARPA |
                            | A.E.F.IP6.ARPA |
                            | B.E.F.IP6.ARPA |
                            +----------------+

IPv6 Example Prefix

                       +--------------------------+
                       | Zone                     |
                       +--------------------------+
                       | 8.B.D.0.1.0.0.2.IP6.ARPA |
                       +--------------------------+

 

Re: How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?

Guru
Posts: 58
8178     0

Thank you RossG.

Showing results for 
Search instead for 
Did you mean: 

Recommended for You