Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

NIOS DNS DHCP IPAM

Reply

How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?

Guru
Posts: 58
6995     0

Hi;

 

Let's say an internal server needs to do a reverse lookup query against the IP address 192.168.1.2. Does the Infoblox recursive lookup server prevent the iterative lookup of the IP address 192.168.1.2 through the root DNS server?

 

I believe this is part of Bind, but though I would check.

 

 

 

Kindly

Wasfi

Re: How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?

[ Edited ]
Authority
Posts: 15
6996     0

A DNS server would only prevent the query from going further if there is an authoritative reverse zone for that address space (in your example it would be 168.192.in-addr.arpa.).  RFC-6303 lists the authoritative reverse zones that should exist on a server to prevent leakage of queries to the Internet for network spaces that should not be present there:

 

https://tools.ietf.org/html/rfc6303

 

Here are the reverses listed in the RFC by their type:

 

RFC-1918 Private Addresses

                         +----------------------+
                         | Zone                 |
                         +----------------------+
                         | 10.IN-ADDR.ARPA      |
                         | 16.172.IN-ADDR.ARPA  |
                         | 17.172.IN-ADDR.ARPA  |
                         | 18.172.IN-ADDR.ARPA  |
                         | 19.172.IN-ADDR.ARPA  |
                         | 20.172.IN-ADDR.ARPA  |
                         | 21.172.IN-ADDR.ARPA  |
                         | 22.172.IN-ADDR.ARPA  |
                         | 23.172.IN-ADDR.ARPA  |
                         | 24.172.IN-ADDR.ARPA  |
                         | 25.172.IN-ADDR.ARPA  |
                         | 26.172.IN-ADDR.ARPA  |
                         | 27.172.IN-ADDR.ARPA  |
                         | 28.172.IN-ADDR.ARPA  |
                         | 29.172.IN-ADDR.ARPA  |
                         | 30.172.IN-ADDR.ARPA  |
                         | 31.172.IN-ADDR.ARPA  |
                         | 168.192.IN-ADDR.ARPA |
                         +----------------------+

 RFC-5735 and RFC-5737 Zones

         +------------------------------+-----------------------+
         | Zone                         | Description           |
         +------------------------------+-----------------------+
         | 0.IN-ADDR.ARPA               | IPv4 "THIS" NETWORK   |
         | 127.IN-ADDR.ARPA             | IPv4 Loopback NETWORK |
         | 254.169.IN-ADDR.ARPA         | IPv4 LINK LOCAL       |
         | 2.0.192.IN-ADDR.ARPA         | IPv4 TEST-NET-1       |
         | 100.51.198.IN-ADDR.ARPA      | IPv4 TEST-NET-2       |
         | 113.0.203.IN-ADDR.ARPA       | IPv4 TEST-NET-3       |
         | 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST        |
         +------------------------------+-----------------------+

Local IPv6 Unicast Addresses

               +-------------------------------------------+
               | Zone                                      |
               +-------------------------------------------+
               | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
               |     0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA      |
               | 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
               |     0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA      |
               +-------------------------------------------+

IPv6 Locally-Assigned Local Addresses

                             +--------------+
                             | Zone         |
                             +--------------+
                             | D.F.IP6.ARPA |
                             +--------------+

IPv6 Link-Local Addresses

                            +----------------+
                            | Zone           |
                            +----------------+
                            | 8.E.F.IP6.ARPA |
                            | 9.E.F.IP6.ARPA |
                            | A.E.F.IP6.ARPA |
                            | B.E.F.IP6.ARPA |
                            +----------------+

IPv6 Example Prefix

                       +--------------------------+
                       | Zone                     |
                       +--------------------------+
                       | 8.B.D.0.1.0.0.2.IP6.ARPA |
                       +--------------------------+

 

Re: How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?

Guru
Posts: 58
6996     0

Thank you RossG.

Showing results for 
Search instead for 
Did you mean: 

Recommended for You