THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

NIOS DNS DHCP IPAM

Reply

How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?
WBounni
Guru
Posts: 58

‎06-18-2019 06:54 PM

8177     0

Hi;

 

Let's say an internal server needs to do a reverse lookup query against the IP address 192.168.1.2. Does the Infoblox recursive lookup server prevent the iterative lookup of the IP address 192.168.1.2 through the root DNS server?

 

I believe this is part of Bind, but though I would check.

 

 

 

Kindly

Wasfi

Labels:
Reply
0 Kudos

Re: How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?

[ Edited ]
RossGibson
Authority
Posts: 24

‎07-16-2019 10:31 AM - edited ‎07-19-2019 05:59 AM

8178     0

A DNS server would only prevent the query from going further if there is an authoritative reverse zone for that address space (in your example it would be 168.192.in-addr.arpa.).  RFC-6303 lists the authoritative reverse zones that should exist on a server to prevent leakage of queries to the Internet for network spaces that should not be present there:

 

https://tools.ietf.org/html/rfc6303

 

Here are the reverses listed in the RFC by their type:

 

RFC-1918 Private Addresses

                         +----------------------+
                         | Zone                 |
                         +----------------------+
                         | 10.IN-ADDR.ARPA      |
                         | 16.172.IN-ADDR.ARPA  |
                         | 17.172.IN-ADDR.ARPA  |
                         | 18.172.IN-ADDR.ARPA  |
                         | 19.172.IN-ADDR.ARPA  |
                         | 20.172.IN-ADDR.ARPA  |
                         | 21.172.IN-ADDR.ARPA  |
                         | 22.172.IN-ADDR.ARPA  |
                         | 23.172.IN-ADDR.ARPA  |
                         | 24.172.IN-ADDR.ARPA  |
                         | 25.172.IN-ADDR.ARPA  |
                         | 26.172.IN-ADDR.ARPA  |
                         | 27.172.IN-ADDR.ARPA  |
                         | 28.172.IN-ADDR.ARPA  |
                         | 29.172.IN-ADDR.ARPA  |
                         | 30.172.IN-ADDR.ARPA  |
                         | 31.172.IN-ADDR.ARPA  |
                         | 168.192.IN-ADDR.ARPA |
                         +----------------------+

 RFC-5735 and RFC-5737 Zones

         +------------------------------+-----------------------+
         | Zone                         | Description           |
         +------------------------------+-----------------------+
         | 0.IN-ADDR.ARPA               | IPv4 "THIS" NETWORK   |
         | 127.IN-ADDR.ARPA             | IPv4 Loopback NETWORK |
         | 254.169.IN-ADDR.ARPA         | IPv4 LINK LOCAL       |
         | 2.0.192.IN-ADDR.ARPA         | IPv4 TEST-NET-1       |
         | 100.51.198.IN-ADDR.ARPA      | IPv4 TEST-NET-2       |
         | 113.0.203.IN-ADDR.ARPA       | IPv4 TEST-NET-3       |
         | 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST        |
         +------------------------------+-----------------------+

Local IPv6 Unicast Addresses

               +-------------------------------------------+
               | Zone                                      |
               +-------------------------------------------+
               | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
               |     0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA      |
               | 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
               |     0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA      |
               +-------------------------------------------+

IPv6 Locally-Assigned Local Addresses

                             +--------------+
                             | Zone         |
                             +--------------+
                             | D.F.IP6.ARPA |
                             +--------------+

IPv6 Link-Local Addresses

                            +----------------+
                            | Zone           |
                            +----------------+
                            | 8.E.F.IP6.ARPA |
                            | 9.E.F.IP6.ARPA |
                            | A.E.F.IP6.ARPA |
                            | B.E.F.IP6.ARPA |
                            +----------------+

IPv6 Example Prefix

                       +--------------------------+
                       | Zone                     |
                       +--------------------------+
                       | 8.B.D.0.1.0.0.2.IP6.ARPA |
                       +--------------------------+

 

Reply

Re: How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?
WBounni
Guru
Posts: 58

‎07-18-2019 07:08 AM

8178     0

Thank you RossG.

Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements