How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?
06-18-2019 06:54 PM
Hi;
Let's say an internal server needs to do a reverse lookup query against the IP address 192.168.1.2. Does the Infoblox recursive lookup server prevent the iterative lookup of the IP address 192.168.1.2 through the root DNS server?
I believe this is part of BIND, but thought I would check.
Kindly
Wasfi
Re: How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?
07-16-2019 10:31 AM - edited 07-19-2019 05:59 AM
A DNS server would only prevent the query from going further if there is an authoritative reverse zone for that address space (in your example it would be 168.192.in-addr.arpa.). RFC-6303 lists the authoritative reverse zones that should exist on a server to prevent leakage of queries to the Internet for network spaces that should not be present there:
https://tools.ietf.org/html/rfc6303
Here are the reverses listed in the RFC by their type:
RFC-1918 Private Addresses
+----------------------+
| Zone                 |
+----------------------+
| 10.IN-ADDR.ARPA      |
| 16.172.IN-ADDR.ARPA  |
| 17.172.IN-ADDR.ARPA  |
| 18.172.IN-ADDR.ARPA  |
| 19.172.IN-ADDR.ARPA  |
| 20.172.IN-ADDR.ARPA  |
| 21.172.IN-ADDR.ARPA  |
| 22.172.IN-ADDR.ARPA  |
| 23.172.IN-ADDR.ARPA  |
| 24.172.IN-ADDR.ARPA  |
| 25.172.IN-ADDR.ARPA  |
| 26.172.IN-ADDR.ARPA  |
| 27.172.IN-ADDR.ARPA  |
| 28.172.IN-ADDR.ARPA  |
| 29.172.IN-ADDR.ARPA  |
| 30.172.IN-ADDR.ARPA  |
| 31.172.IN-ADDR.ARPA  |
| 168.192.IN-ADDR.ARPA |
+----------------------+
RFC-5735 and RFC-5737 Zones
+------------------------------+-----------------------+
| Zone                         | Description           |
+------------------------------+-----------------------+
| 0.IN-ADDR.ARPA               | IPv4 "THIS" NETWORK   |
| 127.IN-ADDR.ARPA             | IPv4 Loopback NETWORK |
| 254.169.IN-ADDR.ARPA         | IPv4 LINK LOCAL       |
| 2.0.192.IN-ADDR.ARPA         | IPv4 TEST-NET-1       |
| 100.51.198.IN-ADDR.ARPA      | IPv4 TEST-NET-2       |
| 113.0.203.IN-ADDR.ARPA       | IPv4 TEST-NET-3       |
| 255.255.255.255.IN-ADDR.ARPA | IPv4 BROADCAST        |
+------------------------------+-----------------------+
Local IPv6 Unicast Addresses
+-------------------------------------------+
| Zone                                      |
+-------------------------------------------+
| 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
|     0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA      |
| 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\ |
|     0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA      |
+-------------------------------------------+
IPv6 Locally-Assigned Local Addresses
+--------------+
| Zone         |
+--------------+
| D.F.IP6.ARPA |
+--------------+
IPv6 Link-Local Addresses
+----------------+
| Zone           |
+----------------+
| 8.E.F.IP6.ARPA |
| 9.E.F.IP6.ARPA |
| A.E.F.IP6.ARPA |
| B.E.F.IP6.ARPA |
+----------------+
IPv6 Example Prefix
+--------------------------+
| Zone                     |
+--------------------------+
| 8.B.D.0.1.0.0.2.IP6.ARPA |
+--------------------------+
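Added example (not part of the original posts and not Infoblox code): a Python check that turns addresses into PTR query names and reports which of them fall inside the RFC 6303 zones listed above without being covered by a zone the local server is authoritative for. The `served` zone list and the sample addresses are constructed for illustration.

```python
import ipaddress

# Zones from the RFC 6303 tables quoted in the post above, lower-cased.
RFC6303_ZONES = (
    ["10.in-addr.arpa", "168.192.in-addr.arpa"]
    + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]
    + ["0.in-addr.arpa", "127.in-addr.arpa", "254.169.in-addr.arpa",
       "2.0.192.in-addr.arpa", "100.51.198.in-addr.arpa",
       "113.0.203.in-addr.arpa", "255.255.255.255.in-addr.arpa",
       "0." * 32 + "ip6.arpa", "1." + "0." * 31 + "ip6.arpa",
       "d.f.ip6.arpa", "8.e.f.ip6.arpa", "9.e.f.ip6.arpa",
       "a.e.f.ip6.arpa", "b.e.f.ip6.arpa", "8.b.d.0.1.0.0.2.ip6.arpa"]
)


def _norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def reverse_name(ip):
    """PTR query name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def covering_zone(qname, zones=RFC6303_ZONES):
    """Longest zone in `zones` containing qname (label-boundary match), or None."""
    q = _norm(qname)
    hits = [_norm(z) for z in zones
            if q == _norm(z) or q.endswith("." + _norm(z))]
    return max(hits, key=len, default=None)


def leaking(qnames, served_zones):
    """Names inside an RFC 6303 zone that no locally served zone covers."""
    return [q for q in qnames
            if covering_zone(q) and not covering_zone(q, served_zones)]


if __name__ == "__main__":
    # Constructed sample: the server is authoritative for a single /24 only.
    served = ["1.168.192.in-addr.arpa"]
    queries = [reverse_name(a) for a in
               ("192.168.1.2", "192.168.2.5", "10.0.0.7", "8.8.8.8", "fe80::1")]
    for q in leaking(queries, served):
        print("no local authoritative zone covers:", q)
```

With only `1.168.192.in-addr.arpa` served, the lookup for 192.168.1.2 is answered locally, while 192.168.2.5, 10.0.0.7 and fe80::1 are reported because nothing local covers them.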
Re: How can we prevent reverse DNS queries against RFC 1918 "private" IP addresses?
07-18-2019 07:08 AM
Thank you RossG.