DNS and private rfc1918 addresses

Discussion in 'Broadband' started by Chris Davies, Jan 12, 2015.

  1. Davern Guest

    I'm sorry that you find RFC1918 annoying.
    Davern, Jan 14, 2015

  2. I doubt we went out of our way. I reckon PowerDNS probably just defaults
    to this behaviour.
    Plusnet Support Team, Jan 15, 2015

  3. Chris Davies Guest

    Huh? I don't think anyone's said that RFC1918 is annoying. Routing
    RFC1918 networks is bad (we all agree on that). Blocking DNS queries
    that result in RFC1918 address space is annoying.

    Chris Davies, Jan 15, 2015
  4. Lots of security fun.

    For instance, suppose I know that there's a webserver at MegaBank at a given
    intranet address, let's say

    I set up a DNS record cheezburger.example.com to point to
    I set up another kitteh.example.com that points to my internet-visible

    I send an employee of the bank a mail that says 'free kitteh' and tell them
    to click on:

    kitteh.example.com has some Javascript that:
    Makes a request to cheezburger.example.com to do something (eg request
    customer security details) and writes that in white text on the page
    Reads the text of the page back
    Posts the results back to kitteh.example.com

    At no time has anything other than *.example.com DNS names been used, and
    there's no way for the browser to spot anything amiss.

    I'm sure you can think of better XSS attacks than that, but the main idea is
    having different meanings for an IP address depending on where you are is
    one that conflicts dangerously with a DNS where you think
    name->number->destination mappings are constants.

    Theo Markettos, Jan 15, 2015
  5. Chris Davies Guest

    Yep. Exactly.

    I'd rather have a DNS service that worked as I would expect. Then none
    of these workarounds would be required.

    Chris Davies, Jan 15, 2015
  6. Chris Davies Guest

    Colleague within the same organisation.
    Chris Davies, Jan 15, 2015
  7. Graham J Guest

    Provide a Terminal Server, get the user to VPN into that, login with
    appropriate credentials; then view the intranet page.

    The VPN is not actually necessary, but it does give extra security.

    Did you get anywhere with closing the browser to flush its DNS cache?
    Graham J, Jan 15, 2015
  8. Graham J Guest

    The OP has already explained why this does not work.

    The primary problem is that the browser caches the incorrect addresses
    when the user forgets to start the VPN and tries to open the browser on
    the intranet site. The browser uses these cached addresses rather than
    referring to DNS.
    Graham J, Jan 15, 2015
  9. Davern Guest

    This discussion seems to have travelled a full circle.

    Your original post asked for a definitive reference which permits a DNS
    proxy run by an ISP to ignore searches that result in an RFC1918 private
    IP address.

    I replied with a quote from RFC1918 itself which states that references
    to private IP addresses should not be propagated outside of their own
    private network, and that ISPs in particular should take steps to
    prevent such leakage. The RFC specifically mentions DNS Resource
    Records as an example of references that should not be disseminated.
    You appeared to accept that.

    Now you are saying that blocking DNS queries which result in a private
    IP address is annoying. Whether or not that is annoying, it is a
    fundamental principle which underlies the use of private IP addresses as
    set out fully in the RFC. If you want your ISP to override that
    principle, perhaps you should first take the matter up with the IETF but
    I am not in a position to help you any more.
    Davern, Jan 16, 2015
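The resolver-side check that posts 4 and 9 above are arguing about, as an added example written for this thread (not code from any participant, and not PowerDNS's own implementation): a filter that drops A/AAAA answer records whose address falls inside RFC1918 space, so a public name an attacker has pointed at an intranet address never reaches the client. The names and addresses in the sample answer section are constructed for illustration (10.0.0.5 stands in for the bank's intranet address; 203.0.113.10 and 2001:db8::10 are from the documentation ranges); they are assumptions, not values from the thread.

```python
import ipaddress
from typing import Iterable, List, Tuple

# The three RFC1918 private IPv4 blocks, the only ranges the thread discusses.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# A DNS answer record reduced to what the filter needs: (owner, rtype, rdata).
Record = Tuple[str, str, str]


def is_rfc1918(rdata: str) -> bool:
    """True if rdata is an address inside an RFC1918 block.

    IPv4-mapped IPv6 addresses (::ffff:10.0.0.5) are unwrapped first, so an
    AAAA record cannot be used to smuggle a private IPv4 address past the check.
    """
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False  # not an address at all (CNAME target, TXT text, ...)
    if addr.version == 6:
        mapped = addr.ipv4_mapped
        if mapped is None:
            return False  # RFC1918 defines IPv4 ranges only
        addr = mapped
    return any(addr in net for net in RFC1918_NETS)


def filter_answers(answers: Iterable[Record]) -> Tuple[List[Record], List[Record]]:
    """Split an answer section into records to forward and records to drop.

    Only address records (A/AAAA) resolving into RFC1918 space are dropped;
    public addresses, CNAMEs and other types pass through unchanged.
    """
    kept: List[Record] = []
    dropped: List[Record] = []
    for rec in answers:
        _name, rtype, rdata = rec
        if rtype in ("A", "AAAA") and is_rfc1918(rdata):
            dropped.append(rec)
        else:
            kept.append(rec)
    return kept, dropped


# Constructed sample answer section modelling the scenario in post 4: a public
# name pointed at a private intranet address next to a public name pointed at
# the attacker's Internet-visible host. Values are illustrative assumptions.
SAMPLE_ANSWERS: List[Record] = [
    ("cheezburger.example.com.", "A", "10.0.0.5"),
    ("kitteh.example.com.", "A", "203.0.113.10"),
    ("kitteh.example.com.", "AAAA", "2001:db8::10"),
    ("www.example.com.", "CNAME", "kitteh.example.com."),
]

if __name__ == "__main__":
    forwarded, rejected = filter_answers(SAMPLE_ANSWERS)
    for rec in rejected:
        print("dropped (RFC1918):", rec)
    for rec in forwarded:
        print("forwarded:        ", rec)
```

This is the behaviour the ISP resolver in the thread exhibits, and it belongs on a resolver that serves clients outside the private network: an internal resolver that answered intranet names would obviously have to leave these records alone. Note that it does nothing about the browser-cache problem discussed in posts 7 and 8, since a cached address is never re-queried.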
  10. Chris Davies Guest

    Mmm. Won't this scenario be equally valid were I to substitute an Internet
    routable address for If so, I'm sorry to say that I don't see
    the relevance.

    Also, it would fail disappointingly if the server relied on
    virtual hostnames, which perhaps is a good reason to use them even with
    only the one website running on the server. (Goes off to ponder further.)

    Chris Davies, Jan 16, 2015
  11. Roger Guest

    Why not substitute their VPN icon for one that runs a batch file before
    opening the VPN client and get the batch file to run ipconfig /flushdns.
    That's all I do myself manually when in this situation. If you keep the
    same icon picture the users probably won't even notice that something has
    Roger, Jan 17, 2015
  12. It will still work, but the point is that global IPs are intended to be
    accessible by anyone, while 10.*.*.* may be behind the firewall and have
    private sites with some assumption of 'protection'. This is a means to
    exfiltrate that data.

    It's not a particularly good example, but I'm sure there are others. The
    underlying flaw is in assuming that private IPs have different security
    properties, and that the firewall alone is a sufficient protection.
    I can't remember what the webserver will do if you ask for a site by number
    when there is no default vhost configured, but you could probably set one up
    saying 'go away!' if needs be.

    Theo Markettos, Jan 17, 2015
  13. Phil W Lee Guest

    It would be a sod to trace a private address after it (or the dodgy
    DNS record pointing to it) had been deleted.
    Which would fulfil one desire of the miscreant in that it would make
    it very difficult, if not impossible, to catch them - at least by that
    Phil W Lee, Jan 18, 2015
  14. Toby Guest

    Could you set your intranet.example.org to route to a public web server
    as far as the Internet's DNS is concerned, and have that web server
    simply send a redirect to
    Toby, Jan 21, 2015
  15. Andy Burns Guest

    You could, but I doubt [m]any email clients implement RFC2192 and it
    doesn't seem to have a redirect mechanism ...
    Andy Burns, Jan 22, 2015
