RFC1918/prisoner.iana.org address lookup



  • Is there any way to configure DNS to block or return nxdomain for reverse lookups of RFC1918 addresses?  Currently reverse lookups for inside addresses leak out to the internet and get an nxdomain from prisoner.iana.org.


  • Rebel Alliance Global Moderator

    So you want to return NX for all the privates, even the ones your not running locally.

    So I see what you mean if I do a query for 10.10.10.10 ptr with a trace, I see asking the roots, etc.

    dig -x 10.10.10.10 +trace

    in-addr.arpa.           172800  IN      NS      a.in-addr-servers.arpa.
    in-addr.arpa.           172800  IN      NS      b.in-addr-servers.arpa.
    in-addr.arpa.           172800  IN      NS      c.in-addr-servers.arpa.
    in-addr.arpa.           172800  IN      NS      d.in-addr-servers.arpa.
    in-addr.arpa.           172800  IN      NS      e.in-addr-servers.arpa.
    in-addr.arpa.           172800  IN      NS      f.in-addr-servers.arpa.
    ;; Received 418 bytes from 2001:7fd::1#53(2001:7fd::1) in 4836 ms

    10.in-addr.arpa.        86400   IN      NS      blackhole-1.iana.org.
    10.in-addr.arpa.        86400   IN      NS      blackhole-2.iana.org.
    ;; Received 102 bytes from 193.0.9.1#53(193.0.9.1) in 477 ms

    10.in-addr.arpa.        300     IN      SOA     prisoner.iana.org. hostmaster.root-servers.org. 2002040800 1800
    ;; Received 119 bytes from 192.175.48.6#53(192.175.48.6) in 35 ms

    But why would boxes on your network be generating queries for private IPs that your not using locally?

    Just setup ptr zones for your networks and you should be fine - but sure if your worried about them being forwarded, just create zones for those locally and return whatever you want for them.

    But you know for example unbound does this by default..  Unless you over ride it… My trace is bad example because its a TRACE..  if you just do a normal query for a private ip you do not use

    <<>> DiG 9.8.1 <<>> -x 172.17.1.1
    ; global options: +cmd
    ; Got answer:
    ; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55990
    ; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ; QUESTION SECTION:
    1.1.17.172.in-addr.arpa.      IN      PTR

    ; AUTHORITY SECTION:
    7.172.in-addr.arpa.    10800  IN      SOA    localhost. nobody.invalid. 1 3600 1200 604800 10800

    ; Query time: 2 msec
    ; SERVER: 192.168.1.253#53(192.168.1.253)
    ; WHEN: Sun Nov 13 11:12:14 2011
    ; MSG SIZE  rcvd: 100

    ; <<>> DiG 9.8.1 <<>> -x 10.17.1.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48387
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;1.1.17.10.in-addr.arpa.                IN      PTR

    ;; AUTHORITY SECTION:
    10.in-addr.arpa.        10800  IN      SOA    localhost. nobody.invalid. 1 3600 1200 604800 10800

    ;; Query time: 3 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Sun Nov 13 11:13:38 2011
    ;; MSG SIZE  rcvd: 99

    ; <<>> DiG 9.8.1 <<>> -x 169.254.1.23
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51974
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;23.1.254.169.in-addr.arpa.    IN      PTR

    ;; AUTHORITY SECTION:
    254.169.in-addr.arpa.  10800  IN      SOA    localhost. nobody.invalid. 1 3600 1200 604800 10800

    ;; Query time: 2 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Sun Nov 13 11:13:51 2011
    ;; MSG SIZE  rcvd: 102

    etc.... etc.. etc....



  • I would potentially have reverse lookups generated for a local machine that does not have an A record or DHCP lease in my router (e.g. if I SSH from a statically assigned machine and haven't created a forward record for it) and these requests would make it out to the internet.  Best practice for DNS is to keep those from reaching prisoner.

    I apologize for my ignorance, but I don't follow the comment re: unbound.  If I do a dig against my firewall, it gives a prisoner.iana.org response.  I believe that pfSense uses dnsmasq by default, is there a (supported) means to use unbound or otherwise create the zones for 10.inaddr.arpa, 172.16.inaddr.arpa, etc. in an authoritative fashin using dnsmasq?

    Thanks,
    Shawn



  • For the DNS forwarder (dnsmasq), you can just add "bogus-priv" to the Advanced box. "Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc) which are not found in /etc/hosts or the DHCP leases file are answered with "no such domain" rather than being forwarded upstream."


  • Rebel Alliance Global Moderator

    my bad, with unbound being available I sometimes forget that not everyone runs it.. for the life of me I don't know why ;)  But I guess not everyone likes to run a fully configurable dns resolver ;) heheh

    I do believe sometime down the road unbound will be integrated – but until then yup you can do what cmb suggests.  I would think that prob be the default config?

    Or you can install the unbound package ;)


Locked