Re: [Full-Disclosure] Re: rfc1918 space dns requests
To: martin f krafft <firstname.lastname@example.org> Date: Tue, 16 Mar 2004 16:15:27 -0500
On Tue, 16 Mar 2004 20:44:56 +0100, martin f krafft <email@example.com> said:
> also sprach Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> [2004.03.16.1=
> 812 +0100]:
> > 2) We've got applications making DNS requests that get forwarded
> > out to the ISP's servers, where they will almost certainly result
> > in either an error reply or a timeout Find ways to use this to
> > your advantage.
> I would be interested in how you do that.
The obvious is that the usual DNS spoofing hacks often only have a
few milliseconds for you to stick in a bogus packet before the real DNS
answers - here you have entire seconds to play with.
> For ease of maintenance, I have my primary DNS respond with RFC 1918
> addresses for my internal machines. That is, my internal machines
> are resolved by a primary DNS server out there on the 'Net, e.g.
> sky.madduck.net. I fail to see how this can be a security problem.
I know you well enough to know that you almost certainly Got It Right.
> I agree that RFC 1918 slipping out by accident could be an
> indication of problems in the network, drawing hackers attention
> rightfully so.
For every one of you, there's probably hundreds of these Getting It Wrong.
Bet there's a bunch over at the Dept of the Interior. :)
Full-Disclosure - We believe in it.
- application/pgp-signature attachment: stored