On Fri, Feb 16, 2007 at 07:18:35PM +0000, Paul Vixie wrote:
> there is an rfc1918 address for this nameserver. there's no way for me to
> be sure that it's the same 10.20.2.102 that i would reach if i tried, yet
> there's no way to be sure that it's not the same, either. granted that the
> best thing is if the address would not be published outside the connectivity
> realm where that address works, what should i as the recipient do if it's
> published by mistake? (and what of 127/8, 0/8, 169.254/16, et al?)
The PowerDNS recursor has recently gained support for the "dont-query"
setting:
The DNS is a public database, but sometimes contains delegations to private
IP addresses, like for example 127.0.0.1. This can have odd effects,
depending on your network, and may even be a security risk. Therefore, since
version 3.1.5, the PowerDNS recursor by default does not query private space
IP addresses. This setting can be used to expand or reduce the limitations.
It defaults to blocking RFC1918 addresses.
arg().set("dont-query", "If set, do not query these netmasks for DNS
data")="127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128,
fe80::/10";
This has solved several odd situations with misconfigured domains listing
10.0.0.1 and 127.0.0.1 as some of their nameservers.
People tell us they perceive our dont-query flag to be an improvement.
Dont-query is part of 3.1.5, which is not yet released, but snapshots are in
use at various very large places.
Bert
--
http://www.PowerDNS.com Open source, database driven DNS Software
http://netherlabs.nl Open and Closed source services
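As an added illustration, not code from PowerDNS or from Bert's message, here is a small Python model of what a dont-query filter does: parse the netmask list quoted above, then split a delegation's nameserver addresses into those a recursor may query and those it must drop. The EXPANDED_DONT_QUERY list (adding 0/8 and 169.254/16, the ranges Paul asked about) and the sample delegation are constructed for this example and are not PowerDNS defaults; treating an unparseable address as blocked is likewise this example's own choice.

```python
import ipaddress

# Default dont-query list, copied from the arg().set() line quoted above.
POWERDNS_DONT_QUERY_DEFAULT = (
    "127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fe80::/10"
)

# Expanded list covering the ranges Paul asked about (0/8, 169.254/16).
# Illustrative assumption for this example, not a PowerDNS default.
EXPANDED_DONT_QUERY = POWERDNS_DONT_QUERY_DEFAULT + ", 0.0.0.0/8, 169.254.0.0/16"


def parse_dont_query(setting):
    """Turn a comma-separated netmask string into a list of ip_network objects."""
    nets = []
    for item in setting.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_blocked(address, nets):
    """True if the address lies inside any dont-query netmask of the same family."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in nets if net.version == addr.version)


def filter_nameservers(ns_addresses, nets):
    """Split a delegation's NS addresses into (queryable, blocked).

    An address that does not parse is treated as blocked (this example's
    choice): a recursor should not send a query to something it cannot
    even interpret.
    """
    queryable, blocked = [], []
    for address in ns_addresses:
        try:
            hit = is_blocked(address, nets)
        except ValueError:
            hit = True
        (blocked if hit else queryable).append(address)
    return queryable, blocked


# Constructed sample delegation: the 10.20.2.102 from Paul's message plus
# documentation/test addresses (192.0.2.0/24, 2001:db8::/32) and two
# addresses in ranges outside the default list.
SAMPLE_NS = [
    "10.20.2.102",
    "127.0.0.1",
    "192.0.2.53",
    "2001:db8::53",
    "fe80::1",
    "169.254.1.1",
]

if __name__ == "__main__":
    default_nets = parse_dont_query(POWERDNS_DONT_QUERY_DEFAULT)
    ok, dropped = filter_nameservers(SAMPLE_NS, default_nets)
    print("default  queryable:", ok)
    print("default  blocked:  ", dropped)

    expanded_nets = parse_dont_query(EXPANDED_DONT_QUERY)
    ok, dropped = filter_nameservers(SAMPLE_NS, expanded_nets)
    print("expanded queryable:", ok)
    print("expanded blocked:  ", dropped)
```

With the default list, 169.254.1.1 is still queried; only the expanded list drops it, which is the "expand or reduce" knob the quoted documentation refers to.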
_______________________________________________
DNSOP mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dnsop