Brian Dickson <[email protected]> wrote:
>
> However, there's also another clever trick (for some value of $clever),
> which isn't iron-clad but could help:
>
> guidspace.arpa DNAME empty.as112.arpa

That's worse than leaving it unregistered :-)

AS112 is OK for RFC 1918 reverse DNS because in that case the QNAMEs don't contain much information, but that isn't true for the forward DNS.

Most of the privacy leak is to the hotspot network's resolvers (and their passive DNS partners); if the domain is registered then the resolver will send QNAMEs to its nameservers; if the domain points at AS112 then almost anyone might receive the QNAME leakage; if the domain is unregistered and the resolver does qmin then there's less leakage.

This is really a general issue with split horizon DNS: whoever is assigning or giving advice about local/internal DNS needs to make it clear that the names aren't private and will leak.

Tony.
--
f.anthony.n.finch <[email protected]> http://dotat.at/
Viking: Variable 3 or 4, becoming cyclonic 5 to 7, occasionally gale 8 later. Rough, becoming very rough later. Rain at times. Moderate or good, occasionally poor.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
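
An added example, not part of the original message: a simplified Python model of which QNAMEs the upstream authoritative servers see for a name under guidspace.arpa, comparing the unregistered and registered cases with and without QNAME minimisation (qmin). The host name, the function names and the modelling assumptions (cold cache, one label revealed per step, stop at the first NXDOMAIN) are constructed for illustration; the AS112 DNAME case is not modelled.

```python
# Simplified model (assumptions): cold cache, QNAME minimisation reveals one
# more label per query, and the resolver stops at the first NXDOMAIN.

def labels_below(qname, zone):
    """Labels of qname that sit below zone, leftmost first."""
    q = qname.rstrip(".").split(".")
    z = [label for label in zone.rstrip(".").split(".") if label]
    if q[len(q) - len(z):] != z:
        raise ValueError(f"{qname} is not inside {zone}")
    return q[:len(q) - len(z)]

def upstream_view(qname, zones, qmin, name_exists=False):
    """Return [(zone_whose_servers_are_asked, qname_sent)], root first.

    zones lists the zones that exist on the path, e.g. [".", "arpa."].
    name_exists=False means the deepest zone answers NXDOMAIN for anything
    below its apex (a local-only name that was never published).
    """
    seen = []
    for i, zone in enumerate(zones):
        if not qmin:
            seen.append((zone, qname))  # classic resolver: full name everywhere
            continue
        child = zones[i + 1] if i + 1 < len(zones) else None
        below = labels_below(qname, zone)
        suffix = "" if zone == "." else zone
        for n in range(1, len(below) + 1):
            sent = ".".join(below[-n:]) + "." + suffix
            seen.append((zone, sent))
            if sent == child:                      # referral to the next zone
                break
            if child is None and not name_exists:  # NXDOMAIN: stop asking
                break
    return seen

# Constructed host name under the domain discussed in the thread.
QNAME = "printer.0123abcd.guidspace.arpa."
UNREGISTERED = [".", "arpa."]
REGISTERED = [".", "arpa.", "guidspace.arpa."]

if __name__ == "__main__":
    for label, zones in (("unregistered", UNREGISTERED), ("registered", REGISTERED)):
        for qmin in (False, True):
            print(label, "qmin" if qmin else "no-qmin")
            for zone, sent in upstream_view(QNAME, zones, qmin):
                print(f"  servers for {zone:<16} see {sent}")
```

The model covers only what leaves the resolver; the resolver itself receives the full QNAME from the client in every case.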
