---Reply to mail from James Smith about read-rfc1918-for-details.iana.net

> OK you got me, I wrote the original one, and I run an NT network with
> Service Pack 4.
> 
> I have NO internal DNS - is that so strange for a small company with 50
> machines? 
> 
> So my DNS is not leaking. I believe quite a few commercial packages -
> WinGate for one - recommend you use 192.168.x.x on 2 to 8+ machines with
> [obviously] no internal DNS.
> 
> Shouldn't NT query WINS first for a reverse lookup? That would solve a lot
> of problems wouldn't it? For us and IANA!
> 
Doesn't WINS try a DNS query if the WINS (port 137 UDP) query fails?  That is
what it does on my boxes (and it tries WINS first even if I selected
'disable WINS resolution', but hey)..


> From RFC 1918:
>     [Indirect references to such addresses should be contained within
> the enterprise. Prominent examples of such references are DNS Resource
> Records and other information referring to internal private addresses. In
> particular, Internet service providers should take measures to prevent such
> leakage. ]
> 
> HOW? By stopping all reverse DNS lookups? Not practical, is it? 
> 
> So RFC 1918 should require you to have a DNS server? This makes it a lot more
> difficult for small companies to implement 1918 addresses; couldn't DNS
> servers just 'ignore' these? If I set up a machine with no DNS entries in
> TCP/IP and a fixed [1918] address, ping -a resolves names just fine, from
> WINS I presume.
> 

RFC 1918 addresses are not routable back to the small business, so if they
are using them, then they MUST have a proxy server or some NAT device..

If it's a proxy server, none of those machines need to do DNS, only the proxy
server does, because they simply refer the URL, hostname and all off to
the proxy server (in all the implementations I have seen)..

If it's a NAT box, then they may not have a DNS server, nor a need for one,
but that makes me question the design of the network in the first place if
stuff is breaking (i.e. why are they relying on external data which is
causing stuff to break)..

In either case, either the use of LMHOSTS or /etc/hosts, or not having lookups
fail (i.e. keeping current, up-to-date lists of IPs/hosts), should prevent
those small companies from having to have a DNS server..  I can't think of
a system right now that doesn't have the ability to turn off network
lookups, and I don't know of a system where you MUST enter a DNS server; if
it doesn't have one entered, it will fail on lookups. If the lookups were
going out over the Internet then they would fail (or get iana.net names)
anyway, so this won't affect anything in this way.

There may be an instance where you need to resolve Internet addresses, and you use
RFC 1918 addresses, and you can't define the RFC 1918 addresses locally, but those
should be the exception rather than the rule..



> I guess it would do the same if it received no response from DNS (like it
> always did?).
> 
> Or would the best fix for all be: 
> 
> TCP/IP (in MS NT Environment at least) should be patched to 
> query WINS first, if available, then, 
>         IF no response is received from WINS 
>                 IF and only if the address is NOT rfc1918
>                 query DNS, 
> (could it query the responder of a ping? I.e. the addressee?, the host?) 
> ELSE trash the query
> 
> That is all, Thanks
> 

Hmmm..  As stated earlier, my Windows boxes do query WINS first (even if
disabled; if disabled, the first query is WINS, and if that fails the future
ones are DNS only until I reboot; if enabled it does WINS first always)..

If it were to query the person sending the packet, that is opening a
whole new set of security problems, as well as potential administrative
problems..


-- 
Bret McDanel                                    http://www.rehost.com
Realistic Technologies, Inc.                             973-514-1144

     These opinions are mine, and may not be the same as my employer
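The resolver policy the thread argues over (answer RFC 1918 reverse lookups from a local LMHOSTS / hosts-style table, and never forward them to the Internet) as an added example, not code from either poster. It is Python; the hosts table, the log lines and the `.example.internal` names are constructed for the demonstration.

```python
import ipaddress

# The three private ranges defined in RFC 1918.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def ptr_name_to_ipv4(qname):
    """Turn a reverse-lookup name like '5.1.168.192.in-addr.arpa' back into
    the IPv4 address it asks about; None if it is not an IPv4 PTR name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918_NETS)


def resolve_ptr(qname, local_hosts):
    """Policy: RFC 1918 reverse lookups are answered from the local table
    or dropped; they are never forwarded upstream. Everything else is
    forwarded. Returns (action, answer) with action in
    {'local', 'drop', 'forward'}."""
    addr = ptr_name_to_ipv4(qname)
    if addr is None or not is_rfc1918(addr):
        return ("forward", None)
    name = local_hosts.get(str(addr))
    return ("local", name) if name is not None else ("drop", None)


# Constructed local table, standing in for LMHOSTS or /etc/hosts.
SAMPLE_HOSTS = {"192.168.1.5": "fileserver.example.internal"}


def find_leaks(log_lines, local_hosts=SAMPLE_HOSTS):
    """Audit constructed forwarder log lines of the form 'client qname' and
    return the (client, qname) pairs that a naive resolver would have sent
    to the Internet: RFC 1918 PTR queries with no local answer."""
    leaks = []
    for line in log_lines:
        client, qname = line.split()
        if resolve_ptr(qname, local_hosts)[0] == "drop":
            leaks.append((client, qname))
    return leaks
```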

