
Some people will say no public DNS records should ever disclose private IP addresses... with the thinking being that you are giving potential attackers a leg up on some information that might be required to exploit private systems. Personally, I think that obfuscation is a poor form of security, especially when we are talking about IP addresses because in general they are easy to guess anyway, so I don't see this as a realistic security compromise. The bigger consideration here is making sure your public users don't pick up this DNS record as part of the normal public services of your hosted application, i.e. external DNS lookups somehow start resolving to an address they can't get to. Aside from that, I see no fundamental reason why putting private address A records into the public space is a problem... especially when you have no alternate DNS server to host them on. If you do decide to put this record into the public DNS space, you might consider creating a separate zone on the same server to hold all the "private" records. This will make it clearer that they are intended to be private... however, for just one A record, I probably wouldn't bother.

No, don't put your private IP addresses in the public DNS. Firstly, it leaks information, although that's a relatively minor problem. The worse problem, if your MX records point to that particular host entry, is that anyone that does try to send mail to it will at best get mail delivery timeouts. Depending on the sender's mail software they may get bounces. Even worse, if you're using RFC1918 address space (which you should, inside your network) and the sender is too, there's every chance that they'll try and deliver the mail to their own network instead:
1. network has internal mail server, but no split DNS.
2. admin therefore puts both public and internal IP addresses in the DNS.
3. someone seeing this might try to connect to 192.168.1.2.
4. best case, it bounces, because they've got no route.
5. but if they've also got a server using 192.168.1.2, the mail will go to the wrong place.
Yes, it's a broken configuration, but I've seen this (and worse) happen. No, it's not DNS's fault, it's just doing what it's told to.

Anyone attempting to contact your public DNS server will retrieve the private IP address from DNS, only to send a packet to. As their connection attempts to traverse the internet to your private address, some (sanely configured) router along the way will simply eat the packet alive. Most internet routers recognize it for what it is - a private address that must never be routed to the public internet in a direct fashion, which is what helped the popularity of NAT. If you want to get email from the "outside" to come "inside", at some point the packet has to cross your firewall. I would suggest setting up a DMZ address to handle this - a single public IP address that is tightly controlled by any router/firewall you have in place.
EDIT: clarification of intent. The existing setup you describe sounds like it does exactly that.

I arrived here as I was looking for similar information and was surprised that many say it's fine to leak your private IP addresses. I guess in terms of being hacked, it doesn't make a huge difference if you are on a safe network. However, DigitalOcean has had all local network traffic on the exact same cables, with everyone really having access to everyone else's traffic (probably doable with a Man in the Middle attack). If you just would get a computer in the same data center, having that information certainly gives you one step closer to hacking my traffic. (Now each client has its own reserved private network, like with other cloud services such as AWS.) That being said, with your own BIND9 service, you could easily define your public and private IPs. This is done using the view feature, which includes a conditional. The selection uses the match-clients. This allows you to query one DNS and get an answer about internal IPs only if you are asking from one of your own internal IP addresses. At that time, internet devices were rare. If this doesn't make sense, I'll vote to remove my own post.
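The audit below is an added example, not code from any of the answers above. It checks a zone file for the two problems the thread describes: A/AAAA records that carry RFC1918 (or IPv6 ULA) addresses in a public zone, and MX records whose target host resolves to such an address, which is the "mail goes to the sender's own 192.168.1.2" failure mode. The zone contents, the origin example.com. and the minimal zone-file parser are constructed for this example; it only understands simple one-record-per-line zone syntax.

```python
import ipaddress

# Address ranges that must never be reachable from the public internet:
# RFC 1918 IPv4 space plus IPv6 unique local addresses (RFC 4193).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",
)]

# Constructed sample zone: a public zone that leaks one internal host
# and, worse, points the domain's MX at it.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA  ns1 hostmaster 2024010101 3600 900 604800 300
@        IN NS   ns1
ns1      IN A    203.0.113.10
www      IN A    203.0.113.20
www      IN AAAA 2001:db8::20
mail     IN A    192.168.1.2      ; internal address leaked into the public zone
@        IN MX   10 mail
intranet IN A    10.0.5.7
"""


def is_private(addr: str) -> bool:
    """True if addr falls in RFC1918 or ULA space (v4/v6 mismatches are False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def qualify(name: str, origin: str) -> str:
    """Turn a relative owner/target name into a fully qualified one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str):
    """Minimal parser: 'owner [ttl] [IN] type rdata...' lines, ';' comments."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):      # skip blanks and directives
            continue
        parts = line.split()
        if parts[1].isdigit():                    # optional TTL
            del parts[1]
        if parts[1].upper() == "IN":              # optional class
            del parts[1]
        owner, rtype, rdata = qualify(parts[0], origin), parts[1].upper(), parts[2:]
        records.append((owner, rtype, rdata))
    return records


def audit_zone(text: str, origin: str):
    """Return findings as (kind, owner, detail) tuples."""
    records = parse_zone(text, origin)
    addresses = {}                                # owner -> [address, ...]
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addresses.setdefault(owner, []).append(rdata[0])

    findings = []
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA") and is_private(rdata[0]):
            findings.append(("private-address", owner, rdata[0]))
        elif rtype == "MX":
            target = qualify(rdata[-1], origin)   # rdata is [preference, host]
            for addr in addresses.get(target, []):
                if is_private(addr):
                    findings.append(("mx-to-private", owner, f"{target} -> {addr}"))
    return findings


if __name__ == "__main__":
    for kind, owner, detail in audit_zone(SAMPLE_ZONE, "example.com."):
        print(f"{kind:16} {owner:24} {detail}")
```

Run against a real zone, a "private-address" finding is the information leak the answers disagree about; an "mx-to-private" finding is the unambiguous misconfiguration, since remote senders will either time out or deliver to a host on their own network. The usual fix is the split-horizon setup mentioned in the thread (BIND views with match-clients), keeping the internal addresses in a view only internal resolvers can see.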
