16

If an external DNS server is leaking internal IP addresses are there any significant security threats associated with this information leakage?

Apart from the most obvious: gaining an understanding of the internal IP ranges in use.

Cisco.com for example: http://www.dnsdumpster.com/report.php?domain=cisco.com

AviD
  • 72,138
  • 22
  • 136
  • 218
StephenG
  • 161
  • 1
  • 3

2 Answers

10

There is probably no great harm from revealing internal IP addresses inside the firewall. While there are some risks, they seem fairly modest to me.

Here are the risks I can see:

  • Information gathering. It reveals something about the internal IP ranges in use. If an attacker were to breach some internal system, this information might make an attacker's life somewhat easier, by suggesting some other internal systems that the attacker could go after. It might also reveal a little bit about organizational structure.

  • CSRF attacks. It might also make CSRF attacks slightly easier. In a CSRF attack, a user inside the firewall visits a malicious website, and the malicious website sends back to the user's browser an HTML document that causes the user's browser to connect to another machine. If the malicious website knows the address of another internal machine, it can try to trigger a connection to that internal machine and attack it (subverting the organization's firewall). However, these attacks can also happen even without knowledge of other internal machines (e.g., JavaScript can be used to portscan internal machines), so while knowledge of an internal machine's address may increase the risk somewhat, it is not essential to an attacker.

Based on this, I wouldn't stress out too much about trying to prevent internal IP addresses from leaking. There will probably be other security activities that are a better use of your time and should be a higher priority.

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • 1
    I generally agree with D.W., but it depends on your network's security model. If your security model requires the IP address of certain machines to be confidential, then it is a problem. Kerckhoffs' principle implies that with limited security resources, keeping too many things confidential will lower your overall security. So, requiring confidential IP addresses is generally not a good idea. – this.josh Jun 27 '11 at 20:38
  • 1
    Re CSRF, a very similar attack can sometimes be mounted on other protocols, besides HTTP. I.e. you might be trying to attack the database server, DC, fileserver, etc... But as you said, though the IP address would definitely make it *easier* for the attacker, it's not *necessary*, since he could just do a portscan and eventually find the same information. On the other hand, portscans are usually noisy and can be detected, as opposed to a direct assault on the known IP. That said, as @this.josh commented, there should be other controls in place, and not just relying on the secrecy of the IP. – AviD Jun 28 '11 at 09:13
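The information-gathering risk above starts with an external zone answering with addresses that should only exist inside the firewall. The following is an added example (not code from the question, the answer, or dnsdumpster) that audits a set of DNS records for RFC 1918, loopback, link-local and IPv6 ULA answers; the record set is constructed and the names are placeholders.

```python
"""Audit DNS answer data for private (RFC 1918 and similar) addresses.

Added example; the record set below is constructed, not a real zone.
"""
import ipaddress
from typing import Iterable, NamedTuple

# Address space that should not appear in answers served to the public Internet.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA_NET = ipaddress.ip_network("fc00::/7")   # IPv6 unique local addresses (RFC 4193)


class Record(NamedTuple):
    name: str
    rtype: str
    value: str


def classify(value: str):
    """Return a label for the kind of non-public address, or None if the value
    is not an IP address at all or is an ordinary global address."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None            # hostnames, MX targets, TXT data etc. are not addresses
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and any(ip in n for n in RFC1918_NETS):
        return "rfc1918"
    if ip.version == 6 and ip in ULA_NET:
        return "ula"
    return None


def find_leaks(records: Iterable[Record]):
    """Return (name, type, value, category) for every A/AAAA record whose
    data is a non-public address."""
    leaks = []
    for r in records:
        if r.rtype not in ("A", "AAAA"):
            continue
        label = classify(r.value)
        if label:
            leaks.append((r.name, r.rtype, r.value, label))
    return leaks


# Constructed sample, shaped like an export of an external zone.
SAMPLE = [
    Record("www.example.com.", "A", "203.0.113.10"),
    Record("intranet.example.com.", "A", "10.20.30.40"),
    Record("build.example.com.", "A", "172.31.0.5"),
    Record("vpn.example.com.", "A", "198.51.100.7"),
    Record("lab.example.com.", "AAAA", "fd12:3456::1"),
    Record("example.com.", "MX", "10 mail.example.com."),
    Record("dev.example.com.", "A", "127.0.0.1"),
]

if __name__ == "__main__":
    for name, rtype, value, label in find_leaks(SAMPLE):
        print(f"{name:<28} {rtype:<5} {value:<18} {label}")
```

The RFC 1918 ranges are listed explicitly rather than relying on `ipaddress`'s `is_private`, which also matches documentation and test ranges and would produce noise in an audit like this. Feeding it the output of a zone transfer from your own authoritative server gives the same list an outsider can build from passive DNS data.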
0

There is a lot of information (including links to the original CAIDA studies) about negative DNS available at AS112.net

If you know how BGP (an IETF standard that makes the Internet work by routing between autonomous systems, or ASes, with a path vector routing protocol) and DNS (another IETF standard that makes the Internet work by allowing DNS servers to access a root name server infrastructure) work, then you understand that there are neutral operators out there that run the infrastructure that keeps the Internet going.

As you can see from the CAIDA research, RFC1918 DNS PTR records started to leak out to the global Internet around 1997. The root name servers could not handle the load of this extra traffic, even with a more advanced Anycast setup where BGP announcements of more-specific /24 IPv4 prefixes were utilized with a root name server on a /32 IBGP announcement.

An entire AS was created to handle the extra load of this traffic, and it also utilized Anycast. Organizations are probably slamming their own outbound firewall rules with this DNS traffic, affecting their performance as well (especially in huge egress outlets). The autonomous system for this negative DNS traffic is AS 112. Its website (with more information about the history and statistics of the growth of this negative DNS traffic) is hosted there.

atdre
  • 18,885
  • 6
  • 58
  • 107
  • 4
    I don't see how this answers the question (namely, whether there's any significant harm from leaking internal IP addresses). Can you elaborate on how it is relevant? – D.W. Jun 27 '11 at 17:08
  • 1
    I hate to be so critical, but I still don't see how this answers the original question. The question was whether there are any significant security threats from leaking internal IP addresses. What's your take on that question? – D.W. Jun 28 '11 at 06:17
  • @atdre I could be misunderstanding, I'm sorry if I am; but it seems to me that you are talking about performance issues. I think the question was about security risks. If there are security related points you are making, I failed to pick it out of your answer. – 7wp Jul 14 '14 at 04:00
  • I'm talking about security issues, not performance issues. Check out more at -- https://web.archive.org/web/20050728133540/http://www.as112.net/ – atdre Jul 15 '14 at 03:23
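The traffic this answer describes is visible in a resolver's own query log: PTR queries under `10.in-addr.arpa`, `16.172.in-addr.arpa` through `31.172.in-addr.arpa`, and `168.192.in-addr.arpa` that the local resolver does not answer itself are the ones that end up at AS112. The following is an added example (not code from AS112, CAIDA, or any resolver project) that maps `in-addr.arpa` names back to the network they cover and flags the RFC 1918 ones; the log lines are constructed in BIND's query-log style and the client addresses are placeholders.

```python
"""Flag reverse-DNS (PTR) queries for RFC 1918 space in a resolver query log.

Added example with constructed log lines; not code from any resolver project.
"""
import ipaddress
import re

RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches lines like: client 10.0.0.5#51234: query: 5.0.0.10.in-addr.arpa IN PTR
QUERY_RE = re.compile(r"client (?P<src>\S+?)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def reverse_name_to_network(qname: str):
    """Map an in-addr.arpa name (full or partial) to the IPv4 network it covers:
    '5.0.0.10.in-addr.arpa' -> 10.0.0.5/32, '16.172.in-addr.arpa' -> 172.16.0.0/16.
    Returns None for names outside in-addr.arpa or with malformed labels."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2][::-1]          # reverse names list octets least-significant first
    if not octets or len(octets) > 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    prefix_len = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))  # pad a partial name down to a network address
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix_len}")


def is_rfc1918_reverse(qname: str) -> bool:
    """True if the reverse name lies entirely inside RFC 1918 space."""
    net = reverse_name_to_network(qname)
    return net is not None and any(net.subnet_of(r) for r in RFC1918_NETS)


def leaking_queries(log_lines):
    """Return (client, qname) for each PTR query whose target is RFC 1918 space.
    If the resolver has no local zone for that space, these are the queries
    that leave the network and land on the AS112 servers."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m or m.group("qtype") != "PTR":
            continue
        if is_rfc1918_reverse(m.group("qname")):
            hits.append((m.group("src"), m.group("qname")))
    return hits


# Constructed sample log; addresses and names are placeholders.
SAMPLE_LOG = [
    "client 10.0.0.5#51234: query: 5.0.0.10.in-addr.arpa IN PTR",
    "client 10.0.0.9#40001: query: 10.113.0.203.in-addr.arpa IN PTR",
    "client 10.0.0.9#40002: query: 7.0.16.172.in-addr.arpa IN PTR",
    "client 10.0.0.9#40003: query: 7.0.32.172.in-addr.arpa IN PTR",
    "client 10.0.0.12#40004: query: www.example.com IN A",
    "client 10.0.0.12#40005: query: 168.192.in-addr.arpa IN SOA",
]

if __name__ == "__main__":
    for client, qname in leaking_queries(SAMPLE_LOG):
        print(f"{client:<14} {qname}")
```

A non-empty result is the signal that the resolver is not authoritative for its own RFC 1918 reverse zones; serving those zones locally (most resolvers have a built-in "empty zones" option for exactly this) stops both the leak and the pointless upstream traffic.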