Private IP address in public DNS

Question

We have an SMTP only mail server behind a firewall which will have a public A record of mail.. The only way to access this mail server is from another server behind the same firewall. We do not run our own private DNS server.

Is it a good idea to use the private IP address as an A record in a public DNS server - or is it best to keep these server records in each servers local hosts file?

Answer 1

Some people will say no public DNS records should ever disclose private IP addresses....with the thinking being that you are giving potential attackers a leg up on some information that might be required to exploit private systems.

Personally, I think that obfuscation is a poor form of security, especially when we are talking about IP addresses because in general they are easy to guess anyway, so I don't see this as a realistic security compromise.

The bigger consideration here is making sure your public users don't pickup this DNS record as part of the normal public services of your hosted application. ie: External DNS lookups somehow start resolving to an address they can't get to.

Aside from that, I see no fundamental reason why putting private address A records into the public space is a problem....especially when you have no alternate DNS server to host them on.

If you do decide to put this record into the public DNS space, you might consider creating a separate zone on the same server to hold all the "private" records. This will make it clearer that they are intended to be private....however for just one A record, I probably wouldn't bother.

Answer 2

I had a lengthy discussion on this topic on the NANOG list a while ago. Though I'd always thought it was a bad idea, turns out that it's not such a bad idea in practice. The difficulties mostly come from rDNS lookups (which for private addresses Just Don't Work in the outside world), and when you're providing access to the addresses over a VPN or similar it's important to ensure that the VPN clients are properly protected from "leaking" traffic when the VPN is down.

I say go for it. If an attacker can get anything meaningful from being able to resolve names to internal addresses, you've got bigger security problems.

Answer 3

In general introducing RFC1918 addresses into public DNS will cause confusion, if not a real problem, at some point in the future. Use IPs, host records, or a private DNS view of your zone to use the RFC1918 addresses behind your firewall but not include them in the public view.

To clarify my response based on the other submitted response, I think introducing RFC1918 addresses into public DNS is a faux pas, not a security issue. If someone calls me to trouble shoot an issue and I stumble across RFC1918 addresses in their DNS, I start talking really slowly and asking them if they've rebooted recently. Maybe that's snobbery on my part, I don't know. But like I said, it's not a necessary thing to do and it's likely to cause confusion and miscommunication (human, not computer) at some point. Why risk it?

Answer 4

Though the possibility is remote I think you may be setting yourself up for some of MITM attack.

My concern would be this. Lets say one of your users with a mail client configured to point at that mail server takes their laptop to some other network. What happens if that other network also happens to have the same RFC1918 in use. That laptop may attempt to login to the smtp server and offer the user's credentials to a server that shouldn't have it. This would be particularly true since you said SMTP and didn't mention that you where requiring SSL.

Answer 5

Your two options are /etc/hosts and putting a private IP address in your public zone. I'd recommend the former. If this represents a large number of hosts, you should consider running your own resolver internally, it's not that hard.

Answer 6

No, don't put your private IP addresses in the public DNS.

Firstly, it leaks information, although that's a relatively minor problem.

The worse problem if your MX records point to that particular host entry is that anyone that does try to send mail to it will at best get mail delivery timeouts.

Depending on the sender's mail software they may get bounces.

Even worse, if you're using RFC1918 address space (which you should, inside your network) and the sender is too, there's every chance that they'll try and deliver the mail to their own network instead.

For example:

• network has internal mail server, but no split DNS
• admin therefore puts both public and internal IP addresses in the DNS
• and MX records point to both:

---

 $ORIGIN example.com
 @        IN   MX    mail.example.com
 mail     IN   A     192.168.1.2
          IN   A     some_public_IP

---

• someone seeing this might try to connect to 192.168.1.2
• best case, it bounces, because they've got no route
• but if they've also got a server using 192.168.1.2, the mail will go to the wrong place

Yes, it's a broken configuration, but I've seen this (and worse) happen.

No, it's not DNS's fault, it's just doing what it's told to.

Answer 7

There may be subtle problems with it. One is that common solutions to DNS Rebind attacks filter local DNS entries resolved from public DNS servers. So you either open yourself to rebind attacks, or local addresses don't work, or require more sophisticated configuration (if your software/router even allows it).

Answer 8

If by private you mean a 10.0.0.0/8, a 192.168.0.0/16, or a 172.16.0.0/12, then don't. Most internet routers recognize it for what it is - a private address that must never be routed to the public internet in a direct fashion, which is what helped the popularity of NAT. Anyone attempting to contact your public DNS server will retrieve the private IP address from DNS, only to send a packet to .... nowhere. As their connection attempts to traverse the internet to your private address, some (sanely configured) router along the way will simply eat the packet alive.

If you want to get email from the "outside" to come "inside", at some point, the packet has to cross your firewall. I would suggest setting up a DMZ address to handle this - a single public IP address that is tightly controlled by any router/firewall you have in place. The existing setup you describe sounds like it does exactly that.

EDIT: clarification of intent... (see comments below). If this doesn't make sense, I'll vote to remove my own post.

Answer 9

It's best to keep it in the hosts file. If only one machine is ever supposed to connect to it anyway, what do you gain by putting it into public DNS?

Answer 10

i consider it inconvenient to change a host file on a large qty of hosts, but not a genuine issue. i would consider it a real issue that a critical layer 3 service can fail and latch itself into an unrecoverable scenario because, there was a cyclic dns dependency. hosts files have their place, particulary in layer 3 network operation where we might not be able to assume a dns service works yet.

i am searching for genuine rationale to prohibit by policy the use of reserved private ip network segment addresses.

i see no technical issue with using public dns names to resolve ip address for internal-to-internal use. often in this rare scenario, it's maybe equivalent or less work to use a split dns zone. (using a hosts fine is logically equivalent to a separate dnz zone imo). so i think if you are considering public dns private address, consider if you have a greater topology issue and make sure you're changes work towards resolving that topology.

i do see a vanity problem, that being, there will be countless other networks where the public name in question will accidentally (to the advantage of an attacker) route to resources an attacker controls. the vanity problem being, my dns name can be shown a user while the communication goes to a server i don't control. in this circumstance, protocol dependant things can happen. in http land, the use of hsts and keeping a tls private key secret should provide sufficient vanity, but until browsers decide to consider all webpages served from private networks to be "insecure", there will be the vanity question in http. other protocols, particularly where there is no proof of authenticity like public trust tls (like https), private trust tls (like ssh), or mutual tls (like openvpn), use of public dns that resolves to private dns may bear vanity issues.

some hardware vendors intentionally operate addresses like this, or at least i thought so "routerlogin dot net" may have previously but doesn't now, at least not from where I'm located, or the manufacturer might park that as a black hole address and rely on mitm for either your routing or dns (eg split dns)resolution to implement a user friendly router setup page.

I've had a security firm complain about private dns records for being in spam db's, which kind of makes sense if the spam list is for lazy email operators, but we should also universally agree to not deliver or accept email from a private ip address, especially without proof of authenticity and authentication-- which makes that complaint not make sense to me in the vanity sense.

when i say split dns, I'm specifically referring to operating 2 or more dns zones that claim to be the authority for a name but serve different addresses, eg. a public and private zone for example dot com that resolve as a public or private address respectively.

i think there are technical problems with the use of split zone dns (aka private dns). particularly when any os, or later 3 technology (like a vpn) vendor is involved because at the end of the day, the os's network stack programmer or later 3 operator has more control over your bare dns resolution than you do. in particular, some operating systems use multi cast dns where the fastest dns response is considered authoritative, and i bet you, your private dns server over a vpn will be slower than the isp'a dns cache or resolver, it's simply closer to the end user in hops. this means that is you have a dns name resolve to a public or a private ip address -by circumstance of what network- -in theory- it's supposed to be resolving dns via-- i think you're likely to be a painful situation.

because of this, i prefer to never have one dns record have more than one authoritative answer no matter what it's network topology is.

for me, that means, end users (read as "developers i support") tend to have to deliberately choose if they want to resolve a private address or a public address by choosing between two distinct dns names to use. for their services/applications, but also for their webapps when and where their webapps may be accessible over both private and public networks because of a vpn.

i dislike selectively choosing the routing via dns. ip is meant to be resilient to network failures and this won't be. what would be? to be more "ip" like, would be: to have a canonical ip address (which to be canonical cannot be a private network address), and inject a (/32) route for these addresses that sends packes to a router i control that will repeat this process until the communication reaches my host over a private network such an a vpn+lan without having routed over a public network unless the vpn was off. --for people whom consider managing a few hosts file too burdensome, i suspect managing a route table like this would be much farther from ease. unless you happen to be on ipv6 or are one of the old guard who own class A or class B sized public ip block.

side note, i totally disagree with the use of nat as a defacto "part of the defensive network topology". i e this used where normally there is a handful of public address and a lot of port address translation (especially in docker heavy systems). accidentally configuring a firewall to be "default reject" via of an implementation detail of the isp that accidentally means your isp happens to not currently route any traffic destine to the lan of the firewall-- i think everyone would agree that is a very poor defense strategy, however it is the default one i see everywhere. it's so pervasive that as part of the ipv6 adoption curve, network operators have been confused and demanded technical support for NAT on ipv6 where there is almost zero region other than cargo culting to imminent it, and if you do imminent it, there is a good chance you literally don't have enough ram to build the network mask tables that NAT requires to function, meaning ipv6 nat incurs some strange dynamic characteristics that, i think 20 years ago, would have been seen as a completely irresponsible and risky kind of software to put on a firewall where every assertion needs to be correct the first time and hardened against abuse.

in general, i think the assertion that all public dns records that you own should resolve to hosts you control is a good baseline. and also made perfect sense when you could realistically own more ip addresses than you had cause to need. even now if you have to use private dns i encourage you to host split public dns with a known safe black hole address to resolve such that no network change by friendly or other operators can substantially change your deployment.

i think the fear to disclose private networks addresses and segments is silly any baseless. any attacker already knows which private networks segments you own and operate, the list is small enough to be memorized. it would be more surprising to find out that an operator doesn't use a private network, akin to finding out an operator doesn't use tcp/ip or doesn't use osi.

i don't see any issue with obscure dns names that are publicly resolvable to private network addresses. obscure dns names that, have no chance of brute force discovery, have no chance that a user could devine to intentionally type manually into an address bar. virtually ever dns zone is operated with zone transfers disabled, meaning they are opaque unless you happen to know the exact dns name before resolving. (with zone transfer enabled, anyone can list all your dns records rather than guessing and check)

is because there is a shortage of public ipv4 IP addresses and there are economic factors that force me to occasionally work with less than i need. prolific adoption and use of ipv6 would eliminate by needs for ever using private dns, but ipv6 is very often not deployed because there is cost in the hardware, software, and operational staffing.

final note, sometimes I'm forced to use dns names by middleware, like certain cloud provider's load balancers only work of you can forever use public dns resolution to a resolver controlled by the cloud provider, even when using private address space.

i don't have a dictatorial answer here, just some ideas that i didn't see else where in this thread. "certainly don't if the audience is people, people will make mistakes", "probably don't if you have any other realistic options", "if you have to, it's fine , be careful, and be informed, like anything we do online".

Answer 11

I arrived here as I was looking for similar information and was surprised that many say it's fine to leak your private IP addresses. I guess in terms of being hacked, it doesn't make a huge difference if you are on a safe network. However, DigitalOcean has had all local network traffic on the exact same cables with everyone really having access to everyone else traffic (probably doable with a Man in the Middle attack.) If you just would get a computer in the same data center, having that information certainly gives you one step closer to hacking my traffic. (Now each client has its own reserved private network like with other cloud services such as AWS.)

That being said, with your own BIND9 service, you could easily define your public and private IPs. This is done using the view feature, which includes a conditional. This allows you to query one DNS and get an answer about internal IPs only if you are asking from your one of your own internal IP address.

The setup requires two zones. The selection uses the match-clients. Here is an example of setup from Two-in-one DNS server with BIND9:

acl slaves {
    195.234.42.0/24;    // XName
    193.218.105.144/28; // XName
    193.24.212.232/29;  // XName
};

acl internals {
    127.0.0.0/8;
    10.0.0.0/24;
};

view "internal" {
    match-clients { internals; };
    recursion yes;
    zone "example.com" {
        type master;
        file "/etc/bind/internals/db.example.com";
    };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/externals/db.example.com";
        allow-transfer { slaves; };
    };
};

Here is the external zone and we can see IPs are not private

; example.com
$TTL    604800
@       IN      SOA     ns1.example.com. root.example.com. (
                     2006020201 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800); Negative Cache TTL
;
@       IN      NS      ns1
        IN      MX      10 mail
        IN      A       192.0.2.1
ns1     IN      A       192.0.2.1
mail    IN      A       192.0.2.128 ; We have our mail server somewhere else.
www     IN      A       192.0.2.1
client1 IN      A       192.0.2.201 ; We connect to client1 very often.

As for the internal zone, we first include the external zone, which is how it works. i.e. if you are an internal computer, you only access the internal zone so you still need the external zone definitions, hence the $include command:

$include "/etc/bind/external/db.example.com"
@       IN      A       10.0.0.1
boss    IN      A       10.0.0.100
printer IN      A       10.0.0.101
scrtry  IN      A       10.0.0.102
sip01   IN      A       10.0.0.201
lab     IN      A       10.0.0.103

Finally, you have to make sure that all your computers now make use of that DNS and its slaves. Assuming a static network, it would mean editing your /etc/network/interfaces file and using your DNS IPs in the nameserver option. Something like this:

iface eth0 inet static
    ...
    nameserver 10.0.0.1 10.0.0.103 ...

Now you should be all set.