
This question somewhat relates to Another question but the other way around.

We use one domain with hostnames that resolve to public and hostnames that resolve to private IPs. I agree with the answer to the aforementioned question that I don't see this as a security threat, especially relative to the effort of configuring and running a split-brain DNS for this important domain.

Therefore we decided that we will not host internal DNS servers and therefore won't have reverse DNS for internal IPs. Now I found out that I can register the domain '10.in-addr.arpa' with our DNS provider. So I could in theory host my reverse DNS zone there. I could configure the local caching DNS servers on all sites to look up requests for 10.in-addr.arpa on that server and would have reverse DNS working, plus the API and interface of our DNS provider.

On the other hand, that is a public DNS server. So everyone asking it for e.g. 1.0.0.10.in-addr.arpa would get our local hostname as the response.

Do you think this is a bad idea, aside from the aforementioned information leakage that we are willing to accept?

Clemens Bergmann

3 Answers


I wouldn't do it, myself.

Firstly, you're asking your DNS provider to serve a zone you don't actually own. The fact that you can do it is probably just an oversight on their part, and frankly I'd be a bit concerned that either they won't properly do conflict avoidance (that is to say, if another of their customers has the same idea, you might end up fighting over records) or they'll sooner or later discover what you've done and disable that ability.

Secondly, it's not hard to scan all publicly-accessible DNS servers to see if they think they're authoritative for the private zones (SOA requests for 10.in-addr.arpa, 12.172.in-addr.arpa, etc). I don't work in threat intel, so I don't know if anyone's already doing that, but I wouldn't be surprised if they were, because...

Once you've found that a given DNS server is serving a given reverse zone, enumerating that reverse zone is a lot easier than enumerating a forward zone (start at 1.0.0.10.in-addr.arpa and work your way up), and you get a much more comprehensive view of the internal network and its contents than you would by trying to enumerate common names in the forward zone.

Sure, this isn't a security hole you could drive a truck through (the attacker still has to figure out how to get at the machines to hit them), but I feel like being able to enumerate a seemingly-private reverse zone is uncomfortably close to a zone transfer (which DNS servers don't generally allow).

It's possible that your DNS provider is capable of doing access-limited DNS zones ("only serve this zone when requests come from these IP addresses"), which would be an effective compromise. Given that running DNS servers isn't rocket science, though, personally I'd just throw up a few internally and be done with it. You've got to configure your internal resolvers to point to a custom location anyway.

womble

It's not a problem.

Any normal search for 10.in-addr.arpa. will follow the normal chain down from the root and end up at IANA's blackhole name servers. So the only queries for that name that should reach your servers are those specifically and deliberately sent there. If someone gets a problem because of that, they have only themselves to blame.

Calle Dybedahl

It's important to understand how the public authoritative DNS works with delegation.

Just because your ISP allows you to create the zone does not necessarily mean that your reverse zones are where the internet points to.

For most hosted DNS services they allow you to create whatever zone you want. BUT it will not be reached unless the delegation chain exists, pointing to your DNS servers (or your ISPs) as the main authority for those zones.

If I make a 10.10.in-addr.arpa. zone on my AWS DNS service, it will work if I look up against that DNS server directly. But the actual authority for 10.10.in-addr.arpa. is elsewhere. So when a regular user looks up that reverse space, they will go through the delegation chain (the arpa NS servers point to the in-addr.arpa name servers, which point to the 10.in-addr.arpa name servers, which point to the 10.10.in-addr.arpa name servers).

So if you are actually supposed to be authoritative (as in you own that public IP space), you will need to configure the delegation from the parent servers before your zones get used.

Also, yes it is a bad idea to be putting your internal reverse space on the external public internet, especially if it is actually authoritative and being properly delegated. There are few reasons to do this publicly.

You are better off creating a separate cloud DNS server that hosts that reverse space, and is not delegated, and restricts queries to only those subnets that belong to you. After that you can set up forwarding on your recursive servers to manually point to this DNS server for any reverse space you're using internally.

madacoda
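The set-up the first and third answers recommend (an internal, non-delegated reverse zone that answers only your own subnets, with the site resolvers forwarding 10.in-addr.arpa to it) as BIND 9 named.conf fragments. This is an added example, not configuration from the question or any answer; the server address 10.0.0.53, the ACL name and the zone file path are assumptions.

```conf
// Added example: BIND 9 fragments for an internal 10.in-addr.arpa zone.
// 10.0.0.53, the "internal" ACL and the zone file path are placeholders.

// --- On each site's caching/recursive resolver ---
// Send every query under 10.in-addr.arpa to the internal authoritative
// server instead of following the public delegation, which for this
// zone ends at IANA's blackhole name servers (see the second answer).
zone "10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };   // assumed internal authoritative server
};

// --- On the internal authoritative server (NOT delegated from in-addr.arpa) ---
acl "internal" {
    10.0.0.0/8;     // your RFC 1918 space
    127.0.0.1;
};

options {
    // Server-wide default: answer only clients on your own subnets and
    // never hand out the whole zone via AXFR.
    allow-query    { "internal"; };
    allow-transfer { none; };
};

// Weak setting this replaces: the same zone hosted at a public provider,
// effectively "allow-query { any; }", which is what lets anyone on the
// internet query 1.0.0.10.in-addr.arpa and walk the reverse space.
zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.10.in-addr.arpa";   // assumed path
    allow-query    { "internal"; };
    allow-transfer { none; };
};
```

Because the zone is never delegated from in-addr.arpa, only resolvers explicitly forwarding to 10.0.0.53 reach it, and the ACL stops anyone else who learns the address from querying it directly.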