| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Re: rfc1918 space dns requests On Tue, 16 Mar 2004 20:44:56 +0100, martin f krafft <madduck@...duck.net> said: > also sprach Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> [2004.03.16.1= > 812 +0100]: > > 2) We've got applications making DNS requests that get forwarded > > out to the ISP's servers, where they will almost certainly result > > in either an error reply or a timeout Find ways to use this to > > your advantage. > > I would be interested in how you do that. The obvious is that the usual DNS spoofing hacks often only have a few milliseconds for you to stick in a bogus packet before the real DNS answers - here you have entire seconds to play with. > For ease of maintenance, I have my primary DNS respond with RFC 1918 > addresses for my internal machines. That is, my internal machines > are resolved by a primary DNS server out there on the 'Net, e.g. > sky.madduck.net. I fail to see how this can be a security problem. I know you well enough to know that you almost certainly Got It Right. > I agree that RFC 1918 slipping out by accident could be an > indication of problems in the network, drawing hackers attention > rightfully so. For every one of you, there's probably hundreds of these Getting It Wrong. Bet there's a bunch over at the Dept of the Interior. :) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040316/1974c3ad/attachment.bin
Powered by blists - more mailing lists