[H-GEN] RFC-1918 : Class C Networks.

Edwin Groothuis edwin at mavetju.org
Tue Sep 6 21:12:41 EDT 2005


On Wed, Sep 07, 2005 at 11:02:41AM +1000, Greg Black wrote:
> The correct solution is to have the internal addresses given out
> to internal hosts and for lookups from outside to get failures.
> Handing out inaccessible addresses in response to queries is
> just wrong.

No it's not.

Imagine this:

- External user tries to connect to internal webserver.
- DNS server returns NXDOMAIN. Entry stays in DNS server for its
  TTL. User has it also cached on his computer.
- External user thinks "I'm an idiot, I forgot to set up my VPN"
- External user becomes internal user and tries to access the
  internal webserver.
- DNS cache says "NXDOMAIN".

Yes yes, it's all theoretical[sp] and stuff, but we live in a gray
world where sometimes things are right and sometimes the same things
are wrong.

Edwin
-- 
Edwin Groothuis      |            Personal website: http://www.mavetju.org
edwin at mavetju.org    |          Weblog: http://weblog.barnet.com.au/edwin/
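The negative-caching scenario Edwin describes, as an added simulation that is not part of the thread: a client-side cache that honours TTLs (RFC 2308 negative caching) is queried from outside, then from inside via VPN. The name intranet.example, the address 10.0.0.5 and the 3600-second TTLs are constructed for the example.

```python
"""Simulate the stale-NXDOMAIN pitfall of split-horizon DNS (added example)."""
from dataclasses import dataclass

NXDOMAIN = "NXDOMAIN"


@dataclass
class Answer:
    rdata: str  # an address, or NXDOMAIN for a negative answer
    ttl: int    # seconds; for NXDOMAIN this is the SOA minimum (RFC 2308)


# Two authoritative "views" of the same name (constructed values).
def external_view_nxdomain(name):
    """Greg's option: outside queries get a failure."""
    return Answer(NXDOMAIN, ttl=3600)


def external_view_rfc1918(name):
    """Edwin's option: outside queries get the (unreachable) RFC-1918 address."""
    return Answer("10.0.0.5", ttl=3600)


def internal_view(name):
    return Answer("10.0.0.5", ttl=3600)


class StubCache:
    """Client resolver cache that keeps both positive and negative answers until their TTL expires."""

    def __init__(self):
        self.entries = {}  # name -> (Answer, expiry time)

    def resolve(self, name, view, now):
        cached = self.entries.get(name)
        if cached and cached[1] > now:
            return cached[0].rdata, True  # served from cache, upstream not asked
        ans = view(name)
        self.entries[name] = (ans, now + ans.ttl)
        return ans.rdata, False


def scenario(external_view, vpn_up_at=60):
    """Resolve from outside at t=0, then from inside (VPN up) at t=vpn_up_at."""
    cache = StubCache()
    outside, _ = cache.resolve("intranet.example", external_view, now=0)
    inside, from_cache = cache.resolve("intranet.example", internal_view, now=vpn_up_at)
    return outside, inside, from_cache
```

With the NXDOMAIN view the user still gets NXDOMAIN after connecting to the VPN until the negative TTL runs out; with the RFC-1918 view the cached answer is unreachable outside but correct once inside.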