[H-GEN] RFC-1918 : Class C Networks.
Edwin Groothuis
edwin at mavetju.org
Tue Sep 6 21:12:41 EDT 2005
On Wed, Sep 07, 2005 at 11:02:41AM +1000, Greg Black wrote:
> The correct solution is to have the internal addresses given out
> to internal hosts and for lookups from outside to get failures.
> Handing out inaccessible addresses in response to queries is
> just wrong.
No it's not.
Imagine this:
- External user tries to connect to internal webserver.
- DNS server returns NXDOMAIN. Entry stays in DNS server for its TTL. User has it also cached on his computer.
- External user thinks "I'm an idiot, I forgot to set up my VPN"
- External user becomes internal user and tries to access the internal webserver.
- DNS cache says "NXDOMAIN".
Yes yes, it's all theoretical[sp] and stuff, but we live in a gray
world where sometimes things are right and sometimes the same things
are wrong.
Edwin
--
Edwin Groothuis | Personal website: http://www.mavetju.org
edwin at mavetju.org | Weblog: http://weblog.barnet.com.au/edwin/
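The negative-caching behaviour Edwin's scenario relies on, as an added Python model that is not part of this thread or any real resolver: a stub resolver caches an NXDOMAIN for the negative TTL (the SOA MINIMUM per RFC 2308) and keeps serving it after the client joins the VPN, while handing out the RFC 1918 address instead gives a correct cache entry that simply cannot be reached from outside. The name intranet.example.test, the address 10.0.0.5 and the 300-second TTL are constructed values.

```python
NXDOMAIN = "NXDOMAIN"
NAME = "intranet.example.test"          # constructed internal hostname
NEGATIVE_TTL = 300                      # constructed SOA MINIMUM: how long NXDOMAIN is cacheable

# Constructed split-horizon data: only the internal view knows the RFC 1918 address.
INTERNAL_VIEW = {NAME: ("A", "10.0.0.5", 300)}

def external_view_query(name):
    """Public view under the 'fail the lookup' policy: every internal name is NXDOMAIN."""
    return (NXDOMAIN, None, NEGATIVE_TTL)

def internal_view_query(name):
    """Internal view (also the public view under the 'hand out RFC 1918' policy)."""
    return INTERNAL_VIEW.get(name, (NXDOMAIN, None, NEGATIVE_TTL))

class StubResolver:
    """Client-side cache; like real stub resolvers it caches negative answers too."""
    def __init__(self, clock):
        self.clock = clock
        self.cache = {}                 # name -> ((rtype, rdata), expiry)

    def resolve(self, name, upstream):
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:        # unexpired entry wins, even if it is NXDOMAIN
            return hit[0] + ("cache",)
        rtype, rdata, ttl = upstream(name)
        self.cache[name] = ((rtype, rdata), now + ttl)
        return (rtype, rdata, "upstream")

def simulate(policy):
    """policy 'nxdomain' = refuse outside lookups; 'rfc1918' = return the private address.
    Returns the three answers the user sees: outside, right after VPN up, after TTL expiry."""
    t = [0]
    resolver = StubResolver(lambda: t[0])
    public_view = external_view_query if policy == "nxdomain" else internal_view_query
    steps = [resolver.resolve(NAME, public_view)]        # 1. outside, VPN forgotten
    t[0] += 10
    steps.append(resolver.resolve(NAME, internal_view_query))  # 2. VPN up, cache consulted first
    t[0] += NEGATIVE_TTL
    steps.append(resolver.resolve(NAME, internal_view_query))  # 3. negative entry has expired
    return steps

if __name__ == "__main__":
    for policy in ("nxdomain", "rfc1918"):
        print(policy, simulate(policy))
```

Under the NXDOMAIN policy the second step is still answered from cache as NXDOMAIN, which is exactly the stale-negative-answer failure the post describes.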