[H-GEN] RFC-1918 : Class C Networks.
Greg Black
gjb at gbch.net
Tue Sep 6 21:20:18 EDT 2005
On 2005-09-07, Edwin Groothuis wrote:
> On Wed, Sep 07, 2005 at 11:02:41AM +1000, Greg Black wrote:
>> The correct solution is to have the internal addresses given out
>> to internal hosts and for lookups from outside to get failures.
>> Handing out inaccessible addresses in response to queries is
>> just wrong.
>
> No it's not.
Yes it is.
> Imagine this:
>
> - External user tries to connect to internal webserver.
> - DNS server returns NXDOMAIN. Entry stays in DNS server for its
> TTL. User has it also cached on his computer.
> - External user thinks "I'm an idiot, I forgot to set up my VPN"
> - External user becomes internal user and tries to access the
> internal webserver.
> - DNS cache says "NXDOMAIN".
External user has set up her system to use the wrong DNS cache in
that case. Part of setting up the VPN would involve updating
/etc/resolv.conf appropriately. And then the so-called problem
goes away.
It is, as I said, a matter of understanding how things work and
then doing things the right way.
> Yes yes, it's all theoretical[sp] and stuff, but we live in a gray
> world where sometimes things are right and sometimes the same things
> are wrong.
That may be partly true, but it's certainly not the case in the
situation we're discussing here.
Cheers, Greg
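The two positions in this exchange can be played out in a small simulation. The following is an added example written for this page, not code from either poster: a caching stub resolver pointed at one of two constructed DNS views (an internal view that knows the host, an external view that answers NXDOMAIN, and the "leaky" alternative that publishes the RFC 1918 address to everyone). The hostname intranet.example.com, the address 10.0.5.20 and the 300-second negative TTL are assumptions chosen for the example. It shows the stale-NXDOMAIN problem Edwin describes when the VPN comes up but the resolver is left pointing at the outside cache, the same client behaving correctly once the VPN setup repoints the resolver (Greg's /etc/resolv.conf step) and discards old answers, and what an outside client receives if the private address is handed out instead.

```python
"""Split-horizon DNS versus negative caching, as a constructed simulation."""
from dataclasses import dataclass, field
import ipaddress

NAME = "intranet.example.com"  # constructed hostname (assumption)
NXDOMAIN = None                # stands in for a negative (NXDOMAIN) answer
NEGATIVE_TTL = 300             # seconds a negative answer is cached (assumed SOA minimum)

# Constructed zone data for the two views of the same name.
INTERNAL_VIEW = {NAME: "10.0.5.20"}   # RFC 1918 address, reachable only inside/VPN
EXTERNAL_VIEW = {}                    # no record: the outside view answers NXDOMAIN
# The design the thread argues against: the public view hands out the private address.
LEAKY_EXTERNAL_VIEW = {NAME: "10.0.5.20"}


@dataclass
class StubResolver:
    """Caching stub resolver pointed at one view, like a host's /etc/resolv.conf."""
    view: dict
    now: int = 0                                    # simulated clock, seconds
    cache: dict = field(default_factory=dict)       # name -> (answer, expiry time)
    log: list = field(default_factory=list)         # ("cache"|"upstream", answer)

    def resolve(self, name):
        if name in self.cache:
            answer, expires = self.cache[name]
            if self.now < expires:
                self.log.append(("cache", answer))
                return answer
            del self.cache[name]
        answer = self.view.get(name, NXDOMAIN)
        # Negative answers are cached too (RFC 2308), which is why an NXDOMAIN
        # learned outside can outlive a change of network.
        self.cache[name] = (answer, self.now + NEGATIVE_TTL)
        self.log.append(("upstream", answer))
        return answer

    def repoint(self, view):
        """What a correct VPN setup does: rewrite the resolver configuration
        and drop answers obtained from the old view."""
        self.view = view
        self.cache.clear()


def stale_cache_scenario():
    """NXDOMAIN cached outside; VPN comes up but the resolver is not repointed."""
    r = StubResolver(EXTERNAL_VIEW)
    outside = r.resolve(NAME)        # NXDOMAIN, now cached for NEGATIVE_TTL
    r.now += 30
    r.view = INTERNAL_VIEW           # tunnel is up, resolv.conf left unchanged
    inside = r.resolve(NAME)         # still NXDOMAIN, served from the negative cache
    return outside, inside, r.log[-1][0]


def repointed_resolver_scenario():
    """Same client, but VPN setup repoints the resolver and flushes old answers."""
    r = StubResolver(EXTERNAL_VIEW)
    r.resolve(NAME)                  # NXDOMAIN cached while outside
    r.now += 30
    r.repoint(INTERNAL_VIEW)         # the /etc/resolv.conf step from the thread
    return r.resolve(NAME)           # internal view answers with the private address


def leaky_view_scenario():
    """Publishing the RFC 1918 address: an outside client gets an address it
    cannot reach and learns the internal numbering in the process."""
    r = StubResolver(LEAKY_EXTERNAL_VIEW)
    answer = r.resolve(NAME)
    return answer, ipaddress.ip_address(answer).is_private


if __name__ == "__main__":
    print("stale cache:", stale_cache_scenario())
    print("repointed:", repointed_resolver_scenario())
    print("leaky view:", leaky_view_scenario())
```

The simulation collapses positive and negative TTLs into one value for brevity; a real resolver keeps separate TTLs per record, but the ordering of events is the same. The point the code makes is that the staleness in the first scenario is a property of the client's cache, not of the NXDOMAIN answer, and `repoint()` removes it without the zone ever having to expose a private address.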