[H-GEN] RFC-1918 : Class C Networks.
Andrew Meaden
ameaden at optusnet.com.au
Thu Sep 8 20:57:55 EDT 2005
>> > you look up fremantle.binke.com.au, you will see that its IP address
>> > is
>> > 192.168.4.3 - unreachable from most of the internet, but over our
>> > VPNs,
>> > perfectly reachable.
>> So bogus answers are being handed out to the 'net at large. Better to
>> prevent anyone from getting knowledge about fremantle.binke.com.au
>> (apparently an internal host) if they don't need it.
> Not to mention that (a) you are giving away a fair amount of information
> about how your internal network is set up; and (b) an attacker could
> host a convenient wireless network assigning addresses in the
> 192.168.4.0/24 network and spoof fremantle by setting up dummy services.
As I said, the host isn't internal at all, it's in a colo facility far away.
The VPNs that connect into the VPN server (physically located here) are
from various parts of the internet, and we don't have control over the DNS
from some of these networks. We could simply force these users to
reconfigure their DNS I suppose, but most of these simply use the IP handed
to them by their ISP when they connect to the internet. I know our setup
pushes various routes to the VPN clients, I imagine it would have a facility
to attach extra nameserver information to the virtual interfaces it uses for
connectivity. Well worth a look in, in any case.
The actual network the machine lives on is not internal at all, it's a
completely separate subnet running between 3 hosts physically located in a
colo facility. 2 of the machines are publicly accessible through another
network they're connected to (and this one is connected to the live
internet) in addition to their internal network connectivity. The machine is
pretty much entirely dedicated to serving as a backup host for the other 2
machines. It's not an internal host, it just isn't deserving of a real world
IP :)
-- Andrew
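The objection raised in the thread is that a public zone answering with 192.168.4.3 tells the world which names live on the VPN side. Before publishing a zone, the check a zone owner would want is to walk its A records and flag any that fall inside RFC 1918 space. The following is an added example, not code from anyone in this thread; the zone text is constructed for illustration and the names and addresses in it are invented, as is the helper name `find_leaks`. It checks the three RFC 1918 blocks explicitly rather than relying on `ipaddress.is_private`, which also matches loopback, link-local and documentation ranges.

```python
import ipaddress
from typing import List, Optional, Tuple

# The three RFC 1918 blocks, spelled out deliberately: ipaddress.is_private()
# would also match 127/8, 169.254/16, 192.0.2/24 and others, which is not the
# question being asked here.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def _fqdn(owner: str, origin: str) -> str:
    """Turn a zone-file owner name into a fully qualified name without the trailing dot."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner.rstrip(".")
    return f"{owner}.{origin}"


def parse_a_records(zone_text: str, origin: str) -> List[Tuple[str, str]]:
    """Extract (fqdn, address) pairs from the A records of a BIND-style zone.

    Handles the usual 'owner [ttl] [IN] A addr' layout, '@' and relative owner
    names, lines that inherit the previous owner (leading whitespace), ';'
    comments and a $ORIGIN directive. SOA, NS, MX, AAAA and anything else are
    skipped; AAAA is not an RFC 1918 concern.
    """
    records: List[Tuple[str, str]] = []
    last_owner: Optional[str] = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1].rstrip(".")
            continue
        if fields[0].startswith("$"):
            continue
        # A line starting with whitespace inherits the owner of the previous record.
        if raw[0].isspace():
            owner, rest = last_owner, fields
        else:
            owner, rest = fields[0], fields[1:]
        if owner is None:
            continue
        last_owner = owner
        if "A" not in rest:
            continue
        idx = rest.index("A")
        if idx + 1 >= len(rest):
            continue
        records.append((_fqdn(owner, origin), rest[idx + 1]))
    return records


def find_leaks(zone_text: str, origin: str) -> List[Tuple[str, str]]:
    """Return the A records in the zone whose address is RFC 1918 space."""
    return [(name, addr) for name, addr in parse_a_records(zone_text, origin)
            if is_rfc1918(addr)]


# Constructed sample zone (not the poster's real data): two public hosts on a
# documentation prefix, one backup host and one database on private space.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. ( 2005090801 3600 900 604800 300 )
         IN NS  ns1
ns1      IN A   203.0.113.10
www      3600 IN A 203.0.113.20   ; public web server
backup   IN A   192.168.4.3       ; only reachable over the VPN
db       A     10.20.30.40
mail     IN AAAA 2001:db8::25
"""

if __name__ == "__main__":
    for name, addr in find_leaks(SAMPLE_ZONE, "example.com"):
        print(f"RFC 1918 address published in public DNS: {name} -> {addr}")
```

Anything the check reports belongs in a zone served only to VPN clients (or in /etc/hosts on them), not in the public zone; the public zone then says nothing about the private side at all.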