[Pdns-users] Private IP Addresses in DNS Records

Nikolaos Milas nmilas at admin.noa.gr
Fri May 14 15:13:13 UTC 2021

On 14/5/2021 3:50 PM, Kevin P. Fleming wrote:

> I agree with this sentiment; my publicly-visible zones contain records
> with both private addresses and with non-reachable public addresses
> (IPv6 GUAs), and I'm fine with that. If someone can learn the address
> of one of those systems, that doesn't cause any harm.

Hmm, probably you mean IPv6 Link-local addresses (rather than GUAs);
GUAs are reachable indeed.

However, the whole point of the discussion is exactly how to avoid
publishing non-reachable (private and link-local) addresses to the
Internet, and it seems to me that what you suggest is in fact the
opposite of what Brian suggested.

Yet, it is important to know that publishing to the Internet records
with private and/or link-local addresses is not considered bad practice!
Is there any documentation (RFC or good practice guidelines) on this

I fully understand and accept Brian's point on running a separate
internal authoritative server, but if I could do the job by using a
single authoritative server while keeping a subzone private, that would
save me valuable administrative cost and would make my admin life
easier, especially when taking into account that we are a relatively
small organization with relatively few RRs.

So, if someone (Frank?) can hint on how to block AXFRs/requests for a
delegated subzone (nevertheless hosted on the same authoritative
server), that would accomplish what we require while keeping admin
effort low.

Thanks everyone for your feedback! I still hope that there is a solution
with our current setup (slightly reconfigured).
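The concern in this thread, private and link-local addresses ending up in an Internet-facing zone, can be checked mechanically before a zone is published. The following is an added example and not code from the thread or from PowerDNS: it assumes BIND-style zone text (a constructed sample is embedded) and reports every A/AAAA record whose address falls in the RFC 1918, RFC 4193 ULA, link-local or loopback ranges.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample zone (not from the mailing-list thread); mixes public
# and non-routable addresses so the audit has something to flag.
SAMPLE_ZONE = """\
; constructed example zone
www      IN A    203.0.113.10
intranet IN A    10.20.30.40
printer  IN A    192.168.1.5
link     IN AAAA fe80::1
ula      IN AAAA fd12:3456::1
pub6     IN AAAA 2001:db8::1
mail     IN MX   10 www
"""

# Explicit ranges rather than ipaddress.is_private, which also treats the
# documentation prefixes (192.0.2/24, 203.0.113/24, 2001:db8::/32) as private.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # RFC 4193 ULA
    "127.0.0.0/8", "::1/128",                          # loopback
)]


def is_non_routable(addr: str) -> bool:
    """True if addr lies in a range that should not be published to the Internet."""
    ip = ipaddress.ip_address(addr)  # raises ValueError for non-literals
    return any(ip in net for net in NON_ROUTABLE)


def audit_zone(zone_text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, rtype, address) for each A/AAAA record with a non-routable address."""
    findings = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        # Accept "owner [TTL] [IN] type rdata"; locate the type token.
        for i, tok in enumerate(fields):
            if tok in ("A", "AAAA") and i + 1 < len(fields):
                owner, rdata = fields[0], fields[i + 1]
                try:
                    if is_non_routable(rdata):
                        findings.append((owner, tok, rdata))
                except ValueError:
                    pass  # rdata is not an IP literal; ignore
                break
    return findings
```

Run `audit_zone` over the zone text of each public-facing zone as a pre-publish check; an empty result means no private, ULA, link-local or loopback addresses are exposed.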