[Pdns-users] Private IP Addresses in DNS Records
nmilas at admin.noa.gr
Fri May 14 15:13:13 UTC 2021
On 14/5/2021 3:50 μ.μ., Kevin P. Fleming wrote:
> I agree with this sentiment; my publicly-visible zones contain records
> with both private addresses and with non-reachable public addresses
> (IPv6 GUAs), and I'm fine with that. If someone can learn the address
> of one of those systems, that doesn't cause any harm.
Hmm, probably you mean IPv6 Link-local addresses (rather than GUAs);
GUAs are reachable indeed.
However, the whole point of the discussion is exactly how to avoid
publishing non-reachable (private and link-local) addresses to the
Internet, and it seems to me that what you suggest is in fact the
opposite of what Brian suggested.
Yet, it is important to know that by publishing to the Internet records
with private and/or link-local addresses is not considered bad practice!
Is there any documentation (RFC or good practice guidelines) on this
I fully understand and accept Brian's point on running a separate
internal authoritative server, but if I could do the job by using a
single authoritative server while keeping a subzone private, that would
save me valuable administrative cost and would make my admin life
easier, especially when taking into account that we are a relatively
small organization with relatively few RRs.
So, if someone (Frank?) can hint on how to block AXFRs/requests for a
delegated subzone (nevertheless hosted on the same authoritative
server), that would accomplish what we require while keeping admin
Thanks everyone for your feedback! I still hope that there is a solution
with our current setup (slightly reconfigured).
More information about the Pdns-users