    Putting 192.168 addresses in public DNS

    raindog308 Moderator

    On my home LAN I have a dozen or so PCs, servers, and VMs. I use a domain for all my home stuff and rather than setting up DNS at home, it occurred to me I could just put A records with 192.168.* records in my registrar's DNS.

    So if I look up tentaclehentaiserver.mydomain.com it would come back as 192.168.1.15. Obviously, you can't get to it unless you're on my LAN.

    It seems weird but I am having a hard time thinking of a downside. Running my own DNS at home isn't hard but then I have to make it redundant, etc. and set it up as a recursive server since I'd have to point clients at it. Right now I'm just copying a host file around, and sometimes when a family member wants to go to our home web server they have to type in the IP address or edit their local hosts, etc.

    The only exposure I can think of is that if someone managed to do a zone transfer, they'd have a list of all the servers in my house, though my registrar's DNS doesn't allow zone transfers.

    I'm sure RFC1918 entries weren't necessarily meant to be in public DNS but...what does it really hurt?


    Comments

    • AnthonySmith Top Provider

      I am face palming at the fact I never considered this myself....


    • LordSpock Member, Provider

      Should work fine, some big router companies do it.

    • @AnthonySmith said:
      I am face palming at the fact I never considered this myself....

      Live stream it XD

    • teknolaiz Member
      edited August 2015

      I only say "hosts" file. Whenever I need to point a domain to a local IP or an IP of a different server without leaking it, I simply make entries in the hosts file. Works even if I use like 3 different DNS servers per protocol (3 for IPv4 and 3 for IPv6). Make it work globally? I replace the hosts file of the gateway.

      But I see this would probably be a lot easier than that, though :) . Good job figuring it out!


    • I do this! No issues so far, with cloudflare for DNS.

    • I do the same. Love your tags, btw.


    • William Member, Provider

      If you run pfSense it will hijack and block the query; there's some RFC for that to prevent local attacks.

    • scy Member

      raindog308 said: Running my own DNS at home isn't hard but then I have to make it redundant, etc.

      Well, home DNS on your own LAN could be nice: you set up a simple resolver and you add your own custom domains (pdnsd could do that easily). Once cached locally everything will be faster and more secure, as your own server won't easily lie to you.

      And why would you need it to be redundant? If the machine that hosts your DNS server goes down, just fix it :) (well, it assumes that you have a machine that stays online 24/7)

    • @William said:
      if you run pfsense it will hijack and block the query, theres some RFC for that to prevent local attacks.

      Pretty sure you can turn that off.

      RFC1918 IPs in public DNS servers are somewhat frowned upon, and some providers of caching/forwarding nameservers will block them from appearing (I think OpenDNS offers such an option).

      I think some in the security industry will probably also say it's a bad idea since it reveals information about your internal network.

      All that said, it's not going to break the internet if you did do it, and it's by far not the worst thing you could do.

      I've had to do it in the past for a captive portal on a very basic Wi-Fi install (didn't have a local DNS resolver).

    • Same, no issues with doing it at all. Definitely makes it a lot more manageable, and removes the whole "edit the hosts file as admin" requirement.

    • Ishaq Member, Provider
      edited August 2015

      There's a site dedicated to this:

      routerlogin.net

    • J1021 Member
      edited August 2015

      Ishaq said: There's a site dedicated to this:

      routerlogin.net

      Not quite. Most home routers are running a DNS proxy and return 192.168.0.1 or whatever themselves.

      Jacks-MacBook-Air:~ jackxxx$ dig a routerlogin.net
      
      ; <<>> DiG 9.8.3-P1 <<>> a routerlogin.net
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50970
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;routerlogin.net.       IN  A
      
      ;; AUTHORITY SECTION:
      routerlogin.net.    900 IN  SOA nsone.netgear.com. dns.netgear.com. 22 10800 3600 2592000 900
      
      ;; Query time: 361 msec
      ;; SERVER: 109.74.192.20#53(109.74.192.20)
      ;; WHEN: Mon Aug 31 00:10:16 2015
      ;; MSG SIZE  rcvd: 90
      
      Jacks-MacBook-Air:~ jackxxx$
      
    • elgs Member

      It doesn't hurt. It only affects those who use your DNS server.

    • Hidden_Refuge said: I replace the hosts file of the gateway.

      That's what I do. Surely it doesn't get any easier than that, since whatever you do you'll have to type the numbers once anyway. You can also put all kinds of local shortcuts in there as well.

    • Hidden_Refuge said: I replace the hosts file of the gateway.

      Do you mean having your Internet router serve these DNS entries?


    • KuJoe Member, Provider

      Does anybody run their own DNS servers at home anymore?

    • @KuJoe said:
      Does anybody run their own DNS servers at home anymore?

      I still do, but it's really only a legacy server at this point. I've long ago switched to using .local naming for everything on my LAN.


    • ATHK Member

      Am I right in saying some higher end home routers do this already?

      Mine, being $250+ AUD, allows hostnames for the router and attached devices, e.g.

      Router = home.local
      NAS = nas.local

      They do resolve, so the need for an internal or external DNS server doesn't have to exist, except in some special cases.

    • Already been done for all 4.3 billion IPv4 addresses.

      http://xip.io/

      Excellent for when something claims it needs a hostname rather than just an IPv4 address.

    • ATHK Member

      @singsing said:
      Already been done for all 4.3 billion IPv4 addresses.

      http://xip.io/

      Excellent for when something claims it needs a hostname rather than an IPv4 only.

      But... you still have to provide the IP address. Not great for the non-tech-savvy.

    • rm_ Member
      edited August 2015

      KuJoe said: Does anybody run their own DNS servers at home anymore?

      I run one used just by my local recursor (not public-facing), so that my own domain keeps resolving at home in case [both] Internet links go down. And yes, I do use public DNS for RFC1918 and IPv6 ULA extensively; nothing wrong with that.

    • The advantage of using a public DNS server instead of .local domains is that it also works e.g. through a VPN. You can just connect to your network from anywhere in the world, push the routes for the internal network and all DNS entries will work the same way they would if you were at home. To achieve this behaviour with .local domain names you'd also have to push a DNS server to the VPN clients.

    • gsrdgrdghd said: The advantage of using a public DNS server instead of .local domains is that it also works e.g. through a VPN.

      I use VPN and don't have a problem using host file for local lookup. In Tomato just tick "Intercept DNS port (UDP 53)". I use three letter names for all the computers here and also visitors' initials when I have stuff to show them.

    • It works BUT you're painting a picture of your INTERNAL network for anyone who has the time to query. So I would think it's a security risk.

    • jeromeza said: So I would think its a security risk.

      Meh, most everyone starts numbering at 192.168.0.X or 10.0.0.X; it doesn't take a lot of work for an attacker to try an attack with a few different values of X to try to reach something. Of course, if you're really randomizing within 10/8, a bit of security is lost by publishing the address.

    • KuJoe Member, Provider
      edited August 2015

      As somebody who has multiple subnets at home I wouldn't want a map of them anywhere public so I keep my DNS internal. :)

    • rm_ Member
      edited August 2015

      jeromeza said: It works BUT you're painting a picture of your INTERNAL network for anyone who has the time to query.

      How exactly? Are you going to guess my hostnames by dictionary? I hope your dictionary includes Japanese words and anime character names, then? In any case this is going to take a lot longer than just going through all of the RFC1918 ranges (and that's even assuming you somehow gained access to the local network in the first place...)

      KuJoe said: multiple subnets at home I wouldn't want a map of them anywhere public

      Okay at home I have one host with IP 192.168.0.214 and another with 192.168.9.117. What exactly does that give you?

      I could even let you know my IPv6 (but they're dynamic), still gives you nothing as no incoming connections from the outside are allowed by the firewall.

      With the way DNS works, no external client can just "list" all the records you have and get your "map", unless AXFR is allowed (which is disabled by default in nameservers and typically allowed to specific client IPs only). So the only way they could get that is via bruteforcing, and again, that isn't anywhere near effective or feasible.

      jeromeza said: So I would think its a security risk.

      Don't mistake your caveman-style "fearing of the unknown" with a genuine and well thought out mitigation of clearly formulated security risks.

    • Set up samba to broadcast NetBIOS names. Problem solved.

      *I'm assuming the family are using Windows

    • rm_ said: I hope your dictionary includes Japanese words and Anime character names then?

      I hope your passwords aren't chosen on the basis that Anime characters can't be part of a "dictionary" attack.

    • rm_ said: Okay at home I have one host with IP 192.168.0.214 and another with 192.168.9.117. What exactly does that give you?

      I could even let you know my IPv6 (but they're dynamic), still gives you nothing as no incoming connections from the outside are allowed by the firewall.

      If I use a browser exploit to attack low-hanging fruit on your LAN, I can then turn around and attack your more important machines on your LAN from within the LAN, even without root permissions on the beachhead machine (with root permissions it would be easier to do packet sniffing to discover local addresses). Exporting any NFS or Samba shares to your LAN from your shiny otherwise-firewalled Linux box? Maybe not you, but many people do, and this software is far from perfect. Randomization is a good idea.

    • @LordSpock said:
      Should work fine, some big router companies do it.

      Yup, Netgear has done this for ages.

    • rm_ Member

      I hope your passwords aren't chosen on the basis that Anime characters can't be part of a "dictionary" attack.

      Certainly not, but as you probably realize passwords are several orders of magnitude more valuable data than a hostname (which might resolve to a private IP, and which is most likely firewalled even if not).

    • KuJoe Member, Provider
      edited August 2015

      rm_ said: Okay at home I have one host with IP 192.168.0.214 and another with 192.168.9.117. What exactly does that give you?

      I could even let you know my IPv6 (but they're dynamic), still gives you nothing as no incoming connections from the outside are allowed by the firewall.

      With the way DNS works, no external client can just "list" all the records you have and get your "map", unless AXFR is allowed (which is disabled by default in nameservers and typically allowed to specific client IPs only). So the only way they could get that is via bruteforcing, and again, that isn't anywhere near effective or feasible.

      What about the people on my network? Obviously I don't want my neighbors or guests knowing what subnet camera1.my.domain is on or what subnet I have my important NAS on. I'm not worried about people on the internet; I'm worried about people who either know one of my Wi-Fi passwords or people who want to break into my house.

      I understand I'm a special case and I'm not saying what others are doing is a bad idea; it's just a bad idea for me and I won't do it for security reasons.

    • rm_ Member

      KuJoe said: I don't want my neighbors or guests knowing what subnet camera1.my.domain is on or what subnet I have my important NAS on.

      Set up your network so that these are on separate VLANs/SSIDs, and that the guest ones don't have access to sensitive ones.

    • People knowing your Wi-Fi password can probably just scan your private subnet to find out all your devices if they want to. People breaking into your house... they are not after your IPs :)


    • ATHK Member

      With WPS PIN enabled it's not difficult to get access with Kali Linux anyway; any kid can do it nowadays. Make sure that shiz is turned off.

    • KuJoe Member, Provider

      @rm_ said:
      Set up your network so that these are on separate VLANs/SSIDs, and that the guest ones don't have access to sensitive ones.

      I can't find a way to set up VLANs on wireless interfaces, especially when the guest interface is a slave to the primary interface. If I could VLAN my network off then things would be much easier, although my biggest security issue is physical and not wireless, so VLANs won't protect me from people wanting access to my security system.

      rds100 said: People knowing your wifi password can probably just scan your private subnet to find out all your devices if they want to. People breaking in your house.. they are not after your IPs :)

      People breaking into my house would probably love to disable my security system though. ;)

    • KuJoe Member, Provider

      I'm not sure how we got so off topic since these security concerns don't affect 99% of people. I already said my case is extremely rare and people in my situation probably don't care as much about network security as I do.

    • rm_ Member

      KuJoe said: I can't find a way to setup VLANs on wireless interfaces especially when the guest interface is a slave to the primary interface. If I could VLAN my network off then things would be much easier although my biggest security issue is physical and not wireless though so VLANs won't protect me from people wanting access to my security system.

      For wireless you set up two different SSIDs, and then bridge those SSIDs with trusted/guest VLANs on the wired side (if that's even required; could just give the guest SSID access to WAN only). This all is easily done with e.g. OpenWRT.

    • KuJoe Member, Provider

      rm_ said: For wireless you set up two different SSIDs, and then bridge those SSIDs with trusted/guest VLANs on the wired side (if that's even required; could just give the guest SSID access to WAN only). This all is easily done with e.g. OpenWRT.

      When I was researching this Mikrotik only allowed one VLAN for all wireless interfaces (since they are all the same physical interface with just virtual interfaces). I'll look into it but as of a few months ago it either wasn't possible or nobody on their forum could figure out how.

    • Ishaq Member, Provider

      raza19 said: yup netgear has done this for ages

      Because Netgear owns routerlogin.net.

      kcaj said: Not quite.

      Hm, you're right. I didn't bother querying the domain externally.

    • Ishaq Member, Provider

      ATHK said: With WPS pin enabled

      There's actually a newer WPS exploit that isn't PIN bruteforcing, called pixiedust.

      If the router's network chipset is vulnerable (I think Ralink, Realtek, and some Broadcom are), it can calculate the WPS PIN after scripts like reaver sniff the hashes during a transaction.

      Look it up. It's quite interesting.

    • perennate Member, Provider

      singsing said: If I use a browser exploit to attack low-hanging fruit on your LAN, I can then turn around and attack your more important machines on your LAN from within the LAN, even without root permissions on the beachhead machine (with root permissions it would be easier to do packet sniffing to discover local addresses). Exporting any NFS or Samba shares to your LAN from your shiny otherwise-firewalled Linux box? Maybe not you, but many people do, and these softwares are far from perfect. Randomization is a good idea.

      Really, randomization for IPv4??

    • @kcaj said:
      Jacks-MacBook-Air:~ jackxxx$

      You didn't get the pun my friend.


    • perennate said: Really, randomization for IPv4??

      Depends what kind of attack; against some it may help. If an attack is based on fooling the browser into making a connect() to a LAN address, but only once per page load, or you can only have one outstanding connection with a long timeout, you can see why it would be hard to scan a /8. If you also randomize the ports you put services on on your LAN, you require even more throughput for an attacker to find services.

    • Nat IPv4?

      yyyyyy

    • perennate Member, Provider
      edited August 2015

      singsing said: Depends what kind of attack, against some it may help. If an attack is based on fooling the browser into making a connect() to a LAN address, but only once per page load, or you can only have one outstanding connection with a long timeout, you can see why it would be hard to scan an /8. If you also randomize the ports you put services on on your LAN, you require even more throughput for an attacker to find services.

      If you're connecting from a browser attack, presumably the browser would have access to the private DNS infrastructure (otherwise it could be firewalled from whatever sensitive services are running).

      Anyway I suppose for some situations you might care, but in this case it sounds like the convenience outweighs the potential security risk.

    • Keep in mind that such things are called "DNS rebinding" attacks. Many DNS servers filter this by default, and you might run into issues if you, for example, use a laptop that needs to resolve a domain into an IP address inside a VPN when you're at some public Wi-Fi.

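The rebinding-protection policy that several posts attribute to pfSense, OpenDNS and other resolvers (drop answers that point a public name into RFC1918 or ULA space), together with the usual escape hatch of allow-listing your own zones, written out as an added example. This is not code from the thread or from any of those products; the record names and addresses are constructed, and the allow-list zone `mydomain.com` is taken from the opening post.

```python
"""Rebinding-style filter: drop DNS answers that point a name at private
address space unless the name is in one of the owner's own zones.
Added example with constructed data, not code from this thread or from
pfSense/OpenDNS."""
import ipaddress
from dataclasses import dataclass

# Ranges a public name should not normally resolve to: RFC1918, link-local,
# loopback, and the IPv6 ULA block (fc00::/7) mentioned in the thread.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]

@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "nas.mydomain.com."
    rtype: str   # "A", "AAAA", "MX", ...
    rdata: str   # record data as text

def is_private(addr: str) -> bool:
    """True if addr falls in any of PRIVATE_NETS (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def in_allowed_zone(name: str, allowed_zones) -> bool:
    """True if name equals or is a subdomain of one of allowed_zones."""
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z)
               for z in (zone.lower().rstrip(".") for zone in allowed_zones))

def filter_answer(records, allowed_zones=()):
    """Split records into (kept, dropped): A/AAAA records pointing into
    private space are dropped unless their owner name lies inside an
    allowed zone; every other record type passes untouched."""
    kept, dropped = [], []
    for r in records:
        if (r.rtype in ("A", "AAAA") and is_private(r.rdata)
                and not in_allowed_zone(r.name, allowed_zones)):
            dropped.append(r)
        else:
            kept.append(r)
    return kept, dropped

# Constructed answer set: two of the owner's own LAN hosts, one public host,
# one public name that points into 10/8 (the rebinding pattern), one MX.
SAMPLE = [
    Record("tentaclehentaiserver.mydomain.com.", "A", "192.168.1.15"),
    Record("nas.mydomain.com.", "AAAA", "fd12:3456:789a::17"),
    Record("www.example.net.", "A", "203.0.113.10"),
    Record("login.example.net.", "A", "10.0.0.1"),
    Record("mydomain.com.", "MX", "mx.mydomain.com."),
]

if __name__ == "__main__":
    kept, dropped = filter_answer(SAMPLE, allowed_zones=["mydomain.com"])
    for r in kept:
        print("keep", r.name, r.rtype, r.rdata)
    for r in dropped:
        print("DROP", r.name, r.rtype, r.rdata)
```

With an empty allow-list the same input loses all three private answers, which is the behaviour the VPN-on-public-Wi-Fi post above runs into; with the home zone allow-listed only the 10/8 answer for the unrelated name is dropped.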
