Putting 192.168 addresses in public DNS

raindog308 Administrator, Veteran

On my home LAN I have a dozen or so PCs, servers, and VMs. I use a domain for all my home stuff and rather than setting up DNS at home, it occurred to me I could just put A records with 192.168.* records in my registrar's DNS.

So if I look up tentaclehentaiserver.mydomain.com it would come back as 192.168.1.15. Obviously, you can't get to it unless you're on my LAN.

It seems weird but I am having a hard time thinking of a downside. Running my own DNS at home isn't hard but then I have to make it redundant, etc. and set it up as a recursive server since I'd have to point clients at it. Right now I'm just copying a host file around, and sometimes when a family member wants to go to our home web server they have to type in the IP address or edit their local hosts, etc.

The only exposure I can think of is that if someone managed to do a zone transfer, they'd have a list of all the servers in my house, though my registrar's DNS doesn't allow zone transfers.

I'm sure RFC1918 entries weren't necessarily meant to be in public DNS but...what does it really hurt?

Thanked by 1GM2015

Comments

  • AnthonySmith Member, Patron Provider

    I am face palming at the fact I never considered this myself....

  • LordSpock Member, Host Rep

    Should work fine, some big router companies do it.

  • @AnthonySmith said:
    I am face palming at the fact I never considered this myself....

    Live stream it XD

  • teknolaiz Member
    edited August 2015

    I only say "hosts" file. Whenever I need to point a domain to a local IP or an IP of a different server without leaking it, I simply make entries in the hosts file. Works even if I use like 3 different DNS servers per protocol (3 for IPv4 and 3 for IPv6). Make it work globally? I replace the hosts file of the gateway.

    But I see this would probably be much easier than that, though :) . Good job figuring it out!

  • I do this! No issues so far, with cloudflare for DNS.

  • I do the same. Love your tags, btw.

    Thanked by 1raindog308
  • If you run pfSense it will hijack and block the query; there's some RFC for that to prevent local attacks.

    Thanked by 1outime
  • scy Member

    raindog308 said: Running my own DNS at home isn't hard but then I have to make it redundant, etc.

    Well home dns on your own lan could be nice: you set up a simple resolver and you add your own custom domains (pdnsd could do that easily). Once cached locally everything will be faster and more secure as your own server won't easily lie to you.

    And why would you need it to be redundant? If the machine that hosts your dns server goes down, just fix it :) (well, it assumes that you have a machine that stays online 24/7)

  • @William said:
    If you run pfSense it will hijack and block the query; there's some RFC for that to prevent local attacks.

    Pretty sure you can turn that off.

    RFC1918 IPs in public DNS servers are somewhat frowned upon, and some providers of caching/forwarding nameservers will block them from appearing (I think OpenDNS offers such an option).

    I think some in the security industry will probably also say it's a bad idea as it reveals information about your internal network.

    All that said, it's not going to break the internet if you did do it, and it's by far not the worst thing you could do.

    I've had to do it in the past for a captive portal on a very basic Wi-Fi install (didn't have a local DNS resolver).
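The "hijack and block the query" behaviour mentioned above is DNS-rebind protection on a caching/forwarding resolver. The following is an added example, not code from pfSense, OpenDNS or any poster in this thread; it models that policy over a constructed set of answers: A/AAAA records from a public zone that point at RFC1918, ULA, loopback or link-local space are withheld from clients unless the zone has been explicitly allow-listed (the "turn that off" case). The zone name mydomain.example and the sample records are assumptions.

```python
"""Simulated DNS-rebind protection on a forwarding resolver (added example)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# (owner name, record type, rdata): a minimal stand-in for one DNS record.
Answer = Tuple[str, str, str]

# Ranges a rebind filter treats as internal. Listed explicitly rather than via
# ipaddress.is_private, which also flags documentation ranges such as
# 203.0.113.0/24 that real resolvers pass through unchanged.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
        "127.0.0.0/8", "169.254.0.0/16",                  # IPv4 loopback, link-local
        "fc00::/7", "fe80::/10", "::1/128",               # IPv6 ULA, link-local, loopback
    )
]


def is_internal_address(rdata: str) -> bool:
    """True when rdata parses as an address inside one of INTERNAL_NETWORKS."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False  # CNAME/MX targets etc. are names, not addresses
    # `addr in net` is always False across IP versions, so mixing v4/v6 is safe.
    return any(addr in net for net in INTERNAL_NETWORKS)


def in_allowed_zone(name: str, allowed_zones: Iterable[str]) -> bool:
    """True when `name` equals or is a subdomain of any zone in allowed_zones."""
    name = name.rstrip(".").lower()
    for zone in allowed_zones:
        zone = zone.rstrip(".").lower()
        if name == zone or name.endswith("." + zone):
            return True
    return False


def filter_answers(answers: Iterable[Answer],
                   allowed_zones: Iterable[str] = ()) -> Dict[str, List[Answer]]:
    """Split answers into those a rebind-protecting resolver keeps and drops."""
    allowed = tuple(allowed_zones)
    kept: List[Answer] = []
    dropped: List[Answer] = []
    for name, rtype, rdata in answers:
        if (rtype in ("A", "AAAA")
                and is_internal_address(rdata)
                and not in_allowed_zone(name, allowed)):
            dropped.append((name, rtype, rdata))
        else:
            kept.append((name, rtype, rdata))
    return {"kept": kept, "dropped": dropped}


# Constructed sample answers (assumption): mydomain.example stands in for the
# OP's zone; 203.0.113.0/24 and 198.51.100.0/24 (documentation ranges) stand in
# for ordinary public addresses.
SAMPLE_ANSWERS: List[Answer] = [
    ("nas.mydomain.example.", "A", "192.168.1.15"),
    ("www.mydomain.example.", "A", "203.0.113.10"),
    ("printer.mydomain.example.", "AAAA", "fd12:3456:789a::1"),
    ("mail.mydomain.example.", "CNAME", "www.mydomain.example."),
    ("cdn.other.example.", "A", "198.51.100.7"),
    ("trap.other.example.", "A", "127.0.0.1"),
]


def dropped_names(answers: Iterable[Answer],
                  allowed_zones: Iterable[str] = ()) -> List[str]:
    """Owner names the filter would withhold from clients, for quick inspection."""
    return [name for name, _, _ in filter_answers(answers, allowed_zones)["dropped"]]


if __name__ == "__main__":
    print("default policy drops:", dropped_names(SAMPLE_ANSWERS))
    print("with mydomain.example allow-listed, drops:",
          dropped_names(SAMPLE_ANSWERS, ["mydomain.example"]))
```

With the default policy the LAN host, the ULA printer and the loopback "trap" record are all withheld, which is exactly why the OP's scheme breaks behind such a resolver; allow-listing your own zone keeps your LAN names resolving while still dropping private answers from zones you do not control.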

  • MikePT Moderator, Patron Provider, Veteran

    I've done this for years, and that's fine :-).

  • Same, no issues with doing it at all. Definitely makes it a lot more manageable, and removes the whole "edit the hosts file as admin" requirement.

  • Ishaq Member
    edited August 2015

    There's a site dedicated to this:

    routerlogin.net

  • J1021 Member
    edited August 2015

    Ishaq said: There's a site dedicated to this:

    routerlogin.net

    Not quite. Most home routers are running a DNS proxy and return 192.168.0.1 or whatever themselves.

    Jacks-MacBook-Air:~ jackxxx$ dig a routerlogin.net
    
    ; <<>> DiG 9.8.3-P1 <<>> a routerlogin.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50970
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;routerlogin.net.       IN  A
    
    ;; AUTHORITY SECTION:
    routerlogin.net.    900 IN  SOA nsone.netgear.com. dns.netgear.com. 22 10800 3600 2592000 900
    
    ;; Query time: 361 msec
    ;; SERVER: 109.74.192.20#53(109.74.192.20)
    ;; WHEN: Mon Aug 31 00:10:16 2015
    ;; MSG SIZE  rcvd: 90
    
    Jacks-MacBook-Air:~ jackxxx$
    
  • elgs Member

    It doesn't hurt. It only affects those who use your DNS server.

  • Hidden_Refuge said: I replace the hosts file of the gateway.

    That's what I do. Surely it doesn't get any easier than that, since whatever you do you'll have to type the numbers once anyway. You can also put all kinds of local shortcuts in there as well.

  • raindog308 Administrator, Veteran

    Hidden_Refuge said: I replace the hosts file of the gateway.

    Do you mean having your Internet router serve these DNS entries?

  • KuJoe Member, Host Rep

    Does anybody run their own DNS servers at home anymore?

  • @KuJoe said:
    Does anybody run their own DNS servers at home anymore?

    I still do, but it's really only a legacy server at this point. I've long ago switched to using .local naming for everything on my LAN.

  • ATHK Member

    Am I right in saying some higher end home routers do this already?

    Mine, being $250+ AUD, allows hostnames for the router and attached devices, e.g.

    Router = home.local
    NAS = nas.local

    They do resolve, so a need for an internal or external DNS server in some special cases doesn't have to exist.

  • Already been done for all 4.3 billion IPv4 addresses.

    http://xip.io/

    Excellent for when something claims it needs a hostname rather than an IPv4 only.

    Thanked by 2jrsmith netomx
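The xip.io service linked above works by encoding the target address in the hostname itself, so one wildcard zone answers for every IPv4 address without a record per host. The following is an added example, not xip.io's own code; it reproduces that mapping in miniature and handles the malformed cases (no embedded address, an octet over 255, a name outside the zone). The base zone xip.example is an assumption standing in for xip.io.

```python
"""xip.io-style wildcard DNS in miniature (added example, not xip.io's code)."""
import ipaddress
from typing import Optional, Tuple

BASE_ZONE = "xip.example"  # assumption: stands in for the real xip.io zone


def embedded_ipv4(hostname: str, base_zone: str = BASE_ZONE) -> Optional[str]:
    """Return the dotted quad encoded in `hostname`, or None if there is none.

    Rules: the name must be under base_zone; the four labels immediately
    before the base must each be a decimal octet 0-255; anything in front
    of them (e.g. "app." or "www.dev.") is ignored, as xip.io does.
    """
    labels = hostname.rstrip(".").lower().split(".")
    base = base_zone.rstrip(".").lower().split(".")
    if len(labels) < len(base) + 4 or labels[-len(base):] != base:
        return None
    octets = labels[-len(base) - 4:-len(base)]
    try:
        # IPv4Address rejects out-of-range octets, empty and non-numeric labels.
        return str(ipaddress.IPv4Address(".".join(octets)))
    except ValueError:
        return None


def answer(hostname: str, base_zone: str = BASE_ZONE) -> Tuple[str, Optional[str]]:
    """Shape of the reply such a wildcard server gives: an A record or NXDOMAIN."""
    ip = embedded_ipv4(hostname, base_zone)
    return ("A", ip) if ip else ("NXDOMAIN", None)


def is_rfc1918(ip: str) -> bool:
    """True when the encoded address is private; such answers are what resolvers
    with rebind protection refuse to return (the pfSense point earlier)."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


if __name__ == "__main__":
    # Constructed queries; nas.192.168.1.15.xip.example mirrors the OP's LAN host.
    for q in ("nas.192.168.1.15.xip.example", "10.0.0.1.xip.example",
              "www.xip.example", "256.1.1.1.xip.example"):
        print(q, "->", answer(q))
```

The convenience is real, but note that it is not a workaround for the information-disclosure or rebind concerns raised elsewhere in the thread: the private address is still visible in plain text in every query, and a resolver that filters RFC1918 answers drops these replies just as it would the OP's A records.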
  • ATHK Member

    @singsing said:
    Already been done for all 4.3 billion IPv4 addresses.

    http://xip.io/

    Excellent for when something claims it needs a hostname rather than an IPv4 only.

    But... you still have to provide the IP address. Not great for the non-tech-savvy.

  • rm_ IPv6 Advocate, Veteran
    edited August 2015

    KuJoe said: Does anybody run their own DNS servers at home anymore?

    I run one used just by my local recursor (not public-facing), so that my own domain keeps resolving at home in case [both] Internet links go down. And yes I do use public DNS for RFC1918 and IPv6 ULA extensively, nothing wrong with that.

  • The advantage of using a public DNS server instead of .local domains is that it also works e.g. through a VPN. You can just connect to your network from anywhere in the world, push the routes for the internal network and all DNS entries will work the same way they would if you were at home. To achieve this behaviour with .local domain names you'd also have to push a DNS server to the VPN clients.

  • gsrdgrdghd said: The advantage of using a public DNS server instead of .local domains is that it also works e.g. through a VPN.

    I use VPN and don't have a problem using the hosts file for local lookup. In Tomato just tick "Intercept DNS port (UDP 53)". I use three-letter names for all the computers here, and also visitors' initials when I have stuff to show them.

  • It works BUT you're painting a picture of your INTERNAL network for anyone who has the time to query. So I would think it's a security risk.

  • jeromeza said: So I would think its a security risk.

    Meh, most everyone starts numbering at 192.168.0.X or 10.0.0.X; it doesn't take a lot of work for an attacker to try an attack with a few different values of X to try to reach something. Of course, if you're really randomizing within 10/8, a bit of security is lost by publishing the address.

  • KuJoe Member, Host Rep
    edited August 2015

    As somebody who has multiple subnets at home I wouldn't want a map of them anywhere public so I keep my DNS internal. :)

  • rm_ IPv6 Advocate, Veteran
    edited August 2015

    jeromeza said: It works BUT you're painting a picture of your INTERNAL network for anyone who has the time to query.

    How exactly? Are you going to guess my hostnames by dictionary? I hope your dictionary includes Japanese words and Anime character names then? In any case this is going to take a lot longer than just going through all of the RFC1918 ranges (that's even assuming you somehow gained access to the local network in the first place...)

    KuJoe said: multiple subnets at home I wouldn't want a map of them anywhere public

    Okay at home I have one host with IP 192.168.0.214 and another with 192.168.9.117. What exactly does that give you?

    I could even let you know my IPv6 (but they're dynamic), still gives you nothing as no incoming connections from the outside are allowed by the firewall.

    With the way DNS works, no external client can just "list" all the records you have and get your "map", unless AXFR is allowed (which is disabled by default in nameservers and typically allowed to specific client IPs only). So the only way they could get that is via brute-forcing, and again, that isn't anywhere near effective or feasible.

    jeromeza said: So I would think its a security risk.

    Don't mistake your caveman-style "fearing of the unknown" with a genuine and well thought out mitigation of clearly formulated security risks.

    Thanked by 1impossiblystupid
  • Set up samba to broadcast NetBIOS names. Problem solved.

    *I'm assuming the family are using Windows

    Thanked by 1netomx