Dan Lockwood wrote:
Everyone,
I have a customer that is multihomed, to a public ISP and to another large network that uses 10.0.0.0 address space. The private address space also has services available via public address space and consequently is running a split DNS service, public and private. Because of firewalls and the placement of DNS servers this customer has a nasty routing situation and in order to make DNS work for the private numbers, has spoofed the domain of the private network. My question is this: are there any documents or RFCs that outline what is an acceptable practice for running DNS and what is not? Their kluge of a network causes continuous problems for both the upstream ISP and the private network to which they are connecting and we may find ourselves in a situation where we have to say that 'xyz' is an acceptable way of operating and 'abc' is not. Any advice is appreciated. Thanks!
As you have probably realized, shooting yourself in the foot does hurt. Unfortunately not all textbooks warn about it but recommend doing large implementations of 1918 space. I would change the services to be dual-addressed, with both public and private addresses, it should fix most issues that bother users with real addresses. The ones on 10/8 addresses are supposed to experience degraded accessibility, so it's a feature there. In any case, the policy is that you're not supposed to leak anything on the headers nor the payload that contains 1918 addresses. In practice it does not work that way. (unfortunately) Pete