DNS and private rfc1918 addresses
#1  Chris Davies, January 12th 15, 02:37 AM, posted to uk.telecom.broadband

Can anyone cite me a reference that states definitively whether a DNS
proxy, such as one run by an ISP, is permitted to ignore valid lookups
that result in an address within RFC1918 space. Please?

For reasons related to Windows, VPN, and non-technical users, we provide
internally-valid 10.x.x.x addresses in response to lookups in the public
DNS for certain hosts in our domain. At least one UK ISP refuses to return
these A records, claiming that they are private address space (which they
are) and so can't be routed over the Internet. This is causing frustration
for our users who have this ISP at home and want to VPN to our office.

(I can give more details, but I'm concerned this post is already too
long.)

Much appreciated,
Chris
#2  Chris Davies, January 12th 15, 01:56 PM, posted to uk.telecom.broadband

Davern wrote:
Indirect references to such addresses should be contained within the
enterprise.


Bother!

But thank you.
Chris

#3  Chris Davies, January 12th 15, 02:14 PM, posted to uk.telecom.broadband

Graham J wrote:
I can think of three ways to work around it - but without understanding
your detailed requirements I'm not sure whether any would work.


1) Use a dial-in VPN facility, into something like a Vigor V2830 router.
The remote user has a dial-in VPN set up on his computer (you may need
to do this for him) and once he connects he has an IP address on your
office LAN, and his DNS server is your office DNS server (as specified
by the settings in your router), so all the lookups for internal
resources will work. Note that all his internet traffic will go
through your office LAN and WAN for the duration of the connection.


Yep. We do have VPN to a central point. The problem is that on Windows
(at least), web browsers cache name/address lookups rather than deferring
all name/address lookups to the PC's DNS subsystem. The scenario that
gets our users upset is this fairly typical one:

- User opens web browser and loads Intranet page
- Web browser uses DNS to look up name and gets "no such name",
because it's not in our external DNS
- User remembers to start VPN client and tries web browser again
- Web browser knows there's no such host name, so refuses to try again
- User gets frustrated

With the scenario that we can deliver the RFC1918 address for our Intranet
over the public DNS we get this instead:

- User opens web browser and loads Intranet page
- Web browser uses DNS to look up name and gets RFC1918 address. Web
browser attempts to load page but fails because there's
(correctly) no route to an RFC1918 address over the Internet
- User remembers to start VPN client and tries web browser again
- Web browser has a valid name/address lookup and so tries again. With
success this time
- User is happy

The killer is that web browsers do not honour DNS negative-cache TTL, so
we can't even drop that down to a low value such as 60 seconds. I can't
control the users' home PCs (and don't want to, even if I could), so any
per-user solution has to be something I can suggest rather than mandate.

It gets worse for corporate laptops, etc., where it's quite likely that
the browser's home page will be our Intranet.


2) Use a LAN-to-LAN VPN, nailed up [...] ALL his internet traffic will
go through your office LAN and WAN [...]


Not an option for home users, thanks.


3) Get several public IP addresses for those hosts you want to make
available to your remote users. Configure a suitable router/firewall to
allow traffic into those hosts from your remote clients (think Cisco).


We don't want to expose the Intranet to the world at large, and given that
as part of our "business" we allow people to sponsor children in certain
poorer countries the implications of the Intranet content leaking are
pretty painful. The majority of our home users are on DHCP so it's not
possible to identify them by address. We could demand username/password
lookups to access the Intranet (and associated resources) but that feels
to me like we're broadening the potential attack surface area.

Chris
#4  Chris Davies, January 12th 15, 09:19 PM, posted to uk.telecom.broadband

Sounds like Plusnet then.

Plusnet Support Team wrote:
I suspect it is.


Yep. It is PlusNet. I've had a ticket open on this but I'm not
convinced that anyone in infrastructure read what I was trying to
do, before returning it to 1st Line with a "we won't route private
addresses". However, I was originally trying to keep PlusNet's name out
of the discussion, since I don't see the value in whinging publicly when
I've already had the conversation as a customer.

On the other hand, asking people for solutions seemed to me to be
fair game...


I'm no expert on VPN configs, but I'm fairly certain there's a more
graceful way to do this that doesn't involve using public DNS resolvers
to return addresses for private/local host names.


Windows based VPNs are generally happy to route queries to different
resolvers depending on the domain. Linux-based ones have to be kicked
to do this (usually by using something like dnsmasq on the client and
pointing resolv.conf to 127.0.0.1).

It doesn't help my problem as described in my (other) follow-up post,
though :-(

Chris
#5  DaverN, January 13th 15, 12:22 AM, posted to uk.telecom.broadband

On 12/01/2015 02:37, Chris Davies wrote:
Can anyone cite me a reference that states definitively whether a DNS
proxy, such as one run by an ISP, is permitted to ignore valid lookups
that result in an address within RFC1918 space. Please?


The last 2 paragraphs of Section 3, RFC1918, appear to answer your
question directly:-

"Because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise
links, and packets with private source or destination addresses
should not be forwarded across such links. Routers in networks not
using private address space, especially those of Internet service
providers, are expected to be configured to reject (filter out)
routing information about private networks. If such a router receives
such information the rejection shall not be treated as a routing
protocol error.

Indirect references to such addresses should be contained within the
enterprise. Prominent examples of such references are DNS Resource
Records and other information referring to internal private
addresses. In particular, Internet service providers should take
measures to prevent such leakage."

Whilst the precise meaning of the words 'routing information' might be
open to some interpretation, the following paragraph seems to be
unambiguous notwithstanding the use of the word 'should'.

--
Davern
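As an added illustration (not code from the thread or from any ISP's resolver), here is what the answer-side RFC 1918 filtering the quoted paragraph asks providers for, and that the original poster is running into, looks like in Python: it parses the answer section of a DNS response, handling name compression, and separates RFC 1918 A records from the rest. The response bytes, the name intranet.example.org and the addresses are constructed for the example.

```python
import ipaddress
import struct

# RFC 1918 blocks only; ipaddress's is_private also flags loopback, link-local and
# documentation ranges, which a resolver filter should not confuse with RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_response(name, addrs, ttl=300):
    """Constructed sample DNS response: one question plus one A record per address."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:  # 0xC00C is a compression pointer back to the name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(a).packed
    return header + question + answers

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    for _ in range(128):  # hop limit so a looping pointer cannot hang the parser
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: follow it, but resume after the 2-byte pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode())
        off += length
    raise ValueError("malformed name")

def filter_rfc1918_answers(msg):
    """Split answer-section A records into (kept, dropped) lists of (name, ip)."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    kept, dropped = [], []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ip = ipaddress.IPv4Address(rdata)
            (dropped if any(ip in net for net in RFC1918) else kept).append((name, str(ip)))
    return kept, dropped

# Constructed sample: the thread's intranet name answering with RFC 1918 10.11.12.13 and a public TEST-NET-3 address.
SAMPLE = build_response("intranet.example.org", ["10.11.12.13", "203.0.113.10"])
```

A resolver that behaves like the one described would forward only the kept records, so a VPN client resolving the intranet name through it never sees the 10.x.x.x answer.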

#6  Chris Davies, January 13th 15, 02:58 AM, posted to uk.telecom.broadband

Graham J wrote:
- User opens web browser and loads Intranet page

Do you mean - tries to load Intranet page?


Yep.


- Web browser uses DNS to look up name and gets "no such name",

because it's not in our external DNS


Yep.


I think the key point here is that your intranet refers to itself by
name, thereby forcing a name lookup. If it specified itself by IP
address then the browser would attempt a direct connection


Users can remember something like intranet.example.org. They're less
likely to remember something like 10.11.12.13. But it's an interesting
option to consider.


Have a script to bring up the VPN - in this have a line to flush the DNS
cache once the VPN is up.


It's not the DNS cache that's the problem; it's the browser's
reimplementation of the DNS cache that is the problem. This isn't
accessible with ipconfig /flushdns.


Does restarting the browser flush its own cache (I think it does). So
train the users to close and reopen the browser ...


Don't know. Should know. I'll go find out.


You could suggest that if users cannot remember to bring up the VPN
first (or at least not complain if they forget) then they are not
competent to use the service you provide, so you insist that you put
in place a management mechanism with which to support them.


At the user's home it's not my PC. I really don't want to have to support
other people's systems more than I have to.

Thanks for the thoughts.
Chris
#7  Graham J, January 13th 15, 08:32 AM, posted to uk.telecom.broadband

Chris Davies wrote:
Can anyone cite me a reference that states definitively whether a DNS
proxy, such as one run by an ISP, is permitted to ignore valid lookups
that result in an address within RFC1918 space. Please?

For reasons related to Windows, VPN, and non-technical users, we provide
internally-valid 10.x.x.x addresses in response to lookups in the public
DNS for certain hosts in our domain. At least one UK ISP refuses to return
these A records, claiming that they are private address space (which they
are) and so can't be routed over the Internet. This is causing frustration
for our users who have this ISP at home and want to VPN to our office.

(I can give more details, but I'm concerned this post is already too
long.)

Much appreciated,
Chris


I think this is a perfectly reasonable limitation by those ISPs.

I can think of three ways to work around it - but without understanding
your detailed requirements I'm not sure whether any would work.

1) Use a dial-in VPN facility, into something like a Vigor V2830 router.
The remote user has a dial-in VPN set up on his computer (you may need
to do this for him) and once he connects he has an IP address on your
office LAN, and his DNS server is your office DNS server (as specified
by the settings in your router), so all the lookups for internal
resources will work. Note that all his internet traffic will go
through your office LAN and WAN for the duration of the connection.

2) Use a LAN-to-LAN VPN, nailed up. This (almost certainly) means your
remote user must have a static public IP address - with consequent
benefits for your ability to help him remotely. Also probably means he
has to use a better class of ISP so will get improved reliability.
Configure his router to point to your office DNS server. You provide
him with a router, pre-configured. The disadvantage of this is that
ALL his internet traffic will go through your office LAN and WAN, so it
will be measurably slower (limited by the upload speed of your office WAN).

I do this for a business with a remote office. It works adequately.

3) Get several public IP addresses for those hosts you want to make
available to your remote users. Configure a suitable router/firewall to
allow traffic into those hosts from your remote clients (think Cisco).
Then these hosts can have legitimate DNS lookups from anywhere.

Does any of this help?

--
Graham J

#8  Gordon Henderson, January 13th 15, 11:19 AM, posted to uk.telecom.broadband

In article ,
Chris Davies wrote:
Can anyone cite me a reference that states definitively whether a DNS
proxy, such as one run by an ISP, is permitted to ignore valid lookups
that result in an address within RFC1918 space. Please?

For reasons related to Windows, VPN, and non-technical users, we provide
internally-valid 10.x.x.x addresses in response to lookups in the public
DNS for certain hosts in our domain. At least one UK ISP refuses to return
these A records, claiming that they are private address space (which they
are) and so can't be routed over the Internet. This is causing frustration
for our users who have this ISP at home and want to VPN to our office.

(I can give more details, but I'm concerned this post is already too
long.)


Sounds like Plusnet then.

I've a client setup like this because it saves having the remote users
change their DNS to use the internal DNS servers when they connect up
the VPN, so the few hosts they need access to are simply placed on the
public DNS for the company.

Works well - apart from one poor sod who uses Plusnet. I got him
to change his DNS servers to googles and it now works fine for him.

(We're using OpenVpn and Linux to Linux FWIW)

Gordon
#9  PlusNet Support Team, January 13th 15, 11:29 AM, posted to uk.telecom.broadband

On 13/01/2015 11:19, Gordon Henderson wrote:
In article ,
Chris Davies wrote:
Can anyone cite me a reference that states definitively whether a DNS
proxy, such as one run by an ISP, is permitted to ignore valid lookups
that result in an address within RFC1918 space. Please?

For reasons related to Windows, VPN, and non-technical users, we provide
internally-valid 10.x.x.x addresses in response to lookups in the public
DNS for certain hosts in our domain. At least one UK ISP refuses to return
these A records, claiming that they are private address space (which they
are) and so can't be routed over the Internet. This is causing frustration
for our users who have this ISP at home and want to VPN to our office.

(I can give more details, but I'm concerned this post is already too
long.)


Sounds like Plusnet then.


I suspect it is. It's probably a nuance of the software we're using
(PowerDNS I think).

I've a client setup like this because it saves having the remote users
change their DNS to use the internal DNS servers when they connect up
the VPN, so the few hosts they need access to are simply placed on the
public DNS for the company.


This seems a really shoddy way to do things IMO. I'm no expert on VPN
configs, but I'm fairly certain there's a more graceful way to do this
that doesn't involve using public DNS resolvers to return addresses for
private/local host names.

Works well - apart from one poor sod who uses Plusnet. I got him
to change his DNS servers to googles and it now works fine for him.

(We're using OpenVpn and Linux to Linux FWIW)


Can't the VPN be configured to assign different DNS addresses on connection?

--
Bob Pullen, Plusnet Support, Plusnet Plc.
Broadband Solutions for Home & Business @ www.plus.net
twitter.com/plusnet
#10  DaverN, January 13th 15, 12:52 PM, posted to uk.telecom.broadband

On 13/01/2015 11:29, Plusnet Support Team wrote:
[...]
Can't the VPN be configured to assign different DNS addresses on
connection?


An OpenVPN server can, e.g.

...
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
...

I can't confirm that it still works using a private IP address range but
I can't see any reason that it wouldn't.

--
Davern
