These people should run Split-horizon DNS;
Host | Wrong IP address | Reason |
---|---|---|
49-159-105-134.dynamic.elinx.com.tw | 0.0.0.0 | Unconfigured |
49-159-185-17.dynamic.elinx.com.tw | 0.0.0.0 | Unconfigured |
49-159-246-46.dynamic.elinx.com.tw | 0.0.0.0 | Unconfigured |
none.underplatform.com | 192.168.6.177 | RFC 1918 |
ns1.netplus.co.in | 64:ff9b::6729:17c2 | RFC 6052 |
ns2.netplus.co.in | 64:ff9b::6729:17c3 | RFC 6052 |
Last update: Tue 24 Dec 07:02:01 UTC 2024
You can block answers like these with Bind's 'deny-answer-addresses' feature;
deny-answer-addresses { // Unconfigured 0.0.0.0; // RFC 1918 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; // RFC 3927 169.254.0.0/16; // IPv6 // :: to ::ffff:ffff:ffff. // Includes ::, ::1, IPv4-Compatible IPv6 Addresses ::/96, // and IPv4-mapped IPv6 addresses ::ffff:0:0/96 ::/80; // RFC 6052 64:ff9b::/96; // Reserved for Documentation 2001:db8::/32; // IPv6 Unique Local fc00::/7; // IPv6 Link local fe80::/10; // IPv6 Site local fec0::/10; // Your IPv6 address range(s) Net/Mask } except-from { "Your.Domain"; }; deny-answer-aliases { "Your.Domain"; };
The produces log entries like;
Aug 21 19:31:01 sput named[1601]: answer address 10.0.0.100 denied for spacefon.com/A/IN
Not blocking these addresses can be a serious security risk.