These people should run Split-horizon DNS;
Host | Wrong IP address | Reason |
---|---|---|
49-158-122-143.dynamic.elinx.com.tw | 0.0.0.0 | Unconfigured |
49-158-164-12.dynamic.elinx.com.tw | 0.0.0.0 | Unconfigured |
dbserver21.x26.nl | 192.168.3.21 | RFC 1918 |
dbserver41.x26.nl | 192.168.3.41 | RFC 1918 |
fastly-tls12-bam.eu01.nr-data.net | ::ffff:185.221.87.23 | IPv4-mapped IPv6 addresses |
fastly-tls12-bam.nr-data.net | ::ffff:162.247.243.29 | IPv4-mapped IPv6 addresses |
none.underplatform.com | 192.168.6.177 | RFC 1918 |
ns1.netplus.co.in | 64:ff9b::6729:17c2 | RFC 6052 |
ns2.netplus.co.in | 64:ff9b::6729:17c3 | RFC 6052 |
supermicro1.x26.nl | 192.168.2.71 | RFC 1918 |
supermicro3.x26.nl | 192.168.2.73 | RFC 1918 |
Last update: Thu 7 Nov 07:02:01 UTC 2024
You can block answers like these with Bind's 'deny-answer-addresses' feature;
deny-answer-addresses { // Unconfigured 0.0.0.0; // RFC 1918 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; // RFC 3927 169.254.0.0/16; // IPv6 // :: to ::ffff:ffff:ffff. // Includes ::, ::1, IPv4-Compatible IPv6 Addresses ::/96, // and IPv4-mapped IPv6 addresses ::ffff:0:0/96 ::/80; // RFC 6052 64:ff9b::/96; // Reserved for Documentation 2001:db8::/32; // IPv6 Unique Local fc00::/7; // IPv6 Link local fe80::/10; // IPv6 Site local fec0::/10; // Your IPv6 address range(s) Net/Mask } except-from { "Your.Domain"; }; deny-answer-aliases { "Your.Domain"; };
The produces log entries like;
Aug 21 19:31:01 sput named[1601]: answer address 10.0.0.100 denied for spacefon.com/A/IN
Not blocking these addresses can be a serious security risk.