[Collisions] "controlled interruption" - 127/8 versus RFC1918 space
chris at donuts.co
Thu Jan 9 16:38:40 UTC 2014
Interesting idea to return both values. Makes it significantly more
obvious to hopefully prompt a web search to see what's going on.
On Thu, Jan 9, 2014 at 8:22 AM, Rubens Kuhl <rubensk at nic.br> wrote:
> On 09/01/2014, at 14:18:000, Jeff Schmidt <jschmidt at jasadvisors.com>
> re: "controlled interruption" (see
> It has been suggested instead of using 127.0.53.53, use something within
> RFC1918 space (for example, 10.53.53.53). The thinking being that using
> 1918 space allows someone who wants to monitor which boxes are resolving
> those DNS names (and getting the flag IPs) to do so more easily by
> honeypotting these responses, logging at a firewall, etc. Such tricks are
> harder in 127/8 space. Looking for errors generated by the 127/8 addresses
> would involve searching individual application layer logs for connection
> errors to those addresses.
> Two phases could be used – a period that returns 127.0.53.53 and a second
> that returns 10.53.53.53.
> While I see the value, I'm also a bit leery about injecting unexpected
> responses into 1918 space that could possibly be in use within the
> enterprise. That may cause unintended consequences itself.
> Thoughts? Value trade between possibly more effective notification vs.
> "protecting the sanctity" of RFC1918 space?
> We could also return both values either all times or on the second period
> in a round-robin fashion.
Chris Cowherd, CTO Donuts Inc.
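
The trade-off discussed in this thread, as an added example that is not part of the original message: a resolver-side check that finds clients receiving either flag address, a test of whether a flag address can be seen by network monitoring at all, and a check for the RFC1918 overlap concern. The log format, the sample lines, the enterprise prefixes and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Flag addresses named in the thread.
FLAG_IPS = {ipaddress.ip_address("127.0.53.53"), ipaddress.ip_address("10.53.53.53")}

# Constructed sample: hypothetical resolver log, one response per line.
SAMPLE_RESOLVER_LOG = """\
client=192.0.2.10 qname=mail.corp.example answer=127.0.53.53
client=192.0.2.11 qname=www.example.org answer=198.51.100.7
client=192.0.2.10 qname=intranet.corp.example answer=127.0.53.53,10.53.53.53
client=192.0.2.12 qname=files.corp.example answer=10.53.53.53
"""

# Constructed sample: prefixes a hypothetical enterprise already routes internally.
SAMPLE_IN_USE = ["10.0.0.0/16", "10.53.0.0/16", "172.16.4.0/24"]

LINE_RE = re.compile(r"client=(\S+) qname=(\S+) answer=(\S+)")

def flagged_clients(log_text):
    """Map client IP -> set of (qname, flag IP) for answers carrying a flag address."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        client, qname, answers = m.groups()
        for a in answers.split(","):
            try:
                ip = ipaddress.ip_address(a)
            except ValueError:
                continue  # non-address answer data (e.g. a CNAME target)
            if ip in FLAG_IPS:
                hits[client].add((qname, str(ip)))
    return dict(hits)

def observable_on_network(flag_ip):
    """Loopback traffic stays on the host, so a firewall or honeypot never sees it."""
    return not ipaddress.ip_address(flag_ip).is_loopback

def colliding_prefixes(flag_ip, in_use):
    """Return the in-use prefixes that already contain the flag address."""
    ip = ipaddress.ip_address(flag_ip)
    return [p for p in in_use if ip in ipaddress.ip_network(p)]
```
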