Wandering Thoughts archives

2005-11-16

How not to do DNS for internal domains

Here's a brief recipe for how not to do DNS for your internal domains, as illustrated by eBay:

  1. Allow your internal subdomains to leak into your externally visible nameservers, so that when outside people query for 'sjc.ebay.com' they get back NS records instead of 'no such domain'.
  2. Use RFC 1918 private IP addresses in 10.*.*.* for your internal network, including the DNS servers for your internal subdomains, such as sjc.ebay.com.
  3. Every so often, send out email with the envelope origin address of 'cmuser@hoho.sjc.ebay.com'.
  4. Watch the comedy that ensues as people's mailers try to verify the MAIL FROM by querying the nameservers for sjc.ebay.com to see if hojo.sjc.ebay.com has an MX or an A record. You know, the internal nameservers with unreachable private 10.*.*.* IP addresses.

For extra comedy, consider what happens if eBay is trying to send email to an organization that is also using 10.*.*.* IP address space internally.

Since failure to reach nameservers usually causes a temporary failure during SMTP instead of a hard failure, this is really the gift that keeps on giving. (Which means that eBay pays a price for this too, since they get to sit on all of the stalled mail until it times out in four days or so.)
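The recipe above and the temporary-failure consequence are easy to reproduce in miniature. The following is an added example, not code from the original post and not anything eBay runs: it models a tiny DNS data set for a hypothetical example.com (constructed records, with documentation-range 192.0.2.x addresses standing in for public ones), flags delegations whose nameservers live entirely in RFC 1918 space, and then walks through the decision a verifying MTA would make for a MAIL FROM domain under such a delegation (reject, accept, or the tempfail that keeps the mail sitting in the queue). The function and record names are assumptions made for the example.

```python
import ipaddress

# RFC 1918 private ranges; a nameserver that only has addresses here is unreachable
# from the public internet, so an outside MTA can never complete a lookup against it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample DNS data (hypothetical example.com, not anyone's real records).
# name -> {rtype: [values]}; all names are fully qualified with a trailing dot.
SAMPLE_RECORDS = {
    "example.com.": {"NS": ["ns1.example.com.", "ns2.example.com."],
                     "MX": ["10 mail.example.com."]},
    "ns1.example.com.": {"A": ["192.0.2.10"]},   # 192.0.2.0/24 is documentation space
    "ns2.example.com.": {"A": ["192.0.2.11"]},
    "mail.example.com.": {"A": ["192.0.2.25"]},
    # The mistake from the recipe: an internal subdomain delegated in the public
    # zone, with nameservers that live in 10.0.0.0/8.
    "corp.example.com.": {"NS": ["ns1.corp.example.com.", "ns2.corp.example.com."]},
    "ns1.corp.example.com.": {"A": ["10.1.2.3"]},
    "ns2.corp.example.com.": {"A": ["10.1.2.4"]},
}


def lookup(records, name, rtype):
    """Return the records of type `rtype` at `name`, or [] if there are none."""
    return list(records.get(name, {}).get(rtype, []))


def closest_delegation(records, name):
    """Return (zone, nameservers) for the nearest enclosing name that has NS
    records, or (None, []) if nothing at or above `name` is delegated."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        ns = lookup(records, candidate, "NS")
        if ns:
            return candidate, ns
    return None, []


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def unreachable_nameservers(records, zone):
    """Nameservers of `zone` with no publicly routable address: either every
    A record is RFC 1918 or there is no A record at all (lame delegation)."""
    bad = []
    for ns in lookup(records, zone, "NS"):
        addrs = lookup(records, ns, "A")
        if not addrs or all(is_rfc1918(a) for a in addrs):
            bad.append((ns, addrs))
    return bad


def sender_verify(records, sender_domain):
    """Model an MTA's MAIL FROM domain check.
    'reject'   - the domain does not exist at all (hard failure, 5xx)
    'tempfail' - the domain is delegated but none of its nameservers can be
                 reached, so the MTA defers (4xx) and the message stays queued
    'accept'   - an MX or A record was found for the domain"""
    zone, ns = closest_delegation(records, sender_domain)
    if zone is None:
        return "reject"
    if len(unreachable_nameservers(records, zone)) == len(ns):
        return "tempfail"
    if lookup(records, sender_domain, "MX") or lookup(records, sender_domain, "A"):
        return "accept"
    return "reject"


def audit(records, zone):
    """Outside-in check: delegations below `zone` whose nameservers are all in
    private space, i.e. internal subdomains that leaked into the public zone."""
    leaks = {}
    for name in records:
        ns = lookup(records, name, "NS")
        if name.endswith("." + zone) and ns:
            bad = unreachable_nameservers(records, name)
            if len(bad) == len(ns):
                leaks[name] = [server for server, _ in bad]
    return leaks


if __name__ == "__main__":
    print("leaked delegations:", audit(SAMPLE_RECORDS, "example.com."))
    for sender in ("mail.example.com.", "hoho.corp.example.com.", "nowhere.example.org."):
        print(sender, "->", sender_verify(SAMPLE_RECORDS, sender))
```

Running the audit against a real public zone would mean replacing `SAMPLE_RECORDS` with actual resolver queries; the detection rule itself stays the same: any NS set that resolves only to 10/8, 172.16/12 or 192.168/16 is a delegation the outside world can see but never use, and any sender address under it will be deferred rather than rejected by callout-style verification.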

(This happened some time ago, so I don't know if eBay is still sending out email with those internal addresses. The domains are certainly still leaking out, nameservers in 10.*.*.* and all.)

sysadmin/BadInternalDomainDNS written at 01:02:53
