How not to do DNS for internal domains

November 16, 2005

Here's a brief recipe for how not to do DNS for your internal domains, as illustrated by eBay:

  1. Allow your internal subdomains to leak into your externally visible nameservers, so that when outside people query for '' they get back NS records instead of 'no such domain'.
  2. Use RFC 1918 private IP addresses in 10.*.*.* for your internal network, including the DNS servers for your internal subdomains. Such as
  3. Every so often, send out email with the envelope origin address of ''.
  4. Watch the comedy that ensues as people's mailers try to verify the MAIL FROM by querying the nameservers for to see if has an MX or an A record. You know, the internal nameservers with unreachable private 10.*.*.* IP addresses.

For extra comedy, consider what happens if eBay is trying to send email to an organization that is also using 10.*.*.* IP address space internally.

Since failure to reach nameservers usually causes a temporary failure during SMTP instead of a hard failure, this is really the gift that keeps on giving. (Which means that eBay pays a price for this too, since they get to sit on all of the stalled mail until it times out in four days or so.)
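To make the failure mode above concrete, here is an added example (mine, not from the original post) that models the two checks a practitioner would run: first, does an external resolver hand back a delegation for an internal zone at all, and if so, do any of its nameservers sit on a publicly reachable address; second, what a receiving MTA's MAIL FROM callout would answer in each case. The zone names and addresses are constructed placeholders, not eBay's. In practice the `ns_glue` dictionary would be filled from the answers to `dig NS` and `dig A` against a public resolver; the model only distinguishes lookup outcomes, not whether an MX or A record actually exists once a nameserver answers.

```python
import ipaddress

# RFC 1918 address space: never routable from the public Internet, so a
# nameserver that resolves only to one of these is unreachable for outsiders.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip):
    """True if `ip` is an IPv4 address inside one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETS)


def audit_delegation(zone, ns_glue):
    """Classify what an outsider sees for `zone`.

    `ns_glue` maps each NS name returned by an external resolver to the A
    records that NS name resolves to. An empty dict means the resolver
    returned NXDOMAIN / no delegation, which is the correct state for an
    internal-only zone.
    """
    private = {}
    reachable = []
    for ns, ips in ns_glue.items():
        bad = [ip for ip in ips if is_rfc1918(ip)]
        if bad:
            private[ns] = bad
        if any(not is_rfc1918(ip) for ip in ips):
            reachable.append(ns)
    reachable.sort()

    if not ns_glue:
        verdict = "not_delegated"        # good: the zone does not leak
    elif reachable:
        verdict = "reachable"            # delegated and at least one NS answers
    else:
        verdict = "leaked_unreachable"   # delegated, but every NS is in 10/8 etc.

    return {"zone": zone, "verdict": verdict,
            "reachable": reachable, "private": private}


def sender_verify(sender_domain, ns_glue):
    """Model of a receiving MTA's MAIL FROM callout.

    Returns the SMTP reply code and text the sending side would see. Only
    NXDOMAIN is a hard (5xx) failure; unreachable nameservers are a
    temporary (4xx) failure, so the sender keeps retrying until it gives up.
    """
    report = audit_delegation(sender_domain, ns_glue)
    if report["verdict"] == "not_delegated":
        return 550, "sender domain does not resolve"
    if report["verdict"] == "leaked_unreachable":
        return 451, "temporary failure looking up sender domain"
    return 250, "sender domain resolves"


# Constructed sample data (placeholders, not real zones or addresses).
LEAKED_INTERNAL = {          # internal zone visible outside, NS only in 10/8
    "ns1.corp.example.net": ["10.4.5.6"],
    "ns2.corp.example.net": ["10.4.5.7"],
}
PUBLIC_ZONE = {              # properly published zone; one NS has a public IP
    "ns1.example.net": ["198.51.100.10"],
    "ns2.example.net": ["10.0.0.2"],
}
NOT_DELEGATED = {}           # resolver returned NXDOMAIN

if __name__ == "__main__":
    for zone, glue in (("corp.example.net", LEAKED_INTERNAL),
                       ("example.net", PUBLIC_ZONE),
                       ("nope.example.net", NOT_DELEGATED)):
        print(audit_delegation(zone, glue))
        print(zone, "->", sender_verify(zone, glue))
```

The `leaked_unreachable` verdict is the case described in the post: the delegation exists, so the receiving MTA cannot say "no such domain", but every nameserver it is told to ask lives in private address space, so the lookup times out and the mail is tempfailed rather than bounced.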

(This happened some time ago, so I don't know if eBay is still sending out email with those internal addresses. The domains are certainly still leaking out, nameservers in 10.*.*.* and all.)

Written on 16 November 2005.

Last modified: Wed Nov 16 01:02:53 2005