RFC 3330 defines some ranges which cannot be found on the Internet, for
example 192.0.2.0/24. As a result those ranges can be used behind NAT
like usual RFC 1918 IPs.
dnswall should make sure those ranges are not returned either.
The trivial patch provided below adds filtering for:
192.0.2.0/24 - This block is assigned as "TEST-NET" for use in
documentation and example code. It is often used in conjunction with
domain names example.com or example.net in vendor and protocol
documentation. Addresses within this block should not appear on the
public Internet.
You may consider filtering for this range as well:
198.18.0.0/15 - This block has been allocated for use in benchmark
tests of network interconnect devices. Its use is documented in
[RFC2544].
diff -ur dnswall.org/src/dnswall.c dnswall.documentation/src/dnswall.c
--- dnswall.org/src/dnswall.c 2007-11-14 19:59:52.000000000 +0000
+++ dnswall.documentation/src/dnswall.c 2010-01-01
15:25:31.000000000 +0000
@@ -94,6 +94,10 @@
(ptr[0] == 192 && ptr[1] == 168))
return 0;
+ // Documentation
+ if (ptr[0] == 192 && ptr[1] == 0 && ptr[2] == 2)
+ return 0;
+
// Multicast
// (we are unable to determine the groups internal machines
// belong to, so we have to block everything)
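Review bot: the hunk only adds the 192.0.2.0/24 check; the 198.18.0.0/15 benchmark block suggested above the patch is not covered, and since a /15 spans two second-octet values it cannot be written as the single three-octet equality this chain uses. If it is to be filtered in the same style, add `if (ptr[0] == 198 && (ptr[1] == 18 || ptr[1] == 19)) return 0;` under its own comment. Also, the `// Documentation` comment would serve the next maintainer better if it named the source, e.g. `// Documentation (RFC 3330 TEST-NET)`, in the same way the surrounding `// Multicast` block explains why its range is dropped.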
Original issue reported on code.google.com by thomas.mangin on 1 Jan 2010 at 3:40
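As an added example (not dnswall's own code and not part of the reporter's patch), the table-driven check below generalizes the per-octet equality tests in the hunk to arbitrary prefix lengths, so a block such as the suggested 198.18.0.0/15 becomes one table row instead of a hand-written `if`. The `blocked_prefix` table, `blocked_reason` and `is_safe_ipv4` are assumed names, the range list is the RFC 1918 space plus the RFC 3330 blocks discussed above (it is not dnswall's full list), and the sample addresses in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One filtered IPv4 prefix: network address, prefix length, and why. */
struct blocked_prefix {
    uint8_t addr[4];
    int bits;
    const char *why;
};

/* Ranges that must never reach the browser in a DNS answer: RFC 1918
 * private space plus the RFC 3330 special blocks discussed in the report
 * (TEST-NET and the RFC 2544 benchmarking block). Constructed subset. */
static const struct blocked_prefix blocked[] = {
    { {10, 0, 0, 0},     8,  "RFC 1918 private" },
    { {172, 16, 0, 0},   12, "RFC 1918 private" },
    { {192, 168, 0, 0},  16, "RFC 1918 private" },
    { {127, 0, 0, 0},    8,  "loopback" },
    { {224, 0, 0, 0},    4,  "multicast" },
    { {192, 0, 2, 0},    24, "TEST-NET (documentation)" },
    { {198, 18, 0, 0},   15, "RFC 2544 benchmarking" },
};

/* Return 1 if the first `bits` bits of a and b are equal. Operates on
 * the four raw octets, the same representation as `ptr` in the patch. */
static int prefix_match(const uint8_t *a, const uint8_t *b, int bits)
{
    int full = bits / 8;   /* whole octets to compare */
    int rem  = bits % 8;   /* leftover bits in the following octet */
    if (full > 0 && memcmp(a, b, (size_t)full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    uint8_t mask = (uint8_t)(0xFFu << (8 - rem));
    return (a[full] & mask) == (b[full] & mask);
}

/* Return the reason string if ptr lies inside a blocked range, else NULL.
 * Same decision as the if-chain in dnswall.c, but adding a range is one
 * table row rather than a new comparison. */
const char *blocked_reason(const uint8_t ptr[4])
{
    for (size_t i = 0; i < sizeof blocked / sizeof blocked[0]; i++)
        if (prefix_match(ptr, blocked[i].addr, blocked[i].bits))
            return blocked[i].why;
    return NULL;
}

/* Wrapper using the patch's convention: 0 = drop the answer, 1 = pass. */
int is_safe_ipv4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    uint8_t ptr[4] = { a, b, c, d };
    return blocked_reason(ptr) == NULL;
}

int main(void)
{
    /* Constructed sample answers chosen to sit on range boundaries. */
    const uint8_t samples[][4] = {
        {192, 0, 2, 10},    /* inside TEST-NET */
        {192, 0, 3, 1},     /* just outside TEST-NET */
        {198, 19, 255, 1},  /* inside 198.18.0.0/15 */
        {198, 20, 0, 1},    /* just outside 198.18.0.0/15 */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const uint8_t *p = samples[i];
        const char *why = blocked_reason(p);
        printf("%u.%u.%u.%u -> %s\n", p[0], p[1], p[2], p[3],
               why ? why : "pass");
    }
    return 0;
}
```

The /15 and /12 rows are the cases a plain octet-equality chain gets wrong: they are handled by masking only the leftover bits of the partial octet, so 198.19.x.x is blocked while 198.20.x.x passes.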