Let's assume:

  • I own a domain example.com
  • I have a publicly available DNS server ns1.example.com
  • I want to host websites available on the internet e.g. app-prod.example.com
  • I want to host other websites available only in my local network e.g. app-stage.example.com

Can I put all DNS A records in the publicly available ns1.example.com server, e.g.

A app-prod.example.com  93.184.216.34
A app-stage.example.com 10.1.1.6

I know it works, but is it a good practice?

From what I see this saves some work, for example, I don't have to configure a local DNS server, I don't have to configure DHCP to point users to this server, etc.

Are there any downsides to this approach?

  • You can always host a local DNS server to put the local IP addresses on or even use your hosts file.
    – LPChip
    Commented Apr 12, 2022 at 15:02

2 Answers


No, it's not best practice, but you can do it if no better solution is available to you. There are two things to consider:

  • Make sure public users don't pick up this DNS record as part of the normal public services of your hosted application.

  • Consider that you publicly "announce" IPs from your local network. Not a great security issue in my view but that depends on the attack vector - and I don't want to give security advice without knowing your network.

In general, I would recommend setting up a local DNS server (that would be best practice in your case). The configuration is not that difficult and once they are in your LAN (directly or via VPN) you can pass on the DNS server via DHCP etc. But you can still try out your idea with the public DNS server first, once problems occur you can switch to the local DNS.

  • Ad 1. I won't have any links to these internal services available on the internet if that's what you mean. Ad 2. What would be the benefit of knowing the internal IP addresses from the point of the attacker? If they were to end up in my local network I would assume they could check the machine's interface config then scan the subnet essentially obtaining the same information.
    Commented Apr 12, 2022 at 11:16
  • 1) it's just general advice to be cautious, having links online would be one example, there might be others as well 2) you are right, it's just one less piece of info they have to find out themselves (in general security shouldn't rely just on obscurity)
    – Albin
    Commented Apr 12, 2022 at 13:27
  • I totally agree with this post, so +1. As for point 2. If this kind of information is available, it can tell a hacker a great deal of things. Like you have a Class A network instead of B or C, what IP range you use, that you are a potential threat. As the police would say: if you tell a thief that you have something to steal, they may try to do so. You basically announce a setup that may have more to it and becomes interesting for hackers.
    – LPChip
    Commented Apr 12, 2022 at 15:00
  • In addition to the above, if this is a webserver and a hacker gains access to an exploit, they may be able to run some commands. By knowing a server's local IP address, they can potentially open up a security hole to give them full access rather than only run some scripts.
    – LPChip
    Commented Apr 12, 2022 at 15:02

Anything that works and is simple and secure is good practice.

One downside that I can see is that it forces you to give the local server a static IP address.

Another downside is that this pollutes the public .com DNS server with sites that are not accessible from the internet, that for the entire world are just junk. This is not considered to be good practice.

But if all this doesn't bother you, then go ahead and solve your problem in this way.

  • I would have a static IP address for the local server anyway to avoid issues with changing IP address when the DHCP lease expires so this doesn't bother me. I wouldn't have any links to these internal websites on the Internet so I would assume the public DNS pollution shouldn't be much of an issue.
    Commented Apr 12, 2022 at 11:12
  • Another concern is that hackers can gain access to this info from the outside, which could lead to getting enough information to get an attack going.
    – LPChip
    Commented Apr 12, 2022 at 14:57
  • @LPChip: I don't count this as a serious threat, since an attack on this address can only come from within the local network, meaning that an internal computer or router is infected. The infected device will surely attack every other device on the network, including the server.
    – harrymc
    Commented Apr 12, 2022 at 15:03
  • @KubaSzymanowski: I also don't think that one dummy entry among millions or hundreds of millions will much bother the central DNS server.
    – harrymc
    Commented Apr 12, 2022 at 15:04
  • @LPChip: An attacker may be able to infect a badly-configured webserver, but an address such as 10.1.1.6 cannot be reached from the internet, so is unattackable from the outside.
    – harrymc
    Commented Apr 12, 2022 at 16:45