Local DNS Propagation Question

 
 
apollonius2@gmail.com
Guest
Posts: n/a

 
      11-03-2007, 06:50 PM
Greetings,

While this question may sound silly I am unable to contact my usual
resource to ask so I have come here in hopes of an answer.

I have a small home network sitting behind a Linksys Router. I have
successfully set up Apache and Local DNS for my network on an Ubuntu
machine. I have confirmed it to work correctly by setting its address
for the primary DNS on another machine on the network. It resolves the
host name I created correctly and pulls the desired web pages from
Apache.

All that said, the domain name that I am using locally is one that
already belongs to an active site on the internet. My local machines
do not resolve to that site though they resolve to my local one (which
is ok with me). My question however is will my DNS entries stay local?
eg I do not want it to propagate my address (my internet address that
is) across the internet as being the destination for that site.

Don't want to get in trouble for stealing someone's domain name when
that is not my intent...

Any insight would be greatly appreciated.

PS I am using "dnsmasq" on the Linux box.

Thanks!

 
 
 
 
 
Ashish Shukla आशीष शुक्ल
Guest
Posts: n/a

 
      11-03-2007, 07:23 PM
,--- apollonius2 writes:

| All that said, the domain name that I am using locally is one that
| already belongs to an active site on the internet. My local machines
| do not resolve to that site though they resolve to my local one (which
| is ok with me). My question however is will my DNS entries stay local?
| eg I do not want it to propagate my address (my internet address that
| is) across the internet as being the destination for that site.

Yes, your DNS entries will stay local, available in your
network. Unless someone from outside your network is your DNS
server.

HTH
- --
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
 
 
Jeroen Geilman
Guest
Posts: n/a

 
      11-03-2007, 08:07 PM
(E-Mail Removed) wrote:

> All that said, the domain name that I am using locally is one that
> already belongs to an active site on the internet. My local machines
> do not resolve to that site though they resolve to my local one (which
> is ok with me). My question however is will my DNS entries stay local?


Yes.

> Don't want to get in trouble for stealing someones domain name when
> that is not my intent...


That's not nearly as simple as you now make it out to be.
 
 
apollonius2@gmail.com
Guest
Posts: n/a

 
      11-03-2007, 08:25 PM
Got it!

So as long as I don't put my DNS machine in the DMZ or outside my
network I'm free to do as I wish with any internal domains.

Thank you!

 
 
apollonius2@gmail.com
Guest
Posts: n/a

 
      11-03-2007, 10:41 PM
On Nov 3, 2:07 pm, Jeroen Geilman <n...@home.no> wrote:
> >apolloni...@gmail.com wrote:
> >
> > Don't want to get in trouble for stealing someones domain name when
> > that is not my intent...

>
> That's not nearly as simple as you now make it out to be.


You mean hijacking a legitimate domain name? Yea, I figured it would
take intent (and probably a fair amount of work) to do that. I don't
want to do that anyway. Sometimes you never know, though; technology is
getting rather plug-and-pray nowadays.

I don't fully understand how the "Global" domain system
works...perhaps another subject for me to add to the list of future
reading.

Thanks for the reply.

 
 
Jeroen Geilman
Guest
Posts: n/a

 
      11-03-2007, 11:19 PM
(E-Mail Removed) wrote:
> On Nov 3, 2:07 pm, Jeroen Geilman <n...@home.no> wrote:
>>> apolloni...@gmail.com wrote:
>>>
>>> Don't want to get in trouble for stealing someones domain name when
>>> that is not my intent...

>> That's not nearly as simple as you now make it out to be.

>
> You mean hijacking a legitimate domain name? Yea, I figured it would
> take intent (and probably a fair amount of work) to do that. I don't
> want to do that anyway. Sometimes you never know though technology is
> getting rather plug-and-pray now days.


*Consumer* technology, maybe...
Trust me, configuring a grownup router or firewall takes skill and
experience.. and heaps of (sometimes arcane) knowledge.

> I don't fully understand how the "Global" domain system
> works...perhaps another subject for me to add to the list of future
> reading.


I found the O'Reilly book on BIND and DNS quite good - it explains the
theory behind it very thoroughly.
For free, try wikipedia (as odd as that may sound, they have very
complete info for any computer- or network-related technology or
standard) or the official BIND site (www.isc.org)

>
> Thanks for the reply.
>


No problem.

J.
 
 
Moe Trin
Guest
Posts: n/a

 
      11-04-2007, 08:04 PM
On Sat, 03 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed). com>,
(E-Mail Removed) wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>Jeroen Geilman <n...@home.no> wrote:


>> apolloni...@gmail.com wrote:


>>> Don't want to get in trouble for stealing someones domain name when
>>> that is not my intent...

>>
>> That's not nearly as simple as you now make it out to be.

>
>You mean hijacking a legitimate domain name? Yea, I figured it would
>take intent (and probably a fair amount of work) to do that. I don't
>want to do that anyway. Sometimes you never know though technology is
>getting rather plug-and-pray now days.


No comment

>I don't fully understand how the "Global" domain system works...
>perhaps another subject for me to add to the list of future reading.


There is the DNS-HOWTO which explains things. VERY BRIEFLY, you ask a
name server. If it doesn't know the answer, it asks one of the 'root'
servers ("what is the address of foo.bar.baz.example.com?"), who refers
it to a top-level domain server ("ask <mumble> who knows about .com").
The top-level domain server will refer it to a 'second level' domain
server ("ask <mumble.mumble> who knows about example.com"). This is
repeated as needed until your name server finds the server who knows
that "foo.bar.baz.example.com is 192.0.2.145".

If you have a bogus domain on your name server, it becomes a problem
for others IF they somehow get referred to your server to ask about
that domain. Not very likely. However, those who are using your
name server to ask DNS questions (which generally means those systems
on your LAN) get the "wrong" answer, and will not be able to reach the
"real" host (whether or not that is their intent).

Old guy
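
The referral chain described in the post above, and why a local override is seen only by clients of the server that holds it, as a small model. This is an added example, not part of any post in the thread; the server labels (`root`, `tld-com`, `ns-example`, `home-dnsmasq`) and the LAN address 192.168.1.10 are constructed for illustration.

```python
# Constructed model of DNS delegation; all names and addresses are sample values.
# Each authoritative server either refers a zone suffix onward or holds final answers.
PUBLIC_DNS = {
    "root": {"refer": {"com.": "tld-com"}},
    "tld-com": {"refer": {"example.com.": "ns-example"}},
    "ns-example": {"answer": {"www.example.com.": "192.0.2.145"}},
}

# The home server's local override for the same name (hypothetical LAN address).
LOCAL_OVERRIDES = {"www.example.com.": "192.168.1.10"}


def iterate(name, servers=PUBLIC_DNS, start="root"):
    """Follow referrals from the root, as a recursive resolver does.

    Returns (address, path), where path lists every server that was asked.
    """
    server, path = start, []
    while True:
        path.append(server)
        data = servers[server]
        if name in data.get("answer", {}):
            return data["answer"][name], path
        # Pick the longest delegated suffix that matches the query name.
        matches = [z for z in data.get("refer", {})
                   if name == z or name.endswith("." + z)]
        if not matches:
            return None, path  # no such name in this model
        server = data["refer"][max(matches, key=len)]


def lan_client_lookup(name):
    """A LAN client asks the home server first; overrides win, else it recurses."""
    if name in LOCAL_OVERRIDES:
        return LOCAL_OVERRIDES[name], ["home-dnsmasq"]
    addr, path = iterate(name)
    return addr, ["home-dnsmasq"] + path


def internet_client_lookup(name):
    """An outside resolver only follows the public delegation chain."""
    return iterate(name)


if __name__ == "__main__":
    print("LAN     :", lan_client_lookup("www.example.com."))
    print("Internet:", internet_client_lookup("www.example.com."))
```

No referral in the public chain points at the home server, so the outside lookup never consults it; only hosts configured to use it as their resolver see the override.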
 
 
DixanRivas@gmail.com
Guest
Posts: n/a

 
      11-05-2007, 09:43 AM
On Nov 4, 11:04 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
> On Sat, 03 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
> article <1194133278.020926.255...@q3g2000prf.googlegroups. com>,
>
> apolloni...@gmail.com wrote:
>
> NOTE: Posting from groups.google.com (or some web-forums) dramatically
> reduces the chance of your post being seen. Find a real news server.
>
> >Jeroen Geilman <n...@home.no> wrote:
> >> apolloni...@gmail.com wrote:
> >>> Don't want to get in trouble for stealing someones domain name when
> >>> that is not my intent...

>
> >> That's not nearly as simple as you now make it out to be.

>
> >You mean hijacking a legitimate domain name? Yea, I figured it would
> >take intent (and probably a fair amount of work) to do that. I don't
> >want to do that anyway. Sometimes you never know though technology is
> >getting rather plug-and-pray now days.

>
> No comment
>
> >I don't fully understand how the "Global" domain system works...
> >perhaps another subject for me to add to the list of future reading.

>
> There is the DNS-HOWTO which explains things. VERY BRIEFLY, you ask a
> name server. If it doesn't know the answer, it asks one of the 'root'
> servers ("what is the address of foo.bar.baz.example.com?"), who refers
> it to a top-level domain server ("ask <mumble> who knows about .com").
> The top-level domain server will refer it to a 'second level' domain
> server ("ask <mumble.mumble> who knows about example.com"). This is
> repeated as needed until your name server finds the server who knows
> that "foo.bar.baz.example.com is 192.0.2.145".
>
> If you have a bogus domain on your name server, it becomes a problem
> for others IF they somehow get referred to your server to ask about
> that domain. Not very likely. However, those who are using your
> name server to ask DNS questions (which generally means those systems
> on your LAN) get the "wrong" answer, and will not be able to reach the
> "real" host (whether or not that is their intent).
>
> Old guy


Block Incoming UDP 53 so that it rejects DNS queries from the
internet, you don't want people to resolve your domain name and
neither do you want them to know what's inside your network you would
be telling the hacker where your weakest point on the network is and
to do the DoS attack to it...And if you want to be extra safe you can
block outgoing TCP 53 so that nobody on the internet can get a DNS
zone transfer of your network...If by mistake someone gets routed to
your domain name instead of the registered one on the internet you
would be in serious #### that's considered a DNS poisoning...

 
 
Moe Trin
Guest
Posts: n/a

 
      11-05-2007, 11:43 PM
On Mon, 05 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed). com>,
(E-Mail Removed) wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>Block Incoming UDP 53 so that it rejects DNS queries from the
>internet, you don't want people to resolve your domain name and
>neither do you want them to know whats inside your network you would
>be telling the hacker where your weakest point on the network is and
>to do the DoS attack to it...


Many companies have "internal" and "external" name servers. External
servers will handle external queries for hostnames that you desire to
resolve - www.example.com, ftp.example.com, dns.example.com, and
mx.example.com being possible candidates. The external nameservers
also resolve external queries for your section of "in-addr.arpa."
(assuming such a zone has been delegated to you - see RFC1591 and 2317)
but MAY provide generic answers (192.0.2.11 may resolve to
192.0.2.11.example.com [_whether or not it may actually exist_]
RATHER THAN some potentially sensitive name). The external servers may
intentionally not respond to queries originating internally. The
"internal" servers resolve internal and external names and addresses
for internal clients only.

>And if you want to be extra safe you can block outgoing TCP 53 so that
>nobody on the internet can get a DNS zone transfer of your network...


If you haven't configured your name servers to ignore such queries, you
probably shouldn't be administering the server. That has been a strongly
recommended configuration option for over ten years. And you may want
to look at RFC1034 and RFC1035 regarding the use of TCP in DNS.

>If by mistake some one gets routed to your domain name instead of the
>registered one on the internet you would be in serious #### thats
>considered a DNS poisoning...


Note that laws are not the same in all countries, and there are no
Internet Police who will come down and beat the sh!t out of the bad
guys or idiots - despite many wishes to the contrary.

Old guy
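
For the dnsmasq server the original poster mentions, the two questions raised across the thread (who can query it, and which names it answers locally) can be read from its configuration. This is an added example, not part of any post; the sample config, interface name and addresses are constructed, and the "inside" ranges are an assumption of this check.

```python
import ipaddress

# Constructed dnsmasq.conf; interface name and addresses are sample values.
SAMPLE_CONF = """\
# home LAN resolver
interface=eth0
bind-interfaces
address=/example.com/192.168.1.10
server=192.0.2.53
"""

# Ranges treated as "inside" by this check (loopback plus RFC 1918).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(conf_text):
    """Return (option, value) pairs, skipping blank lines and comments."""
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            opt, _, val = line.partition("=")
            pairs.append((opt.strip(), val.strip()))
    return pairs


def audit(conf_text):
    """Report the listening scope and every name answered from local data."""
    opts = parse(conf_text)
    names = {opt for opt, _ in opts}
    findings = []
    # dnsmasq's documented default is to listen on all interfaces.
    if not names & {"interface", "listen-address", "local-service"}:
        findings.append("no listening restriction: answers on all interfaces")
    for opt, val in opts:
        if opt == "listen-address":
            for addr in (a.strip() for a in val.split(",")):
                ip = ipaddress.ip_address(addr)
                if not any(ip in net for net in LAN_NETS):
                    findings.append(f"listens on non-LAN address {addr}")
        elif opt == "address":
            # Syntax: address=/<domain>[/<domain>...]/<ip>
            parts = val.strip("/").split("/")
            for dom in parts[:-1]:
                findings.append(f"local override: {dom} -> {parts[-1]}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```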
 
 
 
 