DNS blocked for private addresses?

RoBorg
Newbie
Posts: 5
Registered: 01-08-2015

DNS blocked for private addresses?

Bit of a strange problem - I can't get a DNS lookup on any domains that resolve to 192.168.x.x
If you want to try and reproduce, try
ping pony.justsayplease.co.uk

It works fine if I change my DNS servers to Google's in my PC network settings, but I can't seem to do that for my phone on WiFi - the DHCP server always sets its own IP as the primary DNS, then Google's as the secondary.
Tech support didn't know anything about it being blocked, nor could help work around it.
So

  • Can anyone from Plusnet confirm that 192.168 addresses are blocked from resolving

  • How can I make my router (Technicolor TG582n FTTC on the latest firmware, 10.2.5.2) send 8.8.8.8 as the primary DNS? There are a few instructions floating around, but my router seems slightly different - there's no "dns server route list" command for a start...

17 REPLIES
Community Veteran
Posts: 2,274
Thanks: 109
Fixes: 4
Registered: 18-02-2013

Re: DNS blocked for private addresses?

[tt]
dig pony.justsayplease.co.uk
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> pony.justsayplease.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11110
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;pony.justsayplease.co.uk. IN A
;; ANSWER SECTION:
pony.justsayplease.co.uk. 300 IN A 192.168.10.66
;; AUTHORITY SECTION:
justsayplease.co.uk. 85918 IN NS dns1.stabletransit.com.
justsayplease.co.uk. 85918 IN NS dns2.stabletransit.com.
;; ADDITIONAL SECTION:
dns1.stabletransit.com. 52826 IN A 69.20.95.4
dns2.stabletransit.com. 54487 IN A 65.61.188.4
;; Query time: 23 msec
;; SERVER: 192.168.0.12#53(192.168.0.12)
;; WHEN: Sun Aug  2 20:37:25 2015
;; MSG SIZE  rcvd: 145

dig @8.8.8.8 pony.justsayplease.co.uk
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 pony.justsayplease.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52568
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;pony.justsayplease.co.uk. IN A
;; ANSWER SECTION:
pony.justsayplease.co.uk. 299 IN A 192.168.10.66
;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8 )
;; WHEN: Sun Aug  2 20:36:47 2015
;; MSG SIZE  rcvd: 58

dig @212.159.6.9 pony.justsayplease.co.uk
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @212.159.6.9 pony.justsayplease.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 980
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;pony.justsayplease.co.uk. IN A
;; AUTHORITY SECTION:
justsayplease.co.uk. 86161 IN NS dns1.stabletransit.com.
justsayplease.co.uk. 86161 IN NS dns2.stabletransit.com.
;; Query time: 21 msec
;; SERVER: 212.159.6.9#53(212.159.6.9)
;; WHEN: Sun Aug  2 20:36:28 2015
;; MSG SIZE  rcvd: 97
[/tt]
sjptd
Grafter
Posts: 467
Registered: 01-09-2014

Re: DNS blocked for private addresses?

192.168.x.x are reserved as local internet addresses. No external DNS server should normally return a value in that range, but I can see that several do for "pony.justsayplease.co.uk". That must be a most peculiar address that has somehow slipped itself into nameservers.
You will see that even though "ping pony.justsayplease.co.uk" might resolve, you almost certainly won't get any response (and won't for "ping 192.168.10.66" either).
Community Veteran
Posts: 26,627
Thanks: 860
Fixes: 10
Registered: 10-04-2007

Re: DNS blocked for private addresses?

It's not so much a strange problem as a strange question!
192.16.x.x is a local subnet and should not be routable to anywhere on the internet. When you tried the ping it probably succeeded with the lookup but failed to route the ping to the looked up address.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
Community Veteran
Posts: 5,057
Thanks: 424
Fixes: 16
Registered: 10-06-2010

Re: DNS blocked for private addresses?

Unless 192.168.10.66 is in RoBorg's own LAN of course.
For changing the DNS settings: method 2 from http://npr.me.uk/changedns.html or the newer commands for the version 10 technicolor firmware: http://npr.me.uk/telnet.html#dnsr10
RoBorg
Newbie
Posts: 5
Registered: 01-08-2015

Re: DNS blocked for private addresses?

Thanks for your responses - just to clarify:

  • Yes this is a little strange, but domain names don't have to resolve to public IPs

  • 192.168.10.66 is a machine on my internal network - I can access it fine either by IP or using Google DNS

  • I got a fellow Plusnet user to try from his home, and he had the same problem as me, so it's not my computers / network settings


@11110_110 interesting you were able to get a response - can you tell me which DNS server that was from?
Andrue
Aspiring Pro
Posts: 775
Thanks: 89
Fixes: 1
Registered: 12-01-2015

Re: DNS blocked for private addresses?

Sounds like 'working as designed' to me. DNS servers are supposed to authoritatively return addresses for names. A public DNS server cannot know what is located at any address in the private ranges so it shouldn't return such an address.
RoBorg
Newbie
Posts: 5
Registered: 01-08-2015

Re: DNS blocked for private addresses?

Quote from: ejs
Unless 192.168.10.66 is in RoBorg's own LAN of course.
For changing the DNS settings: method 2 from http://npr.me.uk/changedns.html or the newer commands for the version 10 technicolor firmware: http://npr.me.uk/telnet.html#dnsr10

Thanks :)
Those newer commands were what I needed for my router, but it's still insisting on setting the DHCP IP as the primary DNS :(
RoBorg
Newbie
Posts: 5
Registered: 01-08-2015

Re: DNS blocked for private addresses?

Quote from: Andrue
Sounds like 'working as designed' to me. DNS servers are supposed to authoritatively return addresses for names. A public DNS server cannot know what is located at any address in the private ranges so it shouldn't return such an address.

Absolutely not - the DNS system is supposed to take a name and turn it into an IP address. As long as it's a valid IP, it doesn't know or care what's on that IP, or if that IP is routable to the current device.
Adding your internal IPs into DNS is a very common thing to do.
Community Veteran
Posts: 26,627
Thanks: 860
Fixes: 10
Registered: 10-04-2007

Re: DNS blocked for private addresses?

I've some internal names/IP addresses that I've added to my PC, not by messing with DNS but by adding them to my hosts file (C:\Windows\System32\drivers\etc\hosts) - do the other devices have a similar option?
jelv (a.k.a Spoon Whittler)
RoBorg
Newbie
Posts: 5
Registered: 01-08-2015

Re: DNS blocked for private addresses?

Quote from: jelv
I've some internal names/IP addresses that I've added to my PC, not by messing with DNS but by adding them to my hosts file (C:\Windows\System32\drivers\etc\hosts)

Yeah that's what I did originally, but I can't do it on my phone :/
Community Veteran
Posts: 2,274
Thanks: 109
Fixes: 4
Registered: 18-02-2013

Re: DNS blocked for private addresses?

Quote from: RoBorg
@11110_110 interesting you were able to get a response - can you tell me which DNS server that was from?

Yes as follows...
212.118.241.1
212.118.241.33
Andrue
Aspiring Pro
Posts: 775
Thanks: 89
Fixes: 1
Registered: 12-01-2015

Re: DNS blocked for private addresses?

Quote from: RoBorg
Absolutely not - the DNS system is supposed to take a name and turn it into an IP address. As long as it's a valid IP, it doesn't know or care what's on that IP, or if that IP is routable to the current device.
Adding your internal IPs into DNS is a very common thing to do.

I think you're confused or are trying to muddy the waters.
A DNS server can always be authoritative within its own network so adding private IP addresses to a private DNS server is of course common practice on anything except the smallest of LANs. However if you re-read the thread we are discussing DNS servers on the public network giving out addresses on private networks. A public DNS server cannot, by definition, give authoritative information about private address spaces. As you yourself have just stated 'As long as it's a valid IP..' and a public DNS server has no idea whether a private address is valid or not.
http://serverfault.com/questions/4458/private-ip-address-in-public-dns
Sounds like it's a dodgy thing to do but doesn't cover whether or not a public DNS server should support it.
sjptd
Grafter
Posts: 467
Registered: 01-09-2014

Re: DNS blocked for private addresses?

As several of us have said, it is certainly incorrect for any public nameserver to return 192.168.10.66 to nslookup pony.justsayplease.co.uk <nameserver> (e.g. nslookup pony.justsayplease.co.uk 8.8.8.8)
It may be at that address on your LAN, but not for anyone else in the world. An internal nameserver on your LAN (or a hosts file) could validly give that result, but not a public nameserver.
You must somehow have figured a way to get that name/address pair accepted by many nameservers (including 8.8.8.8, 4.2.2.5, 212.118.241.1), all of which ought to have rejected it. It looks as if Plusnet's nameserver is one of the few that quite correctly has.
(Maybe you didn't figure it out, but you must have somehow caused it to happen.)
Community Veteran
Posts: 1,840
Thanks: 101
Fixes: 6
Registered: 21-01-2013

Re: DNS blocked for private addresses?

The domain's authoritative name server resolves this host to a private IP address 192.168.10.66
Quote
; <<>> DiG 9.8.6-P1 <<>> pony.justsayplease.co.uk @dns1.stabletransit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27936
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;pony.justsayplease.co.uk.      IN      A
;; ANSWER SECTION:
pony.justsayplease.co.uk. 300  IN      A      192.168.10.66
;; AUTHORITY SECTION:
justsayplease.co.uk.    86400  IN      NS      dns2.stabletransit.com.
justsayplease.co.uk.    86400  IN      NS      dns1.stabletransit.com.
;; Query time: 109 msec
;; SERVER: 69.20.95.4#53(69.20.95.4)
;; WHEN: Sun Aug 02 22:16:25 GMT Summer Time 2015
;; MSG SIZE  rcvd: 113

This suggests to me that "pony.justsayplease.co.uk" is intended to be accessed over a VPN.
It's disappointing that some public name servers are resolving a private IP address -- I would have thought this to be a security issue. Nice to see Plusnet's DNS gets something right. ;)
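
The comparison the thread does by eye, as an added example that is not from any poster: a Python parser for dig output that classifies each resolver's response and flags the pattern seen above, where one resolver returns NOERROR with no answer while another returns a private A record for the same name. The sample text is constructed by abbreviating the dig output quoted in the thread; the function names and the "filtered-private" label are assumptions of this example.

```python
import ipaddress
import re

# Constructed samples, abbreviated from the dig output quoted in the thread.
SAMPLES = {
    "8.8.8.8": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52568
;; ANSWER SECTION:
pony.justsayplease.co.uk. 299 IN A 192.168.10.66
""",
    "212.159.6.9": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 980
;; AUTHORITY SECTION:
justsayplease.co.uk. 86161 IN NS dns1.stabletransit.com.
""",
}

def parse_dig(text):
    """Return (status, A-record addresses found in the ANSWER section)."""
    status = re.search(r"status: (\w+)", text).group(1)
    answers, section = [], None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)          # track which section we are in
        elif section == "ANSWER" and not line.startswith(";"):
            fields = line.split()         # name, TTL, class, type, rdata
            if len(fields) >= 5 and fields[3] == "A":
                answers.append(ipaddress.ip_address(fields[4]))
    return status, answers

def classify(text):
    """Label one resolver's response by status and answer address range."""
    status, answers = parse_dig(text)
    if status != "NOERROR":
        return status.lower()
    if not answers:
        return "nodata"
    # is_private covers RFC 1918 plus loopback, link-local and similar ranges
    private = any(a.is_private for a in answers)
    return "private-answer" if private else "public-answer"

def compare(samples):
    """NODATA from one resolver while another returns a private A record
    points to private-range filtering rather than a missing record."""
    verdicts = {srv: classify(out) for srv, out in samples.items()}
    leaked = "private-answer" in verdicts.values()
    return {s: "filtered-private" if v == "nodata" and leaked else v
            for s, v in verdicts.items()}
```
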