Using Custom Policy to Block Private IPs in Public DNS: Why and How!
When private IP addresses are exposed in public DNS records, it is not necessarily an immediate security disaster, depending on how the infrastructure is built, but it is certainly not a best practice. The core function of DNS (Domain Name System) is to translate domain names into IP addresses, but not every IP address is meant to be publicly known. This article explores the risks and potential pitfalls of exposing private IPs in public DNS and explains why this can be more dangerous than you might think.
What Are Private IP Addresses?
Private IP addresses are special IP ranges reserved by the Internet Assigned Numbers Authority (IANA) for use within private networks. These addresses are not routable over the public internet, meaning they are intended solely for internal communication within a network.
For IPv4, the private IP ranges are:
- 10.0.0.0–10.255.255.255
- 172.16.0.0–172.31.255.255
- 192.168.0.0–192.168.255.255
These IPs are used by devices in local networks, such as homes or businesses, to communicate with one another, and are hidden from the broader internet.
The Problem: Private IPs in Public DNS
When private IP addresses (like 192.168.x.x or 10.x.x.x) inadvertently make their way into public DNS records, it opens the door to unintended risks. Although these addresses are not directly accessible over the internet, their presence in a public DNS can give attackers valuable insights into your internal network structure.

Here’s why this can be problematic:
- Network Mapping
An attacker who stumbles upon a private IP in a public DNS instantly gains a peek into your internal network. Private IPs can reveal network structures, such as subnet organization, which attackers can use to map out potential targets. It eliminates the need for active scanning, a process that would normally raise red flags in security systems.
- Targeted Attacks
Once an attacker knows the internal IP addresses, they can craft more precise attacks aimed at these systems. These attacks could exploit vulnerabilities such as weak access controls, misconfigured firewalls, or unpatched services within your private network. Additionally, since the attacker already has the IP information, they can bypass certain detection mechanisms, like intrusion detection systems (IDS), that would typically be triggered during network scans.
Preventing Private IPs in Public DNS
Preventing the exposure of private IP addresses in public DNS records is crucial. One of the most effective solutions is the use of Network Address Translation (NAT). NAT works by translating private IP addresses to public ones for outgoing traffic, effectively concealing the internal addresses from external parties. This ensures that private IPs never make their way into public DNS, minimizing the risk of exposure.
Additionally, platforms like Azure offer built-in policies to mitigate the accidental registration of private IPs in public DNS. Azure’s policy framework allows administrators to enforce rules, ensuring that only authorized users can create public DNS records. However, mistakes can still happen — users might inadvertently configure private IPs within public DNS entries.
Custom Policy: Enforcing Best Practices
A stronger approach to prevent the exposure of private IP addresses is to create custom policies that block the inclusion of private IP ranges in public DNS records. For example, in Azure, you can define a custom policy to automatically check and block any DNS record that contains a private IP address.
Here’s an example of what such a custom policy might look like. A "like" condition supports a single "*" wildcard, which can only stand in for the tail of the dotted-decimal address, so 10.0.0.0/8 and 192.168.0.0/16 each need one pattern while the 172.16.0.0/12 block needs one pattern per /16, from 172.16.* through 172.31.*:
{
  "properties": {
    "displayName": "Deny creation of private IP in public DNS zones",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies the creation of private IP addresses in public DNS zones.",
    "metadata": {
      "category": "Networking"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/dnsZones/A"
          },
          {
            "anyOf": [
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "10.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "192.168.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.16.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.17.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.18.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.19.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.20.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.21.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.22.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.23.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.24.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.25.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.26.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.27.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.28.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.29.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.30.*" },
              { "field": "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address", "like": "172.31.*" }
            ]
          }
        ]
      },
      "then": {
        "effect": "Deny"
      }
    }
  }
}
With this policy assigned, any attempt to create or update an A record in a public DNS zone with an address in one of these ranges is denied, so the misconfiguration is stopped before it can become a potential security risk.
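Two things a practitioner usually wants alongside the policy are a way to audit the records already in a zone and a way to generate the wildcard conditions rather than typing them by hand. The following is an added example, not code from the original article or from Azure's own tooling: it encodes the three RFC 1918 ranges listed earlier with Python's standard ipaddress module, audits a constructed set of A record sets for private addresses, and expands each range into the single-wildcard "like" patterns an Azure Policy condition needs. The alias name is the one used in the policy above; the zone data is constructed for the example, and a real audit would load record sets from the zone instead.

```python
"""Audit A records for RFC 1918 addresses and build the matching 'like' patterns.

Added example, not part of the original article or of Azure's tooling.
The zone data below is constructed; a real audit would load record sets
from the zone instead.
"""
import fnmatch
import ipaddress

# RFC 1918 private ranges, exactly the three blocks the article lists.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Azure Policy alias for the addresses of an A record set (as used in the policy above).
A_RECORD_ALIAS = "Microsoft.Network/dnsZones/A/ARecords[*].ipv4Address"


def is_rfc1918(address: str) -> bool:
    """True if `address` is an IPv4 address inside one of the RFC 1918 blocks.

    Raises ValueError for strings that are not IP addresses at all.
    """
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETWORKS)


def like_patterns_for(network: ipaddress.IPv4Network) -> list:
    """Expand a network into Azure Policy 'like' patterns.

    'like' supports exactly one '*' wildcard, and it can only replace the tail
    of the dotted-decimal string. A prefix that does not end on an octet
    boundary (such as /12) is therefore split into the /16 subnets it contains,
    one pattern each.
    """
    if network.prefixlen % 8 == 0:
        subnets = [network]
    else:
        octet_prefix = (network.prefixlen // 8 + 1) * 8
        subnets = list(network.subnets(new_prefix=octet_prefix))
    patterns = []
    for subnet in subnets:
        kept_octets = subnet.prefixlen // 8
        octets = str(subnet.network_address).split(".")
        if kept_octets == 4:
            patterns.append(".".join(octets))  # a single host: exact match, no wildcard
        else:
            patterns.append(".".join(octets[:kept_octets]) + ".*")
    return patterns


def policy_conditions(networks=RFC1918_NETWORKS) -> list:
    """The 'anyOf' condition list for the policy: one 'like' clause per pattern."""
    return [{"field": A_RECORD_ALIAS, "like": pattern}
            for network in networks
            for pattern in like_patterns_for(network)]


def matches_like(address: str, patterns) -> bool:
    """Approximate Azure Policy's 'like' with fnmatch (both read '*' as any suffix)."""
    return any(fnmatch.fnmatchcase(address, p) for p in patterns)


def audit_zone(record_sets) -> list:
    """Return (record set name, address) pairs for every private address found.

    record_sets: iterable of {"name": str, "ips": [str, ...]} describing A record sets.
    """
    return [(rs["name"], ip)
            for rs in record_sets
            for ip in rs["ips"]
            if is_rfc1918(ip)]


# Constructed sample zone (not real records); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for genuinely public addresses.
SAMPLE_ZONE = [
    {"name": "www", "ips": ["203.0.113.10"]},
    {"name": "intranet", "ips": ["10.20.30.40"]},
    {"name": "build", "ips": ["172.16.5.9"]},
    {"name": "vpn-gw", "ips": ["172.20.1.1"]},
    {"name": "mixed", "ips": ["198.51.100.7", "192.168.1.25"]},
]

if __name__ == "__main__":
    for name, ip in audit_zone(SAMPLE_ZONE):
        print(f"private address published in record set '{name}': {ip}")
    # A lone "172.16.*" pattern misses 172.20.1.1; the full /12 expansion catches it.
    lone = matches_like("172.20.1.1", ["172.16.*"])
    full = matches_like("172.20.1.1", like_patterns_for(RFC1918_NETWORKS[1]))
    print(f"172.20.1.1 matched by '172.16.*' alone: {lone}; by the /12 expansion: {full}")
    print(f"{len(policy_conditions())} 'like' conditions needed for the policy")
```

The expansion logic is what makes the 172.16.0.0/12 case explicit: the audit function uses proper prefix arithmetic, while the policy has to approximate the same range with string patterns, and the two only agree once all sixteen 172.16.* to 172.31.* patterns are present.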
Conclusion
While exposing private IP addresses in public DNS may not create an immediate breach, it poses a potential risk by giving attackers critical insights into your internal network. By implementing strong policies, using NAT, and ensuring careful configuration, organizations can prevent the unintended exposure of private IPs and safeguard their networks from targeted attacks.