Bogon DNS
I recently became aware of the "DNS Rebinding" attack based on a post by Craig Wright. It can be found here:
Craig's blog
Security aside, it did pose a question: Why do modern DNS servers at the edge of an enterprise or ISP's recursive server allow the return of RFC1918 addresses at all?
Whilst it's not a complete solution to the issue, I do happen to be all over a certain DNS server. Observe, a DNS lookup you can perform yourself, which clearly shouldn't work:
[user@myself ~]# dig +short hax.lolware.net
192.168.0.5

Alas, it does :( However, let's run the same query through my server:

[user@myself ~]# dig +short hax.lolware.net @127.0.0.1
[user@myself ~]#
In short, the server returns a "how about no?". The first thing to know about loldns's implementation of bogon filtering is that it is disabled by default. This is to ensure any implementation is well thought out.
Automated Implementation
A bogons file based on Team Cymru's bogon list (as of 26/08/11) is included with the distribution. This should actually not need updating as all IP space slated for allocation has now been allocated. Copy this file, named "bogons" to the "root" directory, underneath your dnscache installation directory. You will need to restart dnscache for its presence to be noted.
Advanced Implementation
The "bogons" file simply follows this format, one per line:
ip/netmask
The storage array which holds these records is hard coded to store 16 bogons. If you require more, you can edit the MAXBOGONS=xx parameter in the Makefile as required. On startup, bogons read from this file are logged.
You can test your implementation by performing a lookup on the hax.lolware.net address.
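As an added illustration (not loldns's own code, nor part of the original post), here is a small C program in the style of the dnscache sources that reads a bogons file in the ip/netmask format above, enforces a MAXBOGONS-style cap on the table, and then decides whether an answer such as the 192.168.0.5 returned for hax.lolware.net falls inside a listed prefix. The function names, the default cap of 16, and the sample file contents are assumptions; the sample is a constructed subset, not the Team Cymru list shipped with the distribution.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Cap on stored prefixes, modelled on the MAXBOGONS Makefile parameter
 * described on the page (16 is the page's stated default). */
#ifndef MAXBOGONS
#define MAXBOGONS 16
#endif

struct bogon { uint32_t net; uint32_t mask; };
static struct bogon bogons[MAXBOGONS];
static int nbogons = 0;

/* Parse a dotted quad into a host-order 32-bit value. Returns 1 on success. */
static int parse_ip4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* Parse one "ip/prefixlen" line and store it. Blank lines and '#' comments
 * are skipped. Returns 1 if a prefix was stored, 0 otherwise. */
int bogon_add_line(const char *line)
{
    char buf[64], *slash, *end;
    uint32_t net;
    long plen;

    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';
    if (buf[0] == '\0' || buf[0] == '#') return 0;
    if (nbogons >= MAXBOGONS) {
        fprintf(stderr, "bogons: table full (MAXBOGONS=%d), ignoring %s\n", MAXBOGONS, buf);
        return 0;
    }
    slash = strchr(buf, '/');
    if (slash == NULL) return 0;
    *slash = '\0';
    if (!parse_ip4(buf, &net)) return 0;
    plen = strtol(slash + 1, &end, 10);
    if (*end != '\0' || plen < 0 || plen > 32) return 0;

    bogons[nbogons].mask = plen == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - plen));
    bogons[nbogons].net  = net & bogons[nbogons].mask;
    nbogons++;
    return 1;
}

/* Load a whole bogons file held in memory, one entry per line.
 * Returns the number of prefixes stored (as loldns logs them on startup). */
int bogon_load_text(const char *text)
{
    int added = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[64];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        added += bogon_add_line(line);
        p = nl ? nl + 1 : p + strlen(p);
    }
    return added;
}

/* Return 1 if an A-record answer lies inside any stored prefix, i.e. the
 * record should be suppressed rather than handed back to the client. */
int bogon_match(const char *ip)
{
    uint32_t addr;
    int i;
    if (!parse_ip4(ip, &addr)) return 0;
    for (i = 0; i < nbogons; i++)
        if ((addr & bogons[i].mask) == bogons[i].net) return 1;
    return 0;
}

/* Empty the table so a file can be reloaded. */
void bogon_clear(void) { nbogons = 0; }

/* Constructed sample file: a handful of well-known bogon prefixes only. */
static const char sample_bogons[] =
    "# constructed sample, not the shipped Team Cymru file\n"
    "0.0.0.0/8\n"
    "10.0.0.0/8\n"
    "127.0.0.0/8\n"
    "169.254.0.0/16\n"
    "172.16.0.0/12\n"
    "192.168.0.0/16\n";

int main(void)
{
    printf("loaded %d bogon prefixes\n", bogon_load_text(sample_bogons));
    /* 192.168.0.5 is the answer the page's hax.lolware.net lookup returned */
    printf("192.168.0.5 -> %s\n", bogon_match("192.168.0.5") ? "drop" : "pass");
    printf("203.0.113.7 -> %s\n", bogon_match("203.0.113.7") ? "drop" : "pass");
    return 0;
}
```

The prefix is stored already masked (net & mask), so a line such as 192.168.1.0/16 still matches the whole /16; and the table-full branch logs and ignores extra entries rather than overrunning the fixed array, which is the failure mode the MAXBOGONS note above is warning about.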
More Information
The main DNS page, including downloads, is www.lolware.net