thanks to good folks at ATMAN and EPIX I was able to add additional AS 112 anycasted resolvers in Poland. this is described in more detail here.

however, you may have received an email from us - let’s explain why.

why I’m getting emails from you?

we are reaching out to you via this email because we have noticed DNS traffic leakage from one of your networks. this traffic leakage is related to reverse-name mapping for IP address space from the RFC1918 range hitting one of anycasted AS112 prefixes.

in simpler terms, it means that some machines in your network or your DNS server acting as a local resolver are not properly configured, resulting in queries being leaked to the internet. these queries cannot be effectively answered in any meaningful way. for instance, if you are using the 192.168/16 prefix in your local network, your hosts may send DNS queries like this:

“What is name of the host at 192.168.0.5?”

as you can imagine, answering such a question in any remote internet location doesn’t make sense because many customers (like you) use the same RFC1918 address space for their networks. that’s is its intended purpose. these networks typically employ network address translation (NAT) for IP traffic. however, DNS, by default, does not perform NAT operations on the actual queries as it would be illogical.

therefore, you may be leaking private queries, which can potentially be a waste of resources, both for you and other internet-connected devices, and it may also create a security vulnerability.

depending on your DNS server/resolver, there are different ways to stop this leaking.

of course, it is not mandatory to address this issue, but it would be appreciated, in the spirit of the Postel Robustness Principle, to prioritize internet hygiene.

where I can find more information and fix my deployment?

if you’re operating your DNS server, or managing network, please take a look below for references to most popular DNS servers:

  • for BIND
  • for Unbound by default you should be safe. There are some tweaks that can be done using private-address and private-domain if you’re using Unbound to resolve your own local names. Some examples can be found for example here & here
  • for Microsoft Server
  • you can find more context on AS112 project here.
  • you can find more information about DNS reverse queries here.