If you are using 1.1.1.1 anywhere in your firewall configuration, you'll want to read this
Many of us, myself included, have been tempted to be lazy when picking an 'example' IP for documentation or a dummy IP in a configuration somewhere. This laziness has now reared its ugly head and we're going to need to spring into action.
Until recently, the IP address 1.1.1.1 was not perceived as actively being 'in use': there was no service associated with it and no website popped up when it was dropped into a browser. It made its way into many labs, documentation, and even production configurations.
'Unfortunately' (for us lazy people), the IP has now been released to CloudFlare by APNIC (the Regional Internet Registry responsible for the Asia Pacific region, one of five regions of global IP allocation). APNIC until recently had the IP assigned to its own research group, but was unable to process the immense amount of garbage traffic generated by people using this IP in production environments.
The good news is that CloudFlare's 'mission statement' for their newly started free DNS service puts privacy before everything else, so you can still use 1.1.1.1, but as a DNS server, like the well-known Google public DNS (8.8.8.8, 8.8.4.4).
Another word of caution
In a related but unrelated infomercial: 4.2.2.1 to 4.2.2.6 are often used as DNS servers, but they belong to Level-3 and are technically not open DNS resolvers. Although Level-3 allows non-customers to use the service, they could theoretically decide to discontinue it or block outsiders at any time.
You'll still want to go ahead and review your configuration to make sure you're not accidentally sending out any (potentially sensitive) packets.
Having it assigned to a tunnel interface could cause routing issues when trying to reach the IP (and accidentally send DNS queries into a VPN tunnel).
Having the IP set as the DNS sinkhole address could cause malicious packets to be sent to the live DNS service if outbound connections are not blocked by a security policy.
Best practice will have you use one of the 3 unrouted IP subnets described in RFC1918, better known as 'Private Address Space' and used in most business and home networks behind a NAT device: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
If these subnets are all in use across your wider network, it might be difficult to find a suitable subnet that does not overlap, take up space or hinder future expansion. Another 3 subnets exist for documentation purposes, as described in RFC5737, which your ISP should not route in case you accidentally send packets out to the internet: 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
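As an added example (not part of the original post), here is a small Python audit that scans configuration lines for IPv4 addresses and flags every one that is neither RFC1918 private space nor RFC5737 documentation space, singling out 1.1.1.1 and the Level-3 4.2.2.x resolvers mentioned above. The config lines are constructed for the example, not an export from any real device.

```python
import ipaddress
import re

# RFC1918 private space (safe behind NAT) and RFC5737 documentation space
# (your ISP should never route it); both lists come straight from the RFCs.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC5737 = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Public addresses the post singles out: 1.1.1.1 is now a live CloudFlare
# resolver, and 4.2.2.1-4.2.2.6 are Level-3 resolvers that are not open DNS.
SPECIAL = {ipaddress.ip_address("1.1.1.1"): "now a live CloudFlare resolver, not a dummy"}
SPECIAL.update({ipaddress.ip_address(f"4.2.2.{i}"): "Level-3 resolver, not open DNS" for i in range(1, 7)})

# Dotted quad with an optional /prefix; the octets are validated by ipaddress below.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?:/\d{1,2})?\b")

def classify(ip: ipaddress.IPv4Address) -> str:
    """Return 'private', 'documentation' or 'public' for an IPv4 address."""
    if any(ip in n for n in RFC1918):
        return "private"
    if any(ip in n for n in RFC5737):
        return "documentation"
    return "public"

def audit(config_text: str) -> list:
    """Return (line_no, ip, note) for every address that is neither RFC1918
    nor RFC5737, i.e. one that could send real packets to a real host."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for match in IPV4_RE.finditer(line):
            try:
                ip = ipaddress.IPv4Address(match.group(1))
            except ValueError:
                continue  # e.g. 999.1.1.1 looks like an address but is not one
            if ip.is_loopback or ip.is_link_local or ip.is_multicast:
                continue
            if classify(ip) == "public":
                note = SPECIAL.get(ip, "public address: confirm it is intentional")
                findings.append((line_no, str(ip), note))
    return findings

# Constructed sample configuration for this example, not a real device export
SAMPLE_CONFIG = """\
interface tunnel.1 ip 1.1.1.1/32
dns-sinkhole address 1.1.1.1
dns-server primary 8.8.8.8
dns-server secondary 4.2.2.2
interface ethernet1/2 ip 192.168.10.1/24
lab-host 192.0.2.10
"""

if __name__ == "__main__":
    for line_no, ip, note in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {ip} -> {note}")
```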
Help spread the word and educate users and admins alike.