Hello all!
The customer’s internal domain is customer.net. We know that’s a public domain (.net), but it predates us, and we don’t think that migrating to customer.local or something like that is viable in the given time.
We are deploying NPA and, so far, so good. The issue is that their domain exists on the internet and is not owned by the customer themselves. So, if a client resides outside the premises, it can resolve internal names to a public IP address. And since that domain seems to have some sort of catch-all resolution, everything gets resolved.
The security concerns are obvious: the owner of the public domain can learn all of their internal services hostnames and then deploy phishing sites, etc.
We have already blocked that IP address, but we are trying to block DNS resolution altogether. Although blocking other domains works, this one doesn’t, because it is defined in many private apps.
What can we do to successfully block these requests?
Thanks.
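As an added example (not part of the original post and not any vendor's tooling), here is a small Python check an admin could run from an off-network client to confirm whether names under the domain still resolve to a public address and whether the zone really is a catch-all. The domain customer.net is the one named in the post; the hostnames, the IP addresses and the stand-in resolver in the `__main__` block are constructed for illustration. The check generalizes slightly beyond the post: it also reports which names already return no answer, which is the state the poster is trying to reach.

```python
"""Detect internal hostnames that resolve to public IPs and wildcard (catch-all) zones.

Added example for the scenario in the post: the internal domain is a public .net
name owned by someone else, and that zone answers for every label. Hostnames and
addresses used below are constructed for illustration.
"""
import ipaddress
import secrets
import socket
from typing import Callable, Dict, List

# A resolver maps a hostname to a list of IP address strings ([] means no answer).
Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve with the OS resolver, i.e. whatever DNS path the client currently has."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def public_addresses(addrs: List[str]) -> List[str]:
    """Keep only globally routable addresses.

    ipaddress treats RFC 1918, loopback, link-local, CGNAT and the RFC 5737
    documentation ranges as non-global, so an answer in 10/8 is not a leak.
    """
    return [a for a in addrs if ipaddress.ip_address(a).is_global]


def is_catch_all(domain: str, resolver: Resolver, probes: int = 2) -> bool:
    """Treat the zone as catch-all when random, never-registered labels still get an answer."""
    for _ in range(probes):
        label = "probe-" + secrets.token_hex(6)  # e.g. probe-3fa9c1b2d4e5.customer.net
        if resolver(f"{label}.{domain}"):
            return True
    return False


def audit_internal_names(domain: str, hostnames: List[str],
                         resolver: Resolver = system_resolver) -> Dict[str, object]:
    """Report which of the given internal hostnames currently leak to a public IP.

    Result keys:
      catch_all : whether the zone answers for arbitrary labels
      leaking   : hostname -> public addresses it resolved to
      blocked   : hostnames under the domain that returned no answer (the desired state)
    Names outside the domain under review are ignored.
    """
    leaking: Dict[str, List[str]] = {}
    blocked: List[str] = []
    suffix = "." + domain.lower()
    for name in hostnames:
        if not name.lower().endswith(suffix):
            continue
        answers = resolver(name)
        pub = public_addresses(answers)
        if pub:
            leaking[name] = pub
        elif not answers:
            blocked.append(name)
    return {"catch_all": is_catch_all(domain, resolver),
            "leaking": leaking, "blocked": blocked}


if __name__ == "__main__":
    # Constructed stand-in for an off-premises client whose queries reach the public
    # customer.net zone: every label under it answers with the same public address.
    def off_premises(name: str) -> List[str]:
        return ["1.2.3.4"] if name.endswith(".customer.net") else []

    report = audit_internal_names(
        "customer.net",
        ["intranet.customer.net", "git.customer.net", "dc01.customer.net"],
        resolver=off_premises)
    print(report)
```

Run it with the default `system_resolver` from a laptop that is outside the office and connected through the client: once the block is effective, every name under the domain should land in `blocked` and `catch_all` should be False; any entry in `leaking` means that name still reaches the public zone.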