Preventing internal DNS request leakage

Internal domain lookups, including reverse DNS (PTR) queries often leak out to the public Internet on default gateway configurations. Not only is this unnecessary, it reveals operational details of internal networking infrastructure that is best kept private.

Many gateways and most endpoints will take the DNS suffix of a host and append it to DNS query FQDNs. For example, if your DNS suffix is, as is often the default, an endpoint requesting a domain lookup to visit Google, will submit two queries:

Only the first query should go out to any upstream resolver.

PTR (Reverse DNS) records also are commonly found leaking. A typical internal host will ask for a PTR record for its gateways, e.g. which looks like this:

PTR record for

It is unnecessary to reveal this to the public internet because it cannot answer PTR records for rfc1918 private IP addresses. Furthermore, leaking this information is bad operational security.

To prevent such DNS leakage, create and enable a forwarding rule (to such as this:

You will want to use your internal domain instead of

The full list of domains in that rule include all rfc1918 reverse DNS network domain names:

For the above rule to function properly, a localhost binding will need to be provisioned. This is part of our recommended configuration.

This rule and integrated configuration is included on all MSS+ sites.