
Author: Government Digital Service

Last updated: 2025-06-26

Name servers with private IPs

The domain has a name server (NS) record pointing to an IP address in a private range, for example:

127.0.0.0/8

10.0.0.0/8

192.168.0.0/16

Why this is a problem

Private IPs won’t resolve outside of their internal network, making the domain unreachable from the internet.

Including private IP addresses in public DNS could expose internal network details and configurations, potentially leading to security vulnerabilities. 

Including private IP addresses in a public name server record breaks the Technical requirements for authoritative name servers published by the Internet Assigned Numbers Authority (IANA).

Pointing a DNS nameserver to a private IP address can cause resolution failures and render services unreachable when called from a device on the public internet. It may lead to denylisting, network misconfiguration, and broader accessibility issues.

How to check if the problem is still there

Use dig to look up the NS records. Then check the A records of those name servers to find the IP addresses.

Example

dig ns example.gov.uk +short

ns1.example.com
ns2.example.com

then

dig a ns1.example.com +short

192.168.0.1

In this case the problem is still there because 192.168.0.1 is in a private or prohibited network range according to the IANA list linked above.

The issue is resolved when there is no longer a name server with a private or prohibited IP in the NS records.
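The two dig steps above can be joined into one check. This is an added example, not part of the original guidance or GDS code: the function names are hypothetical, the sample pairs are constructed, and the ranges beyond the three listed on this page (0.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 100.64.0.0/10) are other well-known private or special-use IPv4 ranges included as an assumption.

```sh
#!/bin/sh
# Added example, not GDS code. Ranges beyond the page's three examples
# (0/8, 172.16/12, 169.254/16, 100.64/10) are this example's assumption.

# is_non_public_ipv4 ADDR: 0 = in a listed range, 1 = not listed,
# 2 = not a dotted-quad IPv4 address (for example a CNAME target).
is_non_public_ipv4() {
  case "$1" in
    *[!0-9.]* | *..* | .* | *. | '') return 2 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1          # safe unquoted: only digits and dots reach this line
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 2
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 2
  done
  if [ "$1" -eq 0 ] || [ "$1" -eq 10 ] || [ "$1" -eq 127 ]; then return 0; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
  if [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then return 0; fi
  if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 0; fi
  return 1
}

# flag_non_public: read "nameserver address" pairs on stdin, print the pairs
# in a listed range, and return 1 if any were printed.
flag_non_public() {
  bad=0
  while read -r ns ip; do
    if is_non_public_ipv4 "$ip"; then
      printf '%s %s\n' "$ns" "$ip"
      bad=1
    fi
  done
  return "$bad"
}

# audit_domain DOMAIN: the page's two dig steps joined (needs dig and network).
audit_domain() {
  dig ns "$1" +short | while read -r ns; do
    dig a "$ns" +short </dev/null | while read -r ip; do printf '%s %s\n' "$ns" "$ip"; done
  done | flag_non_public
}

# Constructed sample pairs, in the shape audit_domain produces.
sample_pairs() {
  printf '%s\n' 'ns1.example.com 192.168.0.1' 'ns2.example.com 198.51.100.53'
}
sample_pairs | flag_non_public || true   # prints the ns1 line only
```

Running audit_domain with your own domain prints every name server that still resolves into a listed range and returns 0 once none remain.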

How to fix it

Remove the name server that resolves to a private IP from your name server records. If you need to route internal traffic, use a separate internal zone and name server.
