I have not seen that pointing a public DNS name to an RFC1918 address would be illegal or against any rules; I agree it may 'feel' weird. What is for sure is that clients on the public internet will not be able to reach your services if DNS points to unroutable IP space, so from that perspective it's not something very widespread. As well, you may consider that you are publicly publishing information about your internal IP addressing; but the same would apply for external IP addresses, and if someone connects to your guest network they would see the IP addresses as well.
And the alternative would be that you put your ClearPass server on a public IP address, but block traffic to it from outside in your firewall. I don't really see a difference from pointing to an unroutable IP.
The only thing that I have seen over the past years is that some firewalls (mostly consumer/home/SMB) block DNS responses with RFC1918 addresses, but that is because in small environments it may not be common to resolve private IP across a firewall.
You may ask the Consulting Engineer for a reference that this is illegal, and base your decision on that.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 06, 2022 02:42 PM
From: Daniel wolf
Subject: Guest Wireless DNS Server
Hi,
@Herman Robers may I ask you something about a point in your answer?
I'm also dealing with an FQDN which is resolved from a public DNS server to a private RFC1918 IP address... but a Consulting Engineer told me that it's illegal and not a typical configuration/solution, certainly not in a "productive" Guest Wireless environment!
I don't want to get in any trouble, so should I consider changing that concept?
Original Message:
Sent: Oct 19, 2020 04:52 AM
From: Herman Robers
Subject: Guest Wireless DNS Server
That is correct, you cannot have private IP space as an IP in a public certificate. It should be possible for public IPs if these are owned by you; it may not be possible if the IP is owned by the ISP. It's highly uncommon to have IP addresses in a certificate, and also not needed.
With a certificate that has a public host-name as SAN, I have for example cppm.nl.arubalab.com as a public certificate, you can still point to a private IP address, even in public DNS. If you look up cppm.nl.arubalab.com now, you will see that the IP resolves to 192.168.32.16, which is a perfectly valid situation as the certificate is validated during issuing typically against a DNS record or domain owner mail address, and you control the DNS records. Just make sure that you have a CA that can issue certificates with a different validation than connecting to the IP address as that is unreachable for the CA.
When published like this in your external DNS, then you can even use a public DNS service from your provider or the well-known others like 1.1.1.1, 4.4.4.4, 8.8.8.8, 9.9.9.9 or others all the time.
Some people think that you cannot have certificates pointing to private IP spaces, which is a misconception when using a valid public domain name and DNS. You just cannot have them point to a non-public domain name.
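Two things in this thread are worth checking mechanically before committing to the design: whether the answers you publish for a name are RFC1918 (and therefore unreachable from the internet, as the Oct 2020 post explains), and whether a resolver or firewall with "rebind protection" (the behaviour mentioned for consumer/SMB firewalls in the Dec 2022 reply) would silently drop those answers for your guests. The script below is an added example, not code from the thread or from Aruba; it models that filter on a set of constructed DNS answers (the cppm.nl.arubalab.com record is taken from the thread's own statement; the other names and addresses are made up, using reserved documentation ranges in place of real public IPs) and includes an optional live lookup through the system resolver.

```python
"""Classify DNS answers for a name and predict whether a 'rebind guard'
would drop them. Added example for the Airheads thread above; the sample
records are constructed, not fetched."""
import ipaddress
import socket

# The three RFC1918 blocks, spelled out so the check matches the thread's
# wording rather than ipaddress.is_private (which also covers documentation
# and other reserved ranges).
RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# What a typical rebind filter rejects: RFC1918, loopback, link-local, the
# "this network" block, and the IPv6 equivalents. This list is an assumption
# modelled on dnsmasq's --stop-dns-rebind behaviour; real products differ.
NON_ROUTABLE_BLOCKS = RFC1918_BLOCKS + tuple(
    ipaddress.ip_network(cidr)
    for cidr in ("127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
                 "::1/128", "fe80::/10", "fc00::/7")
)


def is_rfc1918(address: str) -> bool:
    """True if the address is IPv4 and inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(address)
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def rebind_guard(answers):
    """Apply the modelled filter to a list of A/AAAA answers.
    Returns (kept, dropped); a client behind such a filter sees only 'kept'."""
    kept, dropped = [], []
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        target = dropped if any(ip in b for b in NON_ROUTABLE_BLOCKS) else kept
        target.append(addr)
    return kept, dropped


def assess_public_record(hostname, answers):
    """Summarise what publishing these answers in public DNS implies for
    internet clients and for guests behind a rebind-protecting resolver."""
    private = [a for a in answers if is_rfc1918(a)]
    public = [a for a in answers if not is_rfc1918(a)]
    kept, dropped = rebind_guard(answers)
    return {
        "hostname": hostname,
        "private_answers": private,
        "public_answers": public,
        # Reachable from the internet only if at least one answer is not RFC1918.
        "reachable_from_internet": bool(public),
        "dropped_by_rebind_guard": dropped,
        # The name still resolves behind the guard only if something survives.
        "resolvable_behind_rebind_guard": bool(kept),
    }


def live_answers(hostname):
    """Ask the system resolver for the name's addresses (needs network access;
    not used by the offline demo below)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


# Constructed sample data. The first record reproduces what the thread says
# cppm.nl.arubalab.com resolved to; the rest are invented, with 203.0.113.0/24,
# 198.51.100.0/24 and 2001:db8::/32 standing in for public addresses.
SAMPLE_RECORDS = {
    "cppm.nl.arubalab.com": ["192.168.32.16"],
    "portal.example.net": ["203.0.113.10", "10.20.30.40"],
    "www.example.net": ["198.51.100.5", "2001:db8::5"],
}

if __name__ == "__main__":
    for name, answers in SAMPLE_RECORDS.items():
        report = assess_public_record(name, answers)
        print(f"{name}: internet-reachable={report['reachable_from_internet']}, "
              f"resolves behind rebind guard={report['resolvable_behind_rebind_guard']}, "
              f"dropped={report['dropped_by_rebind_guard']}")
```

If a guest SSID hands out a resolver that behaves like `rebind_guard`, a name that only has RFC1918 answers will simply fail to resolve for guests, which is the symptom the Dec 2022 reply describes; the fix is on the resolver (for example dnsmasq's `--rebind-domain-ok=` or Unbound's `private-domain:` allow-listing for that zone), not on the certificate, since the CA validated the DNS name, not the address.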