Security risk with using internal IP on public DNS

There is another risk using private / LAN IP addresses for public DNS records.

Suppose you have a laptop user in your LAN, who uses web.company.com (which resolves for example to 192.168.178.10).

If this user connects his laptop to another network (wifi!), and tries to use web.company.com, it will resolve to 192.168.178.1 using the public DNS entry. It may be possible that the IP address 192.168.178.10 corresponds to a machine on this foreign network. The laptop will then send information to this machine, which may even include plain text credentials, cookies or other data.

It may even be possible to set up a sort of honeypot using some detailed knowledge of the LAN.


Including private IPs in public DNS entries is not ideal because it provides a would-be attacker with:

  • An indication of what your internal subnets are;
  • Actual IP addresses for specific internal resource(s).

Neither is likely to result in a direct compromise, but either can assist with an attack or facilitate onward compromise.

Generally speaking, leaking information about your internal network and resources hosted on it should be avoided.

From your question, it seems the internal resources are only intended for VPN users, so it might be more appropriate to have an internal DNS which VPN users can access. This avoids any issues with including 'sensitive' information in public DNS records.
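A defender-side check for the issue both answers describe, as an added example that is not part of the original answers: it scans zone-file text for A/AAAA records that point into internal ranges. The sample zone is constructed (only `web` and 192.168.178.10 come from the page), and the function names and the simplified parser (one record per line, explicit owner name) are assumptions.

```python
import ipaddress

# Ranges that should never appear in a publicly served zone.
INTERNAL = [(label, ipaddress.ip_network(net)) for label, net in [
    ("RFC 1918", "10.0.0.0/8"), ("RFC 1918", "172.16.0.0/12"),
    ("RFC 1918", "192.168.0.0/16"), ("loopback", "127.0.0.0/8"),
    ("link-local", "169.254.0.0/16"), ("link-local", "fe80::/10"),
    ("IPv6 unique local", "fc00::/7"), ("loopback", "::1/128"),
]]

# Constructed sample zone; only web / 192.168.178.10 comes from the page.
SAMPLE_ZONE = """\
$ORIGIN company.com.
www    300  IN A     203.0.113.10     ; documentation range, stands in for a public IP
web    300  IN A     192.168.178.10   ; the record discussed above
mail        IN A     172.20.1.5
vpn    3600 IN AAAA  fd12:3456:789a::1
a           IN A     203.0.113.11     ; owner literally named "a"
"""

def classify(addr):
    """Return the label of the internal range containing addr, or None."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    for label, net in INTERNAL:
        if ip.version == net.version and ip in net:
            return label
    return None

def audit_zone(zone_text):
    """Return (owner, type, address, label) for each A/AAAA record in an internal range."""
    findings = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # strip comments, tokenize
        # TTL and class are optional, so search for the type token after the owner.
        for i in range(1, len(fields) - 1):
            if fields[i].upper() in ("A", "AAAA"):
                try:
                    label = classify(fields[i + 1])
                except ValueError:
                    label = None  # malformed rdata: not an address, skip
                if label:
                    findings.append((fields[0], fields[i].upper(), fields[i + 1], label))
                break
    return findings

if __name__ == "__main__":
    for owner, rtype, addr, label in audit_zone(SAMPLE_ZONE):
        print(f"{owner}: {rtype} {addr} is in an internal range ({label})")
```

Records flagged this way are candidates for moving to an internal or split-horizon resolver, as the second answer suggests.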

Tags: Dns, Firewalls