[dns-operations] blocking recursers

JP Velders jpv at veldersjes.net
Sat Mar 25 21:57:29 UTC 2006


Date: Sat, 25 Mar 2006 14:45:26 -0700
From: Rodney Joffe <rjoffe at centergate.com>
Subject: Re: [dns-operations] blocking recursers

> [ ... ]
> What if not providing service to that small group meant that the 
> "larger" group i.e. the "rest of the world" had uninterrupted 
> service, and conversely if that small group did not have service 
> removed, the "rest of the world" continued to have intermittently 
> interrupted service with varying degrees of inconvenience (to 
> include catastrophic consequences)? Remember, we're talking about 
> your "Tier 2" here.

I get your point, and agree with it. However, I do think that the 
decision for tier 1 or 2 should be made less "lightly" than for 
tier 3. By "less lightly" I mean that apart from nullrouting, 
ACL'ing, or whatever, you need to be sure to avoid ending up with 
some of the mess we have with the bogon issues when new blocks are 
assigned by IANA to RIRs and then taken into production.

> [ ... ]
> > Mainly because of all the fragmentation of those "we're doing this 
> > for the greater good"-clubs in the SMTP world, and everybody just 
> > doing sweeps on netblocks, well, it's chaos at best. Doing it for 
> > IP's contacting you would make me feel a bit easier. ;)

> Would you define this as "IP's (sic) contacting you" or as "IP's 
> contacting you with malicious traffic, whether innocently or not"?

Any IP contacting my nameservers, so to speak. But to make it practical 
you'd probably want to limit yourself to only suspect ones (by 
whatever -very local!- criterion that entails). But doing it with 
every query you get would be a definite no-no (imagine a bunch of 
resolvers doing that over and over again... ;D)...

Kind regards,
JP Velders
