[dns-operations] blocking recursers
jpv at veldersjes.net
Sat Mar 25 21:57:29 UTC 2006
Date: Sat, 25 Mar 2006 14:45:26 -0700
From: Rodney Joffe <rjoffe at centergate.com>
Subject: Re: [dns-operations] blocking recursers
> [ ... ]
> What if not providing service to that small group meant that the
> "larger" group i.e. the "rest of the world" had uninterrupted
> service, and conversely if that small group did not have service
> removed, the "rest of the world" continued to have intermittently
> interrupted service with varying degrees of inconvenience (to
> include catastrophic consequences)? Remember, we're talking about
> your "Tier 2" here.
I get your point, and agree with it. However, I do think that making
the decision for tier 1 or 2 should be made less "lightly" than for
tier 3. With "less lightly" I mean that apart from nullrouting,
ACL'ing, or whatever, you need to be sure to avoid ending up with
some of the mess we have with the bogon issues when new blocks are
assigned by IANA to RIRs and then taken into production.
> [ ... ]
> > Mainly because of all the fragmentation of those "we're doing this
> > for the greater good"-clubs in the SMTP world, and everybody just
> > doing sweeps on netblocks, well, it's chaos at best. Doing it for
> > IP's contacting you would make me feel a bit easier. ;)
> Would you define this as "IP's (sic) contacting you" or as "IP's
> contacting you with malicious traffic, whether innocently or not"?
Any IP contacting my nameservers, so to speak. But to make it practical
you'd probably want to limit yourself to only suspect ones (by
whatever -very local!- criterion that entails). But doing it with
every query you get would be a definite no-no (imagine a bunch of
resolvers doing that over and over again... ;D)...
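The approach sketched in the message above (block only sources that trip a local "suspect" criterion on your own nameserver, and keep the block list from going stale the way unmaintained bogon filters do) as an added example; this is not code from the thread, from BIND, or from any named project. It assumes a hypothetical BIND-style query-log line format, constructed sample log lines, and site-chosen thresholds (MAX_QUERIES, MAX_ANY, BLOCK_TTL); all of these are assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical BIND-style query-log line format assumed for this example:
#   "<timestamp> client <ip>#<port>: query: <qname> IN <qtype> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)(?: (?P<flags>\S+))?$"
)

# Local thresholds; what counts as "suspect" is deliberately a site-specific choice.
MAX_QUERIES = 5          # total queries from one source within the log window
MAX_ANY = 3              # ANY queries from one source (classic amplification pattern)
BLOCK_TTL = timedelta(days=1)   # every block expires unless it is re-earned

# Fixed "now" so the example is reproducible offline (assumed, not real time).
DEMO_NOW = datetime(2006, 3, 25, 22, 0, 0)

# Constructed sample log lines (not real traffic): 192.0.2.10 sends 4 ANY
# queries, 203.0.113.5 sends 6 A queries, 198.51.100.7 sends 2 A queries.
SAMPLE_LOG = "\n".join(
    [f"2006-03-25T21:00:0{i} client 192.0.2.10#4421: query: example.net IN ANY +"
     for i in range(4)]
    + [f"2006-03-25T21:01:0{i} client 203.0.113.5#5300: query: www.example.net IN A +"
       for i in range(6)]
    + [f"2006-03-25T21:02:0{i} client 198.51.100.7#1025: query: mail.example.net IN A +"
       for i in range(2)]
)


def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_suspects(lines, max_queries=MAX_QUERIES, max_any=MAX_ANY):
    """Map source IP -> reason for every source that exceeds a local threshold.

    Only sources seen in our own log are considered: this is a per-server
    decision based on traffic that actually reached us, not a sweep of
    someone else's netblocks.
    """
    total = Counter()
    any_q = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total[rec["ip"]] += 1
        if rec["qtype"].upper() == "ANY":
            any_q[rec["ip"]] += 1
    suspects = {}
    for ip, n in total.items():
        if any_q[ip] > max_any:
            suspects[ip] = "any-flood"
        elif n > max_queries:
            suspects[ip] = "query-rate"
    return suspects


def build_blocklist(suspects, now, ttl=BLOCK_TTL):
    """Attach an expiry to every block so the list cannot silently go stale."""
    return [{"ip": ip, "reason": reason, "expires": now + ttl}
            for ip, reason in sorted(suspects.items())]


def prune_blocklist(blocklist, now):
    """Drop expired entries; run this before every reload of the ACL."""
    return [e for e in blocklist if e["expires"] > now]


def render_bind_acl(blocklist, name="suspect-recursers"):
    """Render live entries as a BIND acl statement, one address per line."""
    body = "".join(
        f"    {e['ip']};  // {e['reason']}, until {e['expires'].isoformat()}\n"
        for e in blocklist
    )
    return f'acl "{name}" {{\n{body}}};\n'


if __name__ == "__main__":
    live = prune_blocklist(
        build_blocklist(find_suspects(SAMPLE_LOG.splitlines()), DEMO_NOW), DEMO_NOW)
    print(render_bind_acl(live), end="")
```

The generated acl is meant to be referenced negated from an address match list in named.conf (for example `allow-recursion { !suspect-recursers; localnets; };`), and regenerated from fresh logs on a schedule; because every entry carries an expiry and prune_blocklist() runs before each reload, a source that stops misbehaving drops off the list on its own instead of lingering the way a forgotten bogon filter does.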