[dns-operations] [QUAR] Reducing AS112 traffic
Andrew Sullivan
andrew at ca.afilias.info
Mon Nov 12 17:15:10 UTC 2007
On Mon, Nov 12, 2007 at 12:02:23PM -0500, Sidney Faber wrote:
> No doubt, making the DNS server authoritative for private zones is the
> best, first case, and if everyone did it, there wouldn't be any AS112
> traffic. Unfortunately, not everyone can, so is there some additional
> advice we can give them? What can I tell the multinational corporation
> that has a manageable set of network choke points, but very little
> control over how protocols are used within individual enclaves? Or the
> super-paranoid small enterprise that wants multiple layers to make sure
> no internal addressing info leaked out at all?
I don't understand. If they are using DNS, then there are a few
possibilities:
1. They're running some servers that do recursion. Then they can
(basically) run their own AS112 system, and everything will
work fine.
2. They're _not_ running servers to do their recursion. In that
case, they presumably have some kind of relationship with some
vendor that is running their DNS, so they can have that vendor
do (1) for them.
3. They're "super paranoid", but their employees do whatever they
want on the network. In this case, it seems, they need to add
some more competent IT staff to do (1) or (2), so that the
employees don't have to work around a broken network. Nobody
would choose to do the extra work of running their own
recursing resolver if a solid, good, and reliable facility was
provided. And if they really wanted to stop the traffic at
that point, outbound traffic on port 53 could be disallowed,
for the obvious reason.
A
--
Andrew Sullivan 204-4141 Yonge Street
Afilias Canada Toronto, Ontario Canada
<andrew at ca.afilias.info> M2P 2A8
jabber: ajsaf at jabber.org +1 416 646 3304 x4110
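The two measures in the reply above (point 1, being authoritative for the private-address reverse zones so the queries never leave the network, plus a way to measure what would otherwise leak) as an added example that is not part of the original post or of the dns-operations list. The script classifies query names against the reverse zones AS112 serves for the RFC 1918 ranges (10.in-addr.arpa, 16.172.in-addr.arpa through 31.172.in-addr.arpa, 168.192.in-addr.arpa), counts hits in a constructed BIND-style query log, and renders the named.conf zone stanzas that would sink those zones locally. The log lines, the zone-file path /etc/bind/db.empty and the stanza format are assumptions for illustration; the zone file itself must carry at least an SOA and an NS record, and recent BIND releases already serve these zones by default (see the empty-zones-enable option), so the stanzas matter for older servers or other software.

```python
"""Local AS112 sink helper (added example, not from the dns-operations post).

Two jobs:
  1. count which queries in a resolver's query log would have gone to AS112;
  2. render BIND zone stanzas that make a server authoritative for those
     zones, so the answers (NXDOMAIN) come from inside the network instead.
"""
import re
from collections import Counter

# Reverse zones AS112 serves for the RFC 1918 ranges:
# 10/8, 172.16/12 (sixteen /16 reverse zones) and 192.168/16.
AS112_ZONES = (
    ["10.in-addr.arpa"]
    + ["%d.172.in-addr.arpa" % n for n in range(16, 32)]
    + ["168.192.in-addr.arpa"]
)


def as112_zone_for(qname):
    """Return the AS112 zone that owns qname, or None if the query would not
    end up at AS112.  Case-insensitive; a trailing dot is ignored."""
    name = qname.rstrip(".").lower()
    for zone in AS112_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


# Constructed sample of a BIND "queries" category log (format approximated,
# lines made up for this example).  172.15/16 is NOT private, so the fourth
# line must not be counted.
SAMPLE_LOG = """\
12-Nov-2007 17:01:02.123 client 192.168.1.10#53124: query: 5.1.168.192.in-addr.arpa IN PTR + (192.168.1.1)
12-Nov-2007 17:01:02.456 client 192.168.1.10#53125: query: www.example.com IN A + (192.168.1.1)
12-Nov-2007 17:01:03.001 client 10.0.0.7#41000: query: 20.30.16.172.in-addr.arpa IN PTR + (192.168.1.1)
12-Nov-2007 17:01:03.002 client 10.0.0.7#41001: query: 20.30.15.172.in-addr.arpa IN PTR + (192.168.1.1)
12-Nov-2007 17:01:04.777 client 10.0.0.7#41002: query: 1.2.3.10.IN-ADDR.ARPA IN PTR + (192.168.1.1)
"""

QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")


def count_leaks(log_text):
    """Count queries per AS112 zone.  Returns a Counter keyed by zone name;
    names outside AS112 space are not counted."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        zone = as112_zone_for(m.group(1))
        if zone:
            hits[zone] += 1
    return hits


def bind_zone_stanzas(zone_file="/etc/bind/db.empty"):
    """Render named.conf 'zone' stanzas making this server authoritative for
    every AS112 zone.  zone_file (assumed path) must hold a minimal zone
    with an SOA and an NS record; every name under it then gets NXDOMAIN
    locally instead of being forwarded to AS112."""
    return "\n".join(
        'zone "%s" { type master; file "%s"; };' % (zone, zone_file)
        for zone in AS112_ZONES
    )


if __name__ == "__main__":
    for zone, n in sorted(count_leaks(SAMPLE_LOG).items()):
        print("%-22s %d" % (zone, n))
    print(bind_zone_stanzas())
```

Run it against a real query log to see how much AS112-bound traffic a resolver is generating before and after the zones are loaded; a count that stays non-zero afterwards points at clients that bypass the resolver, which is the case the reply answers with a block on outbound port 53.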