[dns-operations] [QUAR] Reducing AS112 traffic

Andrew Sullivan andrew at ca.afilias.info
Mon Nov 12 17:15:10 UTC 2007


On Mon, Nov 12, 2007 at 12:02:23PM -0500, Sidney Faber wrote:
> No doubt, making the DNS server authoritative for private zones is the
> best, first case, and if everyone did it, there wouldn't be any AS112
> traffic.  Unfortunately, not everyone can, so is there some additional
> advice we can give them?  What can I tell the multinational corporation
> that has a manageable set of network choke points, but very little
> control over how protocols are used within individual enclaves?  Or the
> super-paranoid  small enterprise that wants multiple layers to make sure
> no internal addressing info leaked out at all?

I don't understand.  If they are using DNS, then there are a few
possibilities:

1.      They're running some servers that do recursion.  Then they can
        (basically) run their own AS112 system, and everything will
        work fine.

2.      They're _not_ running servers to do their recursion.  In that
        case, they presumably have some kind of relationship with some
        vendor that is running their DNS, so they can have that vendor
        do (1) for them.

3.      They're "super paranoid", but their employees do whatever they
        want on the network.  In this case, it seems, they need to add
        some more competent IT staff to do (1) or (2), so that the
        employees don't have to work around a broken network.  Nobody
        would choose to do the extra work of running their own
        recursing resolver if a solid, good, and reliable facility was
        provided.  And if they really wanted to stop the traffic at
        that point, outbound traffic on port 53 could be disallowed,
        for the obvious reason.

A


-- 
Andrew Sullivan                         204-4141 Yonge Street
Afilias Canada                        Toronto, Ontario Canada
<andrew at ca.afilias.info>                              M2P 2A8
jabber: ajsaf at jabber.org                 +1 416 646 3304 x4110



More information about the dns-operations mailing list