[dns-operations] [QUAR] Reducing AS112 traffic

Simon Waters simonw at zynet.net
Mon Nov 12 17:24:23 UTC 2007


On Monday 12 November 2007 17:02, Sidney Faber wrote:
>
> No doubt, making the DNS server authoritative for private zones is the
> best, first case, and if everyone did it, there wouldn't be any AS112
> traffic.  Unfortunately, not everyone can, so is there some additional
> advice we can give them?  What can I tell the multinational corporation
> that has a manageable set of network choke points, but very little
> control over how protocols are used within individual enclaves? 

Block port 53 except for servers configured to the BCP? That'll usually get 
folks using the corporate DNS servers, they might want to monitor it a bit 
first.

> Or the 
> super-paranoid  small enterprise that wants multiple layers to make sure
> no internal addressing info leaked out at all?

Run their own root server, and access the web via systems (not merely HTTP 
proxies) in the DMZ only. Or didn't you mean "THAT" paranoid?

 Simon
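An added example, not part of Simon's message or the thread: a monitoring pass of the kind suggested above, run before enforcing a port 53 block. It takes outbound DNS queries seen at a choke point, counts the sources the block would cut off, and lists reverse lookups for private address space that are still leaving the network. The resolver addresses, record layout and sample data are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: the only hosts allowed to send port 53 traffic past the choke point.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# RFC 1918 and link-local space, whose in-addr.arpa zones AS112 servers answer for.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample: (source IP, destination IP, query name, query type)
SAMPLE = [
    ("10.0.0.53", "198.51.100.1", "www.example.com.", "A"),
    ("10.2.3.4", "203.0.113.9", "7.1.168.192.in-addr.arpa.", "PTR"),
    ("10.2.3.4", "203.0.113.9", "example.org.", "A"),
    ("10.0.1.53", "198.51.100.1", "5.0.16.172.in-addr.arpa.", "PTR"),
    ("10.9.9.9", "203.0.113.9", "4.4.8.8.in-addr.arpa.", "PTR"),
]

def is_private_reverse(qname):
    """True if qname falls under an in-addr.arpa zone for private or link-local space."""
    name = qname.lower().rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        return False
    octets = list(reversed(name[:-len(".in-addr.arpa")].split(".")))
    if len(octets) > 4 or not all(o.isdecimal() and int(o) <= 255 for o in octets):
        return False
    vals = [int(o) for o in octets]
    addr = ipaddress.IPv4Address(bytes(vals + [0] * (4 - len(vals))))  # pad zone-level names
    return any(addr in net for net in PRIVATE_NETS)

def audit(records, approved=APPROVED_RESOLVERS):
    """Return (per-source count of queries a port 53 block would stop, leaked private lookups)."""
    bypass, leaks = Counter(), []
    for src, _dst, qname, _qtype in records:
        if src not in approved:
            bypass[src] += 1          # client talking DNS directly to the outside
        if is_private_reverse(qname):
            leaks.append((src, qname))  # query that ends up at the AS112 servers
    return bypass, leaks

if __name__ == "__main__":
    bypass, leaks = audit(SAMPLE)
    print("would be blocked:", dict(bypass))
    print("private reverse lookups leaving the network:", leaks)
```

A leak whose source is an approved resolver means that resolver is not yet authoritative for the private zones, so the port 53 block alone would not stop those queries.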


