[dns-operations] [QUAR] Reducing AS112 traffic
Simon Waters
simonw at zynet.net
Mon Nov 12 17:24:23 UTC 2007
On Monday 12 November 2007 17:02, Sidney Faber wrote:
>
> No doubt, making the DNS server authoritative for private zones is the
> best, first case, and if everyone did it, there wouldn't be any AS112
> traffic. Unfortunately, not everyone can, so is there some additional
> advice we can give them? What can I tell the multinational corporation
> that has a manageable set of network choke points, but very little
> control over how protocols are used within individual enclaves?

Block port 53 except for servers configured to the BCP? That'll usually get
folks using the corporate DNS servers, they might want to monitor it a bit
first.

> Or the
> super-paranoid small enterprise that wants multiple layers to make sure
> no internal addressing info leaked out at all?

Run their own root server, and access the web via systems (not merely HTTP
proxies) in the DMZ only. Or didn't you mean "THAT" paranoid?

Simon
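
One way to do the "monitor it a bit first" step at a choke point, as an added example that is not part of the original message: it counts which internal hosts send DNS straight out instead of via the approved resolvers, and which sources emit reverse lookups for the private zones AS112 serves. The record format, function names and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Reverse zones for RFC 1918 and link-local space, the zones AS112 servers answer.
AS112_ZONES = (["10.in-addr.arpa", "168.192.in-addr.arpa", "254.169.in-addr.arpa"]
               + [f"{n}.172.in-addr.arpa" for n in range(16, 32)])

def is_as112_name(qname):
    """True if qname is at or below one of the AS112 reverse zones."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in AS112_ZONES)

def audit_egress(lines, approved_resolvers,
                 internal=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Summarise DNS leaving a choke point before a port 53 block goes in.

    Each line (hypothetical format): "<src> <dst> <dport> <qtype> <qname>".
    Returns (bypass, leaks): queries per non-approved source, and AS112-bound
    queries per source. Approved resolvers can appear in leaks; that means
    they still need the private zones served locally.
    """
    approved = {ipaddress.ip_address(a) for a in approved_resolvers}
    nets = [ipaddress.ip_network(n) for n in internal]
    bypass, leaks = Counter(), Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or fields[2] != "53":
            continue  # not a DNS record in this format
        src, dst = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
        if any(dst in n for n in nets):
            continue  # query stayed inside the network, not egress
        if src not in approved:
            bypass[str(src)] += 1
        if is_as112_name(fields[4]):
            leaks[str(src)] += 1
    return bypass, leaks

# Constructed sample records (documentation addresses), not real traffic.
SAMPLE = [
    "10.1.1.5 198.51.100.1 53 A www.example.com",           # approved resolver
    "10.1.1.5 198.51.100.1 53 PTR 7.2.1.10.in-addr.arpa",   # resolver leaking
    "10.9.3.20 192.0.2.53 53 A www.example.com",            # host bypassing
    "10.9.3.20 192.0.2.53 53 PTR 4.3.168.192.in-addr.arpa", # bypass and leak
    "10.9.3.21 10.1.1.5 53 A intranet.example.com",         # internal, ignored
    "10.9.3.22 192.0.2.53 443 - -",                         # not DNS
    "10.9.3.23 192.0.2.53 53 PTR 1.0.32.172.in-addr.arpa",  # 172.32/16 is public
]

if __name__ == "__main__":
    print(audit_egress(SAMPLE, ["10.1.1.5"]))
```

Hosts listed in the first counter are the ones a port 53 block would break; sources in the second are still generating AS112-bound queries.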