[dns-operations] [QUAR] Reducing AS112 traffic

Sidney Faber sfaber at cert.org
Mon Nov 12 20:17:17 UTC 2007

Good points, all, but let me step back for a second here.  What I'm
trying to do is leverage the cost/benefit ratio.  If I can reduce
implementation cost (effort) and show increased benefit, maybe I can
convince the average shop to contain their AS112 traffic.  Right now I'm
looking at costs.

It's resource-expensive to run a site-local AS112 system.  At a minimum,
it takes coordinated network & server operations, change control, test &
backout plans, etc.  Let's take that solution off the table for a minute
and see if we can come up with something simpler.

It seems *much* more cost effective (simple) to firewall or ACL (everyone already blocks RFC1918, why not this too?).
I'm seeking your advice on whether or not this is a good alternative.

It's also *much* more cost effective to make internal DNS changes for
prisoner, blackhole-1 and blackhole-2.iana.org.  But that assumes I've
already updated for 10.in-addr.arpa, etc., so I'm seeking your advice on
whether this provides any additional benefit.

Some shops may have room on an existing DNS server but not be willing to
participate in AS112 anycasting (no reason other than that it's new &
different).  So I'm seeking your advice on whether it makes sense for
them to just insert a static internal route for AS112 to redirect the

Andrew Sullivan wrote:
> On Mon, Nov 12, 2007 at 12:02:23PM -0500, Sidney Faber wrote:
>> No doubt, making the DNS server authoritative for private zones is the
>> best, first case, and if everyone did it, there wouldn't be any AS112
>> traffic.  Unfortunately, not everyone can, so is there some additional
>> advice we can give them?  What can I tell the multinational corporation
>> that has a manageable set of network choke points, but very little
>> control over how protocols are used within individual enclaves?  Or the
>> super-paranoid small enterprise that wants multiple layers to make sure
>> no internal addressing info leaked out at all?
> I don't understand.  If they are using DNS, then there are a few
> possibilities:
> 1.      They're running some servers that do recursion.  Then they can
>         (basically) run their own AS112 system, and everything will
>         work fine.
> 2.      They're _not_ running servers to do their recursion.  In that
>         case, they presumably have some kind of relationship with some
>         vendor that is running their DNS, so they can have that vendor
>         do (1) for them.
> 3.      They're "super paranoid", but their employees do whatever they
>         want on the network.  In this case, it seems, they need to add
>         some more competent IT staff to do (1) or (2), so that the
>         employees don't have to work around a broken network.  Nobody
>         would choose to do the extra work of running their own
>         recursing resolver if a solid, good, and reliable facility was
>         provided.  And if they really wanted to stop the traffic at
>         that point, outbound traffic on port 53 could be disallowed,
>         for the obvious reason.
> A

Sid Faber, Member of the Technical Staff
Software Engineering Institute
Carnegie Mellon University
sfaber at cert.org
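As an added example (not from the thread or from any of the posters), a quick way to quantify the benefit side of the cost/benefit question above: a script that scans resolver query-log lines for names under the AS112-served reverse zones, i.e. the queries that would leave the site unless they are answered locally or blocked at the choke points. The log lines are constructed samples in the shape of a BIND query log; the zone list is the AS112 project's published set (the RFC 1918 reverse zones plus 254.169.in-addr.arpa for IPv4 link-local).

```python
import re
from collections import Counter

# Reverse zones served by the AS112 project: RFC 1918 space plus IPv4
# link-local. A query for any name under one of these would be sent to
# prisoner/blackhole-1/blackhole-2 if no local server answers it first.
AS112_ZONES = (
    ["10.in-addr.arpa"]
    + [f"{i}.172.in-addr.arpa" for i in range(16, 32)]
    + ["168.192.in-addr.arpa", "254.169.in-addr.arpa"]
)

# Matches the "query: <name> IN <type>" part of a BIND-style query log line.
QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")


def as112_zone(qname):
    """Return the AS112 zone that would answer qname, or None if it is not
    under any of them. Comparison is case-insensitive and label-aligned, so
    1.110.in-addr.arpa does not match 10.in-addr.arpa."""
    name = qname.rstrip(".").lower()
    for zone in AS112_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def summarize(log_lines):
    """Count queries per AS112 zone across resolver log lines."""
    counts = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        zone = as112_zone(m.group(1))
        if zone:
            counts[zone] += 1
    return dict(counts)


# Constructed sample log lines (hypothetical clients and names, not real data).
SAMPLE_LOG = [
    "12-Nov-2007 20:17:17.001 client 10.1.2.3#53214: query: 5.4.3.10.in-addr.arpa IN PTR + (10.0.0.1)",
    "12-Nov-2007 20:17:17.002 client 10.1.2.3#53215: query: 9.8.20.172.in-addr.arpa IN PTR + (10.0.0.1)",
    "12-Nov-2007 20:17:17.003 client 10.1.2.4#40001: query: www.example.com IN A + (10.0.0.1)",
    "12-Nov-2007 20:17:17.004 client 10.1.2.5#40002: query: 7.1.168.192.in-addr.arpa IN PTR + (10.0.0.1)",
    "12-Nov-2007 20:17:17.005 client 10.1.2.5#40003: query: 1.2.3.4.in-addr.arpa IN PTR + (10.0.0.1)",
    "12-Nov-2007 20:17:17.006 client 10.1.2.6#40004: query: 10.IN-ADDR.ARPA IN SOA + (10.0.0.1)",
]

if __name__ == "__main__":
    for zone, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:6d}  {zone}")
```

Run it against a day of real query logs to see how much of the recursion budget is going to AS112 before deciding whether the firewall rule or the local zones are worth the change-control effort.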
