[dns-operations] [QUAR] Reducing AS112 traffic

Sidney Faber sfaber at cert.org
Mon Nov 12 23:06:16 UTC 2007


Yes, there's two very specific cases I have in mind from what I've seen
within the DITL AS112 pcaps.

First, there's the large corporate network where HQ has control of the
routing infrastructure, but not the DNS infrastructure.  HQ acts as an
ISP for its branch offices.  They can not configure empty zones to serve
(the most popular external DNS service is often 4.2.2.1,2).  They can
potentially stand up a site-local AS112 node, but it's not easy.  It is
easy for them to ACL addresses, they do it all the time to protect their
infrastructure.  Is it a legitimate alternative to recommend they ACL
the traffic?

Second, there's the wandering laptop.  Granted, not a big traffic
generator, perhaps not a big deal, but perhaps something we can deal
with.  The laptop's configured by policy to dynamically register its DNS
connection to prisoner.  Setting aside whether or not this is a concern,
is it legitimate to recommend that policy on managed networks should
always have the DHCP server do the registration, and turn registration
off by default for clients?

Thanks once again for your feedback, I appreciate the insights and help
clarifying what I'm trying to say (and whether it's reasonable!)

Doug Barton wrote:
> On Mon, 12 Nov 2007, Andrew Sullivan wrote:
> 
>> On Mon, Nov 12, 2007 at 03:17:17PM -0500, Sidney Faber wrote:
>>>
>>> It's resource-expensive to run a site-local AS112 system.  At a minimum,
>>
>> I think
>> http://tools.ietf.org/html/draft-ietf-dnsop-default-local-zones-02
>> doesn't say "run a local AS112" system.  It says "here are zones you
>> should serve, as empty zones."  At least, that's what I read there.
>> I'm known to be mistaken about these things sometimes, though.
> 
> Yes, that's what it says.
> 
> Sidney, I'm having trouble understanding your problem space here. Are
> you saying, "Given that I cannot control all resolving name servers on
> my network, and given that I therefore cannot enforce a policy of
> serving empty zones for RFC 1918-related zones, AS112-related zones,
> etc.; I must therefore create a solution that will somehow contain
> queries inside my network that otherwise would go out to the Internet?"
> 
> Doug
> 

-- 
Sid Faber, Member of the Technical Staff
CERT
Software Engineering Institute
Carnegie Mellon University
sfaber at cert.org



More information about the dns-operations mailing list