[dns-operations] Reducing AS112 traffic
Sidney Faber
sfaber at cert.org
Mon Nov 19 15:25:24 UTC 2007
(1) should have been:
Create in-addr.arpa zones for private address space as per
http://tools.ietf.org/html/draft-ietf-dnsop-default-local-zones-02
Sorry for the confusion.
I'm really interested in your response to Paul's comment, this was based on
http://ietfreport.isoc.org/idref/draft-jabley-as112-being-attacked-help-help/,
para 7, and Joe's given an example of at least one unintended
consequence. Should this never be a recommendation?

   Possible measures which might be taken to prevent these queries
   include:

   ...

   2.  Block reverse DNS queries to the AS112 servers from leaving the
       site using firewalls between the site and the Internet.  Although
       this might appear to be sensible, such a measure might have
       unintended consequences: the inability to receive an answer to
       reverse DNS queries might lead to long DNS lookup timeouts, for
       example, which could cause applications to malfunction.

Paul Vixie wrote:
>> (3) Block traffic to 192.175.48.0/24, but only do this if you've
>> already done (1) or (2) and you're sure you won't impact operations.
>
> i don't think (3) is right. when we started AS112 we could have assigned
> these zones to servers in private address space, or to servernames like "."
> or addresses like 0.0.0.0 or 127.0.0.1. we chose a real netblock because
> we wanted this to be a real service. if an enclave can't do (1) or (2)
> then i think i'd prefer to be able to measure their traffic as part of
> this "whole internet" thing. also, a recommendation such as (3) creates a
> new kind of private address space, which really should be beyond our powers.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
--
Sid Faber, Member of the Technical Staff
CERT
Software Engineering Institute
Carnegie Mellon University
sfaber at cert.org
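
Added example, not part of the original message: a sketch of measure (1) that derives the in-addr.arpa zones for private address space, prints BIND zone statements for them, and checks which PTR query names a resolver would otherwise send off site. It assumes "private address space" means the three RFC 1918 blocks; the zone file name db.empty and the sample query names are constructed for illustration.

```python
import ipaddress

# Assumption: "private address space" in measure (1) means the three RFC 1918 blocks.
PRIVATE_BLOCKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zones(cidr):
    """Return the octet-aligned in-addr.arpa zones that cover cidr."""
    net = ipaddress.ip_network(cidr)
    octet_prefix = -(-net.prefixlen // 8) * 8  # round up: a /12 becomes sixteen /16s
    zones = []
    for sub in net.subnets(new_prefix=octet_prefix):
        labels = str(sub.network_address).split(".")[: octet_prefix // 8]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


LOCAL_ZONES = [z for block in PRIVATE_BLOCKS for z in reverse_zones(block)]


def covering_zone(qname):
    """Return the local zone that would answer qname, or None if there is none."""
    name = qname.lower().rstrip(".")
    for zone in LOCAL_ZONES:
        # Match on a label boundary so 110.in-addr.arpa is not taken for 10.in-addr.arpa.
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def named_conf_stanzas(zone_file="db.empty"):
    """BIND zone statements; zone_file is a hypothetical zone holding only SOA and NS."""
    return ['zone "%s" { type master; file "%s"; };' % (z, zone_file) for z in LOCAL_ZONES]


def leaking_queries(qnames):
    """PTR names that fall in private reverse space and need a local zone."""
    return [q for q in qnames if covering_zone(q) is not None]


# Constructed sample of PTR query names seen at a site resolver.
SAMPLE_QUERIES = ["5.1.168.192.in-addr.arpa.", "1.0.0.10.in-addr.arpa",
                  "9.8.20.172.in-addr.arpa", "1.0.32.172.in-addr.arpa",
                  "4.3.2.110.in-addr.arpa", "8.8.8.8.in-addr.arpa"]

if __name__ == "__main__":
    print("\n".join(named_conf_stanzas()))
    for q in leaking_queries(SAMPLE_QUERIES):
        print("leaves the site unless a local zone exists:", q)
```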