[dns-operations] Reducing AS112 traffic

Matt Pounsett matt.pounsett at cira.ca
Mon Nov 19 16:57:03 UTC 2007



On 2007-Nov-19, at 10:25, Sidney Faber wrote:

> I'm really interested in your response to Paul's comment, this was
> based on
> http://ietfreport.isoc.org/idref/draft-jabley-as112-being-attacked-help-help/,
> para 7, and Joe's given an example of at least one unintended
> consequence.  Should this never be a recommendation?

I'm not sure I'd go so far as to say it should never be done, but  
anyone considering it needs to be very clear on the fact that there  
may be unintended consequences, and that they should only proceed if  
they're absolutely sure they've got everything covered (and if  
they're prepared for some things to break anyway).

I don't think one should ever say "don't ever do this," and it should  
definitely never be recommended as an easy fix to leaking DNS  
queries.  But, those are two extremes.  I think Joe's draft takes the  
correct middle ground in saying that this is something that can be  
done, while recommending caution against doing it lightly.

>    Possible measures which might be taken to prevent these queries
>    include:
>    ...
>    2.  Block reverse DNS queries to the AS112 servers from leaving the
>        site using firewalls between the site and the Internet.  Although
>        this might appear to be sensible, such a measure might have
>        unintended consequences: the inability to receive an answer to
>        reverse DNS queries might lead to long DNS lookup timeouts, for
>        example, which could cause applications to malfunction.


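Added here as an illustration, not part of the message above or of Joe's draft: before choosing between the measures in the quoted paragraph, an operator would want to know how many reverse queries the site actually leaks toward AS112. This Python snippet counts PTR queries in a BIND-style query log (the log lines are constructed samples) that fall into the reverse zones AS112 serves (RFC 1918 space and 254.169.in-addr.arpa, per RFC 6304); the log format and client addresses are assumptions.

```python
"""Count PTR queries that would be routed to AS112 in a resolver query log.

These are the 'leaking' reverse DNS queries the thread is about; measuring
them is the first step before deciding how (or whether) to block them.
"""
import re
from collections import Counter
from typing import Optional

# Reverse zones delegated to AS112 (RFC 6304), written in in-addr.arpa
# label order, i.e. with the octets reversed.
AS112_ZONES = (
    ["10.in-addr.arpa"]
    + [f"{i}.172.in-addr.arpa" for i in range(16, 32)]
    + ["168.192.in-addr.arpa", "254.169.in-addr.arpa"]
)

# Constructed sample lines in the shape of a BIND 9 query log (assumption).
SAMPLE_LOG = """\
client 192.0.2.10#53211: query: 5.1.168.192.in-addr.arpa IN PTR + (192.0.2.1)
client 192.0.2.11#40112: query: www.example.com IN A + (192.0.2.1)
client 192.0.2.12#41190: query: 7.3.20.172.in-addr.arpa IN PTR + (192.0.2.1)
client 192.0.2.13#50211: query: 9.9.9.10.in-addr.arpa IN PTR + (192.0.2.1)
client 192.0.2.14#50212: query: 1.2.0.192.in-addr.arpa IN PTR + (192.0.2.1)
client 192.0.2.15#50213: query: 1.1.40.172.in-addr.arpa IN PTR + (192.0.2.1)
"""

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def as112_zone_for(qname: str) -> Optional[str]:
    """Return the AS112 zone that contains qname, or None if there is none."""
    name = qname.rstrip(".").lower()
    for zone in AS112_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def count_as112_leaks(log_text: str) -> Counter:
    """Tally PTR queries per AS112 zone; non-PTR and other zones are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("qtype") != "PTR":
            continue
        zone = as112_zone_for(m.group("qname"))
        if zone:
            counts[zone] += 1
    return counts


if __name__ == "__main__":
    for zone, n in count_as112_leaks(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {zone}")
```

Queries for 192.0.2.0/24 (documentation space) and 172.40.0.0/16 (public space) are correctly left out of the tally, since AS112 does not serve those zones.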