[dns-operations] Reducing AS112 traffic
matt.pounsett at cira.ca
Mon Nov 19 16:57:03 UTC 2007
On 2007-Nov-19, at 10:25, Sidney Faber wrote:

> I'm really interested in your response to Paul's comment, this was
> para 7, and Joe's given an example of at least one unintended
> consequence. Should this never be a recommendation?

I'm not sure I'd go so far as to say it should never be done, but
anyone considering it needs to be very clear on the fact that there
may be unintended consequences, and that they should only proceed if
they're absolutely sure they've got everything covered (and if
they're prepared for some things to break anyway).

I don't think one should ever say "don't ever do this," and it should
definitely never be recommended as an easy fix to leaking DNS
queries. But, those are two extremes. I think Joe's draft takes the
correct middle ground in saying that this is something that can be
done, while recommending caution against doing it lightly.

> Possible measures which might be taken to prevent these queries
> 2. Block reverse DNS queries to the AS112 servers from leaving the
> site using firewalls between the site and the Internet.
> this might appear to be sensible, such a measure might have
> unintended consequences: the inability to receive an answer to
> reverse DNS queries might lead to long DNS lookup timeouts, for
> example, which could cause applications to malfunction.