[dns-operations] Reducing AS112 traffic

Peter Koch pk at DENIC.DE
Mon Nov 19 20:08:11 UTC 2007


On Mon, Nov 19, 2007 at 10:25:24AM -0500, Sidney Faber wrote:

> http://ietfreport.isoc.org/idref/draft-jabley-as112-being-attacked-help-help/,

btw, this is now a DNSOP draft and the latest version is -01
<http://tools.ietf.org/html/draft-ietf-dnsop-as112-under-attack-help-help-01>

> para 7, and Joe's given an example of at least one unintended
> consequence.  Should this never be a recommendation?
> 
>    Possible measures which might be taken to prevent these queries
>    include:
>    ...
>    2.  Block reverse DNS queries to the AS112 servers from leaving the
>        site using firewalls between the site and the Internet.  Although
>        this might appear to be sensible, such a measure might have
>        unintended consequences: the inability to receive an answer to
>        reverse DNS queries might lead to long DNS lookup timeouts, for
>        example, which could cause applications to malfunction.

This recommendation is aimed at people who either regard the DNS responses
as "attacks" or see their IDS or firewall confused, so these filters
are suggested to prevent the responses having side effects, not to avoid
"leakage".

I also doubt blocking traffic to 192.175.48.0/24 is the right way because
it doesn't really close information leaks.  You'll see that DNS search paths
also lead to disclosure of internal information as will traffic to root
name servers (for non-FQDN names) or any other auth servers.
If any of these leaks are critical, that site needs to tightly control
_any_ outbound DNS query/update traffic, not only the fraction destined
towards AS112.  AS112 isn't evil, and I'm a bit concerned that a CERT
recommendation to block traffic to AS112 would have undesired connotations.

-Peter
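
Added example, not part of the original message: a sketch that sorts a resolver's outbound queries by the kind of internal detail they disclose and by whether a filter on 192.175.48.0/24 would stop them. The log format, the sample lines, `INTERNAL_SUFFIX` and `SEARCH_SUFFIX` are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

AS112_PREFIX = ipaddress.ip_network("192.175.48.0/24")  # prefix named in the message
INTERNAL_SUFFIX = "corp.example"  # assumption: the site's internal zone
SEARCH_SUFFIX = "example.com"     # assumption: the resolver's search suffix

# Constructed sample of outbound queries: "qname qtype destination"
SAMPLE_LOG = """\
17.2.0.10.in-addr.arpa PTR 192.175.48.6
5.1.168.192.in-addr.arpa PTR 192.175.48.42
fileserver A 198.41.0.4
db1.corp.example.example.com A 192.0.2.53
www.example.org A 192.0.2.99
"""

def is_rfc1918_reverse(qname):
    """True for reverse names under 10/8, 172.16/12 or 192.168/16."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return False
    octets = labels[:-2][::-1]  # reverse names carry the octets backwards
    if not octets or not all(o.isdigit() for o in octets):
        return False
    if octets[0] == "10":
        return True
    if len(octets) < 2:
        return False
    return (octets[0] == "172" and 16 <= int(octets[1]) <= 31) or octets[:2] == ["192", "168"]

def classify(qname):
    """Name the kind of internal detail a query discloses, or None."""
    name = qname.rstrip(".").lower()
    if is_rfc1918_reverse(name):
        return "rfc1918-reverse"
    if "." not in name:
        return "single-label"  # non-FQDN name that reaches the root servers
    if name.endswith("." + SEARCH_SUFFIX):
        stem = name[: -len(SEARCH_SUFFIX) - 1]
        if stem == INTERNAL_SUFFIX or stem.endswith("." + INTERNAL_SUFFIX):
            return "search-path"  # internal name expanded with the search list
    return None

def leak_report(log):
    """Split disclosing queries by whether a filter on AS112_PREFIX stops them."""
    blocked, passed = Counter(), Counter()
    for line in log.splitlines():
        qname, _qtype, dst = line.split()
        kind = classify(qname)
        if kind:
            hit = ipaddress.ip_address(dst) in AS112_PREFIX
            (blocked if hit else passed)[kind] += 1
    return blocked, passed
```

On the constructed sample, the filter stops only the two RFC 1918 reverse lookups; the single-label and search-path queries still leave the site.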


