[dns-operations] Reducing AS112 traffic

Mark Andrews Mark_Andrews at isc.org
Mon Nov 19 21:07:58 UTC 2007


> In an effort to bring this thread to a graceful close, I'd like to
> summarize:
> 
> For an enclave to reduce AS112 traffic, they should:
> (1)  Create in-addr.arpa zones for private address space as per
> mamakos at cert.org
> (2)  Configure a local [private] AS112 node as discussed
> http://www.chagreslabs.net/jmbrown/research/as112/
> (3)  Block traffic to 192.175.48.0/24, but only do this if you've
> already done (1) or (2) and you're sure you won't impact operations.

	No.  You should only block traffic to 192.175.48.0/24 as a
	side effect of blocking *all* outbound DNS traffic from
	non-authorised sources.
 
> I know there's nothing new here, and it's exactly what was out there
> before I started asking the questions.  But I've seen a few additional
> recommendations in various places, and I've also tried to anticipate
> things sysadmins might think up on their own as possible remedies.  Now
> I have rebuttals for them.
> 
> Thanks for letting me challenge you with some off-the-wall ideas, and
> for providing observations both on and off the list.
> 
> sid
> 
> 
> 
> -- 
> Sid Faber, Member of the Technical Staff
> CERT
> Software Engineering Institute
> Carnegie Mellon University
> sfaber at cert.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
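
An added example, not part of either message above: before creating local in-addr.arpa zones as in item (1), a resolver query log can show which private reverse zones the enclave is actually leaking and which clients send those queries. The log format, sample lines and function names are constructed for this illustration; the zone list is the set of reverse zones delegated to AS112 (RFC 1918 space plus 169.254/16), which the thread does not spell out.

```python
from collections import Counter

# Reverse zones delegated to the AS112 servers (assumption: RFC 1918 space
# plus 169.254/16 link-local; the list is not given in the thread itself).
AS112_ZONES = (
    ["10.in-addr.arpa", "168.192.in-addr.arpa", "254.169.in-addr.arpa"]
    + [f"{n}.172.in-addr.arpa" for n in range(16, 32)]
)

def as112_zone(qname):
    """Return the AS112-delegated zone that contains qname, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for zone in AS112_ZONES:
        zl = zone.split(".")
        # Compare whole labels so 110.in-addr.arpa never matches 10.in-addr.arpa.
        if labels[-len(zl):] == zl:
            return zone
    return None

def leaking_queries(log_lines):
    """Count (zone, client) pairs for queries that would end up at AS112.

    Each line is 'client_ip qtype qname' (constructed format). The query type
    is not filtered: any name under these zones follows the same delegation.
    """
    hits = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = parts
        zone = as112_zone(qname)
        if zone:
            hits[(zone, client)] += 1
    return hits

def zones_to_serve_locally(hits):
    """Zones that need a local in-addr.arpa zone to stop the leak."""
    return sorted({zone for zone, _client in hits})

# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "10.1.2.3 PTR 7.2.1.10.in-addr.arpa.",
    "10.1.2.3 PTR 5.0.16.172.in-addr.arpa",
    "10.1.2.9 SOA 1.168.192.IN-ADDR.ARPA.",
    "10.1.2.9 PTR 4.3.2.110.in-addr.arpa.",   # public space, not AS112
    "10.1.2.9 PTR 1.0.32.172.in-addr.arpa.",  # 172.32/16 is outside 172.16/12
    "10.1.2.3 PTR 7.2.1.10.in-addr.arpa.",
]

if __name__ == "__main__":
    for (zone, client), n in sorted(leaking_queries(SAMPLE_LOG).items()):
        print(f"{zone:24} {client:12} {n}")
```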


