[dns-operations] Reducing AS112 traffic
Mark Andrews
Mark_Andrews at isc.org
Mon Nov 19 21:07:58 UTC 2007
> In an effort to bring this thread to a graceful close, I'd like to
> summarize:
>
> For an enclave to reduce AS112 traffic, the should:
> (1) Create in-addr.arpa zones for private address space as per
> mamakos at cert.org
> (2) Configure a local [private] AS112 node as discussed
> http://www.chagreslabs.net/jmbrown/research/as112/
> (3) Block traffic to 192.175.48.0/24, but only do this if you've
> already done (1) or (2) and you're sure you won't impact operations.
No. You should only block traffic to 192.175.48.0/24 as a
side effect of blocking *all* outbound DNS traffic from
non-authorised sources.
> I know there's nothing new here, and it's exactly what was out there
> before I started asking the questions. But I've seen a few additional
> recommendations in various places, and I've also tried to anticipate
> things sysadmins might think up on their own as possible remedies. Now
> I have rebuttals for them.
>
> Thanks for letting me challenge you with some off-the-wall ideas, and
> for providing observations both on and off the list.
>
> sid
>
>
>
> --
> Sid Faber, Member of the Technical Staff
> CERT
> Software Engineering Institute
> Carnegie Mellon University
> sfaber at cert.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the dns-operations
mailing list