[dns-operations] Does this make sense?

John Kristoff jtk at ultradns.net
Mon Oct 22 22:23:03 UTC 2007


On Sat, 20 Oct 2007 12:02:31 -0700
Michael Sinatra <michael at rancid.berkeley.edu> wrote:

> Does anyone see any other gotchas, or is this just a stupid idea?

It sounds reasonable to me also if not a bit complex.

Keep in mind that even if you were able to prohibit "external"
addresses from resolving those PTR queries on your instances and
any other admin-run caching servers, there may be cases where hosts
in your network may be resolving those names inappropriately.
For some definition of inappropriate (research, recon mapping or
simply misconfiguration). For example, any proxied DNS access to
your internal DNS servers via Tor, planet-lab, scriptroute boxes,
etc. may be get those internal-only answers.  Mostly harmless maybe,
but something to be aware of I think.

John



More information about the dns-operations mailing list