[dns-operations] ULA or Link-local IP addresses for a resolver?

John Levine johnl at taugh.com
Wed Sep 25 00:47:37 UTC 2019


In article <20190925000333.ADE8717B03EF at fafnir.remote.dragon.net> you write:
>marka> DNS servers that are expected to be reached across sites need to
>marka> be globally unique addresses which ULA and LL are not.
>
>The IP address clients use to reach the resolver doesn't have to be the
>same one that the resolver uses as source address when it queries. And
>it's not uncommon to have an externally exposed recursive resolver on
>the public side of a corporate firewall with queries from an internal
>resolver being forwarded.

Right.  My resolver has a public v6 address, a LL, and a ULA.  It
sends outgoing queries on the public address but only responds to
queries on the LL and ULA.  The ULA works great; it makes it harder for
random outsiders to try to abuse it even if the ULA leaks outside my
network.  The LL sort of works in clients with resolvers that
understand link scoping, and not at all on hosts on my other network
segment.
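Expressed as an Unbound configuration (an added example, not the poster's own config; the addresses are constructed placeholders and the option names are assumed from Unbound's documentation), the split described above looks like this:

```conf
# Added example, not from the original post. Unbound resolver that answers
# only on its ULA and link-local addresses but sends its own upstream
# queries from the globally routable address. All addresses are constructed.
server:
    # Listen on the ULA and the link-local address only; a link-local
    # address needs a zone index (assumed syntax: address%interface).
    interface: fd12:3456:789a::53
    interface: fe80::1%eth0

    # Iterative queries to the Internet leave from the public address.
    outgoing-interface: 2001:db8:1::53

    # Refuse everyone by default, then allow the local ULA prefix and
    # link-local clients; a leaked ULA still gets no answer from outside.
    access-control: ::0/0 refuse
    access-control: fd12:3456:789a::/48 allow
    access-control: fe80::/10 allow
```

Hosts on a different link cannot reach the fe80:: listener at all, which is the limitation the post notes; the ULA listener is what serves the other segment.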
