[dns-operations] Link-local IP addresses for a resolver?

Mark Andrews marka at isc.org
Wed Sep 25 00:47:47 UTC 2019

> On 25 Sep 2019, at 10:03 am, Paul Ebersman <list-dns-operations at dragon.net> wrote:
> marka> DNS servers that are expected to be reached across sites need to
> marka> be globally unique addresses which ULA and LL are not.
> The IP address clients use to reach the resolver doesn't have to be the
> same one that the resolver uses as source address when it queries. And
> it's not uncommon to have an externally exposed recursive resolver on
> the public side of a corporate firewall with queries from an internal
> resolver being forwarded.

Paul, you are missing the point.

When an *ISP* advertises a DNS server to its *customers* IT SHOULD WORK FOR
server (this is the only way LL addresses work and one of the ways to make
ULA work).  It shouldn't REQUIRE that CPEs NOT FILTER ULA sourced packets,
nor should it REQUIRE that there be a route for the ISP's ULA prefix (this is
the other way ULA addresses work).

	         ISP SITE <-> CPE <-> CUSTOMER SITE

The CPE is a SITE boundary.  It is also a Link-Local boundary.  ULA sourced
packets DO NOT cross the CPE by default if the CPE is properly configured.
Link-Local packets should NEVER cross the CPE as it is NOT A BRIDGE/SWITCH
but is a router.

It’s nothing to do with the addresses the recursive server uses to talk to the
rest of the world.

> Using ULA/LL for the clients doesn't mean it can't be used as a
> functional resolver via said forwarding/alternate address.
> Not saying I think using LL/ULA is a more secure architecture but it can
> be functional and should work on the local broadcast domain/LAN.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
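The forwarding rules Mark spells out above (a CPE is a router, so link-local never crosses it; a properly configured CPE drops ULA-sourced packets at the site boundary by default; an ISP-side ULA resolver only works if the CPE both stops filtering ULA sources and has a route to the ISP's ULA prefix) can be checked mechanically. The following is an added example written for this archive page, not code from the thread or from ISC. The `CPE` class, its `filter_ula_sources` and `isp_ula_routes` knobs, and every address and prefix used (documentation ranges and hypothetical ULA prefixes) are constructed for illustration.

```python
"""Which resolver addresses can an ISP usefully advertise to customers?

Added example modelling the ISP SITE <-> CPE <-> CUSTOMER SITE diagram.
The CPE object and all addresses/prefixes are hypothetical.
"""
import ipaddress
from dataclasses import dataclass, field

LINK_LOCAL = ipaddress.ip_network("fe80::/10")   # RFC 4291 link-local
ULA = ipaddress.ip_network("fc00::/7")           # RFC 4193 unique local


def scope(addr: str) -> str:
    """Classify an IPv6 address as link-local, ULA or global unicast."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    return "global"


@dataclass
class CPE:
    """The router at the site boundary between the ISP and the customer LAN."""
    # Addresses the CPE itself answers on the customer-facing link, e.g. if it
    # runs a DNS forwarder on fe80::1.  This is the only way a link-local
    # resolver address advertised by the ISP can work for the customer.
    lan_addresses: set = field(default_factory=set)
    # Default-on: ULA-sourced packets do not cross the site boundary.
    filter_ula_sources: bool = True
    # ULA prefixes the CPE has a route for (as strings).  None by default.
    isp_ula_routes: list = field(default_factory=list)

    def forwards(self, src: str, dst: str) -> tuple:
        """Forwarding decision for one packet crossing the CPE, with reason."""
        s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if s in LINK_LOCAL or d in LINK_LOCAL:
            return False, "link-local is never forwarded by a router"
        if s in ULA and self.filter_ula_sources:
            return False, "ULA-sourced packet filtered at site boundary"
        if d in ULA and not any(d in ipaddress.ip_network(n) for n in self.isp_ula_routes):
            return False, "no route to ULA destination"
        return True, "forwarded"


def resolver_usable(client_addr: str, resolver_addr: str, cpe: CPE) -> tuple:
    """Can a customer host at client_addr use an ISP-advertised resolver?

    Both the query (client -> resolver) and the reply (resolver -> client)
    must cross the CPE, unless the resolver address is on the customer link.
    """
    r = ipaddress.IPv6Address(resolver_addr)
    if r in {ipaddress.IPv6Address(a) for a in cpe.lan_addresses}:
        return True, "resolver answers on the customer link itself"
    ok, why = cpe.forwards(client_addr, resolver_addr)
    if not ok:
        return False, why
    ok, why = cpe.forwards(resolver_addr, client_addr)
    if not ok:
        return False, "reply " + why
    return True, why


if __name__ == "__main__":
    client = "2001:db8:1::10"               # customer host, global address
    default_cpe = CPE(lan_addresses={"fe80::1"})
    # ISP that routes its ULA prefix to the customer but still filters ULA
    routed = CPE(isp_ula_routes=["fd12:3456:789a::/48"])
    # ISP that additionally turned off ULA source filtering on the CPE
    permissive = CPE(filter_ula_sources=False, isp_ula_routes=["fd12:3456:789a::/48"])

    for label, cpe in (("default", default_cpe), ("routed", routed), ("permissive", permissive)):
        for resolver in ("fe80::1", "fe80::53", "fd12:3456:789a::53", "2001:db8:ffff::53"):
            ok, why = resolver_usable(client, resolver, cpe)
            print(f"{label:10} {scope(resolver):10} {resolver:22} {'OK ' if ok else 'NO '} {why}")
    # A ULA-addressed customer host cannot even reach a global resolver by default:
    print(resolver_usable("fd00:cafe::10", "2001:db8:ffff::53", default_cpe))
```

Run it and the only resolver address that works under the default CPE policy is the global one (and the link-local one, but only because the CPE itself answers on that address). The ISP-side ULA resolver needs both a route and the filter switched off, which is exactly the pair of requirements the post says an ISP should not impose on CPEs.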
