[122590] in North American Network Operators' Group
Re: History of 4.2.2.2. What's the story?
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Wed Feb 17 15:04:46 2010
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <!&!AAAAAAAAAAAuAAAAAAAAAKTyXRN5/+lGvU59a+P7CFMBAN6gY+ZG84BMpVQcAbDh1IQAAAATbSgAABAAAACUqDU5a27QSbUT84s99ecOAQAAAAA=@iname.com>
Date: Wed, 17 Feb 2010 15:01:12 -0500
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 16, 2010, at 11:35 PM, Frank Bulk wrote:
> Our nameservers handle both the authoritative and recursive traffic, but we
> use ACLs to restrict recursive queries to just our users.
Speaking strictly about the recursive servers (others have covered the
auth + recursive on one box thing), thank you for the ACLs. Open RNSes
are difficult to secure against being used as an amplification attack
vector.
> If I understand your second sentence correctly, then yes, our DHCP server
> hands out the DNS servers, of which one of the three is outside our own
> network.
While I am all for redundancy, and believe having authorities off-net is
useful and good, I am not sure the same holds for RNSes.
I like putting authoritative servers on multiple ASes because if my
AS[*] dies, I may have good reason to want the hostnames to still
resolve. They could very well have significance even when the AS is down
(e.g. A records pointing to addresses outside my AS, backup MX records,
etc.). But if my AS is down, my users cannot get to anything, so what
use is having a server happily working where they cannot reach it?
Especially one firewalled so only they can use it?
I cannot come up with a realistic failure mode where the user has good
connectivity to the "outside world", but multiple, geographically &
topologically disparate servers inside the AS are all unreachable. On
the other hand, I can easily come up with several failure modes where
the external RNSes are b0rk'ed, causing either your users or the rest of
the Internet harm.
In summary, could someone educate me on the benefits of having RNSes
outside your network?
-- 
TTFN,
patrick
[*] Since I Am Not An ISP, this is the hypothetical or general "my AS",
not my actual AS.
> -----Original Message-----
> From: Patrick W. Gilmore [mailto:patrick@ianai.net]
> Sent: Tuesday, February 16, 2010 9:33 PM
> To: NANOG list
> Subject: Re: History of 4.2.2.2. What's the story?
>
> On Feb 16, 2010, at 10:24 PM, Frank Bulk wrote:
>
>> We do. It's at our upstream provider, just in case we had an upstream
>> connectivity issue or some internal meltdown that prevented those in the
>> outside world to hit our (authoritative) DNS servers. Of course, that's
>> most helpful for DNS records that resolve to IPs *outside* our network.
>
> What you describe - authorities used by people off your network to resolve A
> records with IP addresses outside your network - is not what Joe was
> describing. Was the recursive name server your end users queried to
> resolve names, the IP address in their desktop's control panel, outside your
> network?
>
> I can see a small ISP using its upstream's recursive name server. But to
> the rest of the world, most small ISPs look like a part of their upstream's
> network.
>
> -- 
> TTFN,
> patrick
>
>
>> ===
>> <snip>
>>
>> For what it's worth, I have never heard of an ISP, big or small,
>> deciding to place resolvers used by their customers in someone else's
>> network. Perhaps I just need to get out more.
>>
>> Joe
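The recursion ACL Frank and Patrick discuss can be verified from outside the ACL by sending a recursion-desired query and reading the reply header. The following is an added example, not code from this thread: it builds such a query with `struct`, classifies a reply as open, refused (the ACL-deny case) or closed, and exercises the classifier on constructed sample replies; `probe()` is a hypothetical helper name for running the same check against one of your own resolvers over UDP.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000            # message is a response
RD = 0x0100            # recursion desired (set by the client)
RA = 0x0080            # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5      # returned when an allow-recursion style ACL denies the client


def build_query(qname, txid=0x1234):
    """Wire-format A/IN query for qname with RD=1 (asks for recursion)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(wire):
    """Classify a reply by its 12-byte header: 'open', 'refused' or 'closed'.

    open    - RA set, NOERROR and an answer present: the server recursed for us
    refused - RCODE=REFUSED: the ACL denied recursion, the expected outside result
    closed  - RA clear and no answer: recursion is not offered (e.g. authoritative-only)
    """
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if not (flags & QR):
        raise ValueError("not a DNS response")
    rcode = flags & RCODE_MASK
    if rcode == RCODE_REFUSED:
        return "refused"
    if (flags & RA) and rcode == 0 and ancount > 0:
        return "open"
    return "closed"


def probe(server, qname="example.com", timeout=2.0):
    """Hypothetical helper: query server:53 over UDP from outside its ACL and classify."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        return classify_response(s.recv(512))


# Constructed sample replies (header only, which is all classify_response reads)
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0)
AUTH_ONLY_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 0, 0)
```

A resolver that is ACL-restricted as Frank describes should yield "refused" when probed from an address outside the ACL and "open" only from inside it.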