nanog mailing list archives

Re: large organization nameservers sending icmp packets to dns servers.


From: "Chris L. Morrow" <christopher.morrow () verizonbusiness com>
Date: Wed, 08 Aug 2007 00:29:16 +0000 (GMT)




On Tue, 7 Aug 2007, Donald Stahl wrote:

>> As for being "incredibly stupid", well, as I have said in private, calling a
>> bunch of people rude names without even asking them why they are doing what
>> you think is so stupid is .. uh .. probably not very bright. :)  Unless, of
>> course, you want everyone else passing judgement on how you run your network
>> without asking.
> Breaking the agreed upon rules of a protocol is stupid. Period.

Actually, people break rules all the time; they do it as part of a
risk/cost/reward balance. If they decide that blocking port X but not port
Y is 'ok' for them, who are you to say beyond: "Wow, the blah blah RFC says
foo-bar, why would you do what you did?"

Some folks decide to block tcp/53 to their nameservers, some don't. It's
not stupid; it may be unwise if they don't know what complications they are
setting themselves up for... Similarly, answering a different A for each
client based on their location and your feelings about them could be
considered 'dangerous' or 'concerning' unless you understood what
complications that might induce.

> It has nothing to do with judging how one runs their network or any other
> such nonsense. The RFC's say TCP 53 is fine. If you don't want to follow

RFCs say many things; some might be unwise given your view of the world,
some may be peachy... It's all about what risk you are willing to take, or
that's what it seems like to me :)

-Chris
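Editor's note: the "complications" of filtering tcp/53 that the message alludes to but does not spell out are the truncation fallback. When an authoritative server's answer does not fit in the UDP payload, it replies with the TC bit set and the resolver retries the same query over TCP (RFC 1035, RFC 7766); if TCP/53 is dropped, that retry times out and the name fails for any large answer (DNSSEC-signed RRsets, big ANY responses, zone transfers). The following is an added example written for this page, not code from the thread or from any NANOG participant. It builds a minimal DNS query, parses the header fields a resolver acts on, shows the TCP length framing, and decides when a TCP retry is required, using a constructed truncated reply rather than traffic captured from any real server. The live probe `probe_tcp53` is a hypothetical helper for checking your own servers and only runs when you invoke it with a server and name on the command line.

```python
"""Added example: DNS truncation (TC) fallback and a TCP/53 reachability probe.

Not from the NANOG thread. The sample truncated reply below is constructed,
not captured; probe_tcp53 is a hypothetical helper for checking your own
authoritative servers and only runs when explicitly invoked.
"""
import socket
import struct

QTYPE_A = 1
QTYPE_ANY = 255
FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: answer did not fit, retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set, one question) plus the question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the header fields a resolver acts on (id, QR, TC, RCODE, counts)."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def needs_tcp_retry(udp_reply):
    """RFC 1035 / RFC 7766 rule: a truncated UDP response is retried over TCP."""
    h = parse_header(udp_reply)
    return h["qr"] and h["tc"]


def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    """Strip the length prefix and refuse a frame shorter than it claims to be."""
    if len(stream) < 2:
        raise ValueError("short TCP frame")
    (n,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + n]
    if len(body) != n:
        raise ValueError("incomplete DNS message in TCP frame")
    return body


def build_truncated_reply(query):
    """Constructed sample: the UDP reply a server sends when the answer will not
    fit. Same id and question as the query, QR|TC|RD|RA set, no answer records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA   # 0x8380
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


# Constructed sample traffic, not captured from any real nameserver.
SAMPLE_QUERY = build_query("example.com", QTYPE_ANY)
SAMPLE_TRUNCATED_REPLY = build_truncated_reply(SAMPLE_QUERY)


def probe_tcp53(server, name, timeout=3.0):
    """Hypothetical live check: can this server be queried over TCP/53 at all?
    A dropped SYN shows up as a timeout, a reject rule as a refused connection."""
    q = build_query(name, QTYPE_ANY)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(frame_for_tcp(q))
            prefix = s.recv(2)
            if len(prefix) < 2:
                return {"tcp53": "closed-by-server"}
            (n,) = struct.unpack("!H", prefix)
            body = b""
            while len(body) < n:
                chunk = s.recv(n - len(body))
                if not chunk:
                    break
                body += chunk
            return {"tcp53": "ok", "header": parse_header(unframe_tcp(prefix + body))}
    except socket.timeout:
        return {"tcp53": "filtered (timeout)"}
    except ConnectionRefusedError:
        return {"tcp53": "refused"}
    except OSError as e:
        return {"tcp53": "error: %s" % e}


if __name__ == "__main__":
    import sys
    if needs_tcp_retry(SAMPLE_TRUNCATED_REPLY):
        print("constructed UDP reply has TC=1: a resolver would now retry over TCP/53")
    if len(sys.argv) == 3:
        print(probe_tcp53(sys.argv[1], sys.argv[2]))
```

Run it with no arguments to see the offline TC-bit decision; run it as `python3 tc_probe.py <server-ip> <name>` (assumed filename) against one of your own authoritative servers to see whether TCP/53 is reachable. A "filtered (timeout)" result is what resolvers hit after every truncated UDP answer, which is the cost side of the risk/cost/reward balance the message describes.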

