nanog mailing list archives
Re: large organization nameservers sending icmp packets to dns servers.
From: Owen DeLong <owen () delong com>
Date: Mon, 6 Aug 2007 09:46:25 -0700
On Aug 6, 2007, at 9:13 AM, Leigh Porter wrote:
But why would they care where the nameserver is? Point 2 would seem to be a little stupid a thing to assume. Also, what happens if, at that moment, the ICMP packet is stuck in a queue for a few ms making the shortest route longer?
While point 2 is a bad assertion if you depend completely upon it, it's not necessarily a bad starting point if you have no other data to go on.

1. 90+% of resolvers are topologically proximate to either the requestor, or, the requestor's NAT box that you will have to talk to anyway.

2. At the GLB level, you really don't have any data other than the IP address of the resolver upon which to base your GLB decision. Since you'll be right 90+% of the time, and, only sub-optimal, not broken the other <10% of the time, it generally works OK.

3. When I worked for Netli, before they were acquired in what I would call a much less than ethical transaction, we maintained an exception table for cases where we learned that the DNS resolver was not topologically proximate to the requestors that flowed through it. We also spent a fair amount of time explaining the benefits of having the resolver be topologically proximate to our customers and their customers.

The Netli system was designed to be quite gentle in the amount of probing it did, but, we did occasionally get messages from people with paranoid IDS boxes. Usually, once we explained that our efforts were directed at improving the quality of service to their users, and how the system worked and how little traffic we sent their way to accomplish this, they were happy to reconfigure their alarm preferences.

I don't have first-hand knowledge of anyone else's use of these kinds of ICMP probes, but, I would say that generally, they are somewhat useful and mostly harmless.

Owen