nanog mailing list archives

Re: large organization nameservers sending icmp packets to dns servers.


From: Owen DeLong <owen () delong com>
Date: Mon, 6 Aug 2007 09:46:25 -0700



On Aug 6, 2007, at 9:13 AM, Leigh Porter wrote:



> But why would they care where the nameserver is? Point 2 would seem to
> be a little stupid a thing to assume. Also, what happens if, at that
> moment, the ICMP packet is stuck in a queue for a few ms making the
> shortest route longer?

While point 2 is a bad assertion if you depend completely upon it, it's
not necessarily a bad starting point if you have no other data to go on.

1.      90+% of resolvers are topologically proximate to either the
        requestor, or, the requestor's NAT box that you will have to
        talk to anyway.

2.      At the GLB level, you really don't have any data other than the
        IP address of the resolver upon which to base your GLB decision.
        Since you'll be right 90+% of the time, and, only sub-optimal,
        not broken the other <10% of the time, it generally works OK.

3.      When I worked for Netli, before they were acquired in what I would
        call a much less than ethical transaction, we maintained an
        exception table for cases where we learned that the DNS
        resolver was not topologically proximate to the requestors
        that flowed through it.  We also spent a fair amount of time
        explaining the benefits of having the resolver be topologically
        proximate to our customers and their customers.

The Netli system was designed to be quite gentle in the amount of
probing it did, but, we did occasionally get messages from people
with paranoid IDS boxes.  Usually, once we explained that our
efforts were directed at improving the quality of service to their
users, and how the system worked and how little traffic we sent
their way to accomplish this, they were happy to reconfigure their
alarm preferences.

I don't have first-hand knowledge of anyone else's use of these
kinds of ICMP probes, but, I would say that generally, they are
somewhat useful and mostly harmless.

Owen
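
The alarm-tuning question raised in the message above, as an added example that is not part of the original post or of any system it describes: a small classifier that separates low-rate ICMP echo probes aimed only at a DNS resolver from a fast sweep across many hosts. The addresses, log tuples and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (unix_time, source_ip, dest_ip) for ICMP echo requests.
# 203.0.113.10 probes only the resolver, once every 15 minutes;
# 203.0.113.99 walks 40 addresses in 40 seconds.
RESOLVERS = {"192.0.2.53"}
EVENTS = (
    [(t, "203.0.113.10", "192.0.2.53") for t in (0, 900, 1800, 2700)]
    + [(100 + i, "203.0.113.99", f"192.0.2.{i}") for i in range(1, 41)]
)

# Assumed tuning values, not taken from the thread.
WINDOW_S = 60         # sliding window length in seconds
MAX_PER_WINDOW = 10   # echo requests allowed per source per window
MAX_TARGETS = 5       # distinct destinations allowed per source per window

def classify(events, resolvers=RESOLVERS):
    """Return {source: 'alert' | 'resolver-probe' | 'low-rate'}."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        by_src[src].append((ts, dst))
    verdicts = {}
    for src, hits in by_src.items():
        noisy = False
        start = 0
        for end, (ts, _) in enumerate(hits):
            # Shrink the window until it spans at most WINDOW_S seconds.
            while ts - hits[start][0] > WINDOW_S:
                start += 1
            window = hits[start:end + 1]
            targets = {dst for _, dst in window}
            if len(window) > MAX_PER_WINDOW or len(targets) > MAX_TARGETS:
                noisy = True
                break
        if noisy:
            verdicts[src] = "alert"
        elif all(dst in resolvers for _, dst in hits):
            # Quiet and resolver-only: consistent with latency probing.
            verdicts[src] = "resolver-probe"
        else:
            verdicts[src] = "low-rate"
    return verdicts

if __name__ == "__main__":
    for source, verdict in classify(EVENTS).items():
        print(source, verdict)
```
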



