Re: large organization nameservers sending icmp packets to dns servers.

[Sean Donelan <sean () donelan com>]

On Mon, 6 Aug 2007, Drew Weaver wrote:
> Is it a fairly normal practice for large companies such as Yahoo! And 
> Mozilla to send icmp/ping packets to DNS servers? If so, why? And a 
> related question would be from a service provider standpoint is there 
> any reason to deny ICMP/PING packets to name servers within your 
> organization?

They use ICMP/Echo Request to calculate a rough surrogate latency estimate 
for potential users of that caching DNS server so they can return 
different DNS answers depending on your network topology.  Yes its an 
approximation, and can be wrong.  Some networks even re-route ICMP/Echo to 
a completely different box which just responsed to pings; so it may not
even go to the same place.  Given all those caveats, many times its still 
the best guess you can make.

ICMP/ECHO is a separate protocol which is easy to filter if you want to, 
without affecting "normal" TCP/UDP/etc packets. But then expect to get 
"worse" default DNS answers from those same sites attempting to optimize 
their DNS answers.

It would be cool if people ran NTP port 123 on their DNS servers, 
and then we could get extreme measurements.  But then I'm sure someone 
would point out 62 flaws with that.  In the end, its up to each 
network operator to make its own decision.  If your DNS servers aren't
being negatively impacted, and it helps your users get better answers,
you might keep it.  If the answers are reversed, you might drop them.

My IDS is badly tuned.... Well maybe there is a fix for that.