large organization nameservers sending icmp packets to dns servers.
Simon Waters
simonw at zynet.net
Mon Aug 6 16:00:24 UTC 2007
On Monday 06 August 2007 16:53, Drew Weaver wrote:
> Is it a fairly normal practice for large companies such as Yahoo!
> and Mozilla to send ICMP/ping packets to DNS servers? If so, why?
Some of the DNS load balancing schemes do this, I assume to work out how far
away your server is so they can give geographically relevant answers. If you
are geographically close to your recursive name server, it might even work.
> And a related question would be: from a service provider standpoint, is
> there any reason to deny ICMP/ping packets to name servers within your
> organization?
I tend to favour filtering some types of ICMP packets and not others; the
packets required for ping hold little fear for me (and are kind of useful),
but YMMV.
My ICMP filtering experience is not DNS specific. You might be able to do
better with DNS-server-specific rules, but that is too much like
micromanagement for me; others may know a lot more on this.
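
One way to express "filter some ICMP types and not others" on a Linux name server, as an added nftables example that is not part of the original message. The table name, the rate limit and the choice of which types to accept are assumptions for illustration, and the ruleset covers IPv4 only.

```nftables
# Added illustration; not from the original message.
# Assumed: table name "ns_icmp", the 10/second ping limit, and the accept list.

table ip ns_icmp {
    chain input {
        type filter hook input priority 0; policy accept;

        # Ping: useful for diagnostics (and for remote load balancers'
        # distance probes), so accept it but cap the rate.
        icmp type echo-request limit rate 10/second burst 20 packets accept
        icmp type echo-request counter drop

        # Replies to our own pings, plus error messages tied to existing flows.
        # destination-unreachable carries "fragmentation needed" (path MTU
        # discovery); time-exceeded is what traceroute relies on.
        icmp type { echo-reply, destination-unreachable, time-exceeded, parameter-problem } accept

        # Everything else (redirect, timestamp, address-mask, router
        # advertisement/solicitation, ...) is dropped and counted.
        ip protocol icmp counter drop
    }
}
```

Load the file with `nft -f` and read the drop counters with `nft list table ip ns_icmp` to see how much traffic each rule is actually catching.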