large organization nameservers sending icmp packets to dns servers.

Simon Waters simonw at
Mon Aug 6 16:00:24 UTC 2007

On Monday 06 August 2007 16:53, Drew Weaver wrote:
>         Is it a fairly normal practice for large companies such as Yahoo!
> And Mozilla to send icmp/ping packets to DNS servers? If so, why? 

Some of the DNS load balancing schemes do this, I assume to work out how far 
away your server is so they can give geographically relevant answers. If you 
are geographically close to your recursive name server, it might even work.

> And a 
> related question would be from a service provider standpoint is there any
> reason to deny ICMP/PING packets to name servers within your organization?

I tend to favour filtering some types of ICMP packets and not others, the 
packets required for ping hold little fear for me (and are kind of useful), 
but YMMV. 

My ICMP filtering experience is not DNS specific, you might be able to do 
better with DNS server specific rule, but that is too much like 
micromanagement for me, others may know a lot more on this.

More information about the NANOG mailing list