large organization nameservers sending icmp packets to dns servers.

Steven M. Bellovin smb at
Mon Aug 6 16:13:03 UTC 2007

On Mon, 06 Aug 2007 11:57:08 -0400
Valdis.Kletnieks at wrote:

> On Mon, 06 Aug 2007 11:53:15 EDT, Drew Weaver said:
> > Is it a fairly normal practice for large companies such as Yahoo!
> > And Mozilla to send icmp/ping packets to DNS servers? If so, why?
> Sounds like one of the global-scale load balancers - when you do a
> (presumably) recursive DNS lookup of one of their hosts, they'll ping
> the nameserver from several locations and see which one gets an
> answer the fastest.
> Yes, it's a semi-borkken strategy, because it assumes that:
> 1) ICMP is handled at the same rate as TCP/UDP packets in all the
> routers involved (so there's no danger of declaring a path "slow"
> when it really isn't, just becase a router slow-pathed ICMP).

This is aimed at hosts, not routers, right?  As far as I know, routers
don't slow-path forwarded ICMP.  Hosts will probably reply to ICMP from
their kernel, so it's a faster response than a user-level DNS reply.
> 2) That the actual requester of service is reasonably near net-wise
> to the server handling the end-user's recursive DNS lookup.

Right.  But there's no particular reason to block it, unless the rate
is high enough that it's causing you CPU or network load problems.  (If
it's your IDS that's getting overloaded, perhaps tell it not to worry
unless you see other load issues...)

		--Steve Bellovin,

More information about the NANOG mailing list