large organization nameservers sending icmp packets to dns servers.
Owen DeLong
owen at delong.com
Mon Aug 6 16:46:25 UTC 2007
On Aug 6, 2007, at 9:13 AM, Leigh Porter wrote:
>
>
> But why would they care where the nameserver is? Point 2 would seem to
> be a little stupid a thing to assume. Also, what happens if, at that
> moment, the ICMP packet is stuck in a queue for a few ms making the
> shortest route longer.
>
While point 2 is a bad assertion if you depend completely upon it, it's
not necessarily a bad starting point if you have no other data to go on.
1. 90+% of resolvers are topologically proximate to either the
requestor, or, the requestor's NAT box that you will have to
talk to anyway.
2. At the GLB level, you really don't have any data other than the
IP address of the resolver upon which to base your GLB decision.
Since you'll be right 90+% of the time, and, only sub-optimal,
not broken the other <10% of the time, it generally works OK.
3. When I worked for Netli, before they were acquired in what I would
call a much less than ethical transaction, we maintained an
exception table for cases where we learned that the DNS
resolver was not topologically proximate to the requestors
that flowed through it. We also spent a fair amount of time
explaining the benefits of having the resolver be topologically
proximate to our customers and their customers.
The Netli system was designed to be quite gentle in the amount of
probing it did, but, we did occasionally get messages from people
with paranoid IDS boxes. Usually, once we explained that our
efforts were directed at improving the quality of service to their
users, and how the system worked and how little traffic we sent
their way to accomplish this, they were happy to reconfigure their
alarm preferences.
I don't have first-hand knowledge of anyone else's use of these
kinds of ICMP probes, but, I would say that generally, they are
somewhat useful and mostly harmless.
Owen
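The decision logic the post describes (resolver IP as the only input, probe results for the usual case, an exception table for resolvers known not to sit near their clients), as an added example that is not Netli's code or anything from the thread; the prefixes, POP names and RTT values are constructed.

```python
"""Toy GLB site selection: pick a POP for a DNS query using only the
resolver's IP. Added example, not Netli's code; all addresses, POP names
and RTTs below are constructed."""
import ipaddress

# Constructed probe results: RTT in ms from each POP to each resolver
# prefix. In the system the post describes these would come from light
# ICMP probing; here they are hard-coded.
PROBE_RTT_MS = {
    "198.51.100.0/24": {"sjc": 4.0, "iad": 70.0, "ams": 150.0},
    "203.0.113.0/24": {"sjc": 160.0, "iad": 90.0, "ams": 6.0},
}

# Constructed exception table (point 3 in the post): resolver prefixes
# whose clients are somewhere else. Value = POP to use regardless of
# what the probes say about the resolver itself.
EXCEPTIONS = {
    "203.0.113.0/24": "iad",  # hypothetical: resolver in Europe, clients on the US east coast
}

DEFAULT_POP = "iad"  # used when there is no probe data for the resolver


def _lookup(table, resolver_ip):
    """Return the value for the most specific prefix containing
    resolver_ip, or None if no prefix matches."""
    ip = ipaddress.ip_address(resolver_ip)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


def choose_pop(resolver_ip, rtt_table=PROBE_RTT_MS, exceptions=EXCEPTIONS):
    """GLB decision order: exception table, then lowest probed RTT,
    then the default POP. Returns (pop, reason)."""
    override = _lookup(exceptions, resolver_ip)
    if override is not None:
        return override, "exception-table"
    rtts = _lookup(rtt_table, resolver_ip)
    if rtts:
        return min(rtts, key=rtts.get), "probe-rtt"
    return DEFAULT_POP, "default"


if __name__ == "__main__":
    for resolver in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(resolver, choose_pop(resolver))
```

The second resolver shows the override: its probes point at ams, but the exception table sends its clients to iad, which is the sub-optimal-but-not-broken case the post describes.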