[CentOS] DNS forwarding vs recursion

Mon Apr 1 19:11:08 UTC 2013
Michael H. Warfield <mhw at WittsEnd.com>

On Mon, 2013-04-01 at 11:17 -0700, John R Pierce wrote:
> On 4/1/2013 6:11 AM, Michael H. Warfield wrote:
> > it's also very important to implement BCP (Best Common Practice) 38.
> > BCP 38 recommends router egress filtering.  That is, you only route out
> > what will route back in.  That prevents you (or any of your customers)
> > from being a spoofing source.

> of course, this breaks a bunch of types of ad-hoc multihoming, where you 
> have multiple ISPs, each with their own subnets, and you're trying to 
> load balance your outbound traffic.

It doesn't have to and it's just as easy to argue that stateful
firewalls also break such configurations (they do).  It is possible to
interface your load leveling and dynamic routing into your filter if
it's done properly.  The point there is that you have to do it properly
up front.  Once it's done, it should require little maintenance.
Unfortunately, if you have to go back into an established architecture
and retrofit one in, that can be a difficult and time consuming
prospect, especially if you didn't design the network to begin with.

If you're dealing with multihoming and multiple ISPs then you should be
talking BGP (or IS-IS) to your ISPs (I have my own ASN and advertise my
own routes on IPv4 and IPv6 but you can use private ASNs and many ISPs
will cooperate if you have the address space to advertise) and it should
all be integrated.

If you are trying to do ad-hoc mutihoming without using BGP or IS-IS to
manage the routing to your ISPs, then I have no sympathy for you.
That's just inviting a never ending stream of self-inflicted trouble and
grief when routing breaks (been there, done that, not pretty).  Being
abused for DNS amplification attacks is the least of your problems then.
Once we had multiple connections to the same ISP (redundant fiber links
running in different directions out the street outside of our building)
we were running BGP to manage it.

But I also understand that in many large organizations (particularly
ones who are NOT ISPs and their primary business is not networking) much
of the IT staff is even more terrified of BGP than they are DNS and
probably for good reasons.

That's a statement from personal experience.  Years ago, I asked for a
"read-only BGP" feed from our IT department way back then (10 or 15
years ago) and got a "not no - hell no - are you insane?" answer.  Their
reasoning was that they trusted me (as if they had a choice) but they
didn't trust all of their mainline minions (err, staff) to stick their
fingers in those routers.  BGP is so critical to those who rely on it
(especially if you are multihomed) that, if someone makes even a minor
mistake, it can disasterously disconnect you from the net or worse.
Unfortunately, even worse than DNS, once it's working people
(management) want you to LEAVE IT ALONE lest you beak it.  So, most IT
people are even less familiar with BGP than DNS and plenty are scared
shitless about breaking DNS.

DNS itself can be just as bad.  Simple mistakes can be amplified and
obfuscated.  Just ask Microsoft.  They got dropped off the net for days
several years ago after someone misconfigured a firewall so their slaves
couldn't talk to their master and the TTL (Time To Live) expired several
hours after the guilty party was off duty and had gone home.  On top of
that, they had all their public name servers on the same subnet
(violation of several BCPs going back decades) compounding the problem
AND opening them up to a DOS against the router leading into that
subnet.

We (IETF, IEEE, ACM, etc al) can publish and update BCPs but it doesn't
mean people will follow them.  It does mean that we can say "we told you
not to do that..." after it breaks.  You pays your nickel and you takes
your chance.  :-/

> -- 
> john r pierce                                      37N 122W
> somewhere on the middle of the left coast

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos/attachments/20130401/4232fedf/attachment-0005.sig>