nanog mailing list archives
Re: Industry best practices (was Re: large organization nameservers
From: Sean Donelan <sean () donelan com>
Date: Sat, 11 Aug 2007 21:04:32 -0400 (EDT)
Followups probably should go to the dnsops mailing list.
I got tired of things and went back to the original question, and put together my list of the "minimum" packets needed for full DNS performance on the modern Internet.
It is the minimum, based on the security principle deny everything, allow only what is needed. But "needed" is performance based. So it means not relying on fallbacks, timeouts or hoping no one complains. It does not include packets needed for diagnostic or troubleshooting information. It is based on the "modern" Internet so does not include very deprecated packets like Source Quench or unimplemented functions like broadcast DNS queries.
It does include current Internet practices for EDNS, Notify, global DNS load balancers and error handling I've seen in recent, i.e. less than 10 years old, DNS, Router and OS software.
I didn't include TOS/DSCP and some military options, mainly because I'm not sure what "modern" military networks are currently using. If you are using TOS/DSCP or military options, there are some things you will need to add.
<http://www.donelan.com/dnsacl.html> <http://www.donelan.com/dnsacl-min-cisco.html>