Blackhole DNS

Nate Campi nate at wired.com
Thu Feb 21 23:05:33 UTC 2002


On Thu, Feb 21, 2002 at 02:27:48PM -0800, Nate Campi wrote:
> 
> Backbone routers should/would/will not route RFC1918 IPs so if you don't
> have any local IPs like that, a server should never see them, and not
> need to resolve them.

Len pointed out that the actual backbone routers are too close to
capacity to apply ACLs to the packets.

My local router jockey tells me that: 

"Most ACL's need to be done at the distribution layer or edge devices. 
This is because the backbone equipment of today like the Cisco 12000 
and stuff is so close to wire speed that it nearly falls over when you
introduce an ACL because every packet then has to go through the CPU.
Blocking 1918 addresses is easily done with route filters as well, 
instead of acls. This could be done at the backbone in the BGP config."

My original statement that public servers should not see RFC1918 IPs
still applies; the question is simply where/how/when the
filtering/blocking of said IPs is done.

Thanks Len.
-- 
Nate Campi     Job: hostmaster at lycos.com and root at wired.com

"ASCII stupid question, get a stupid ANSI !" 
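The thread's point is that RFC1918 space should be filtered before it reaches a public server, whether by an edge ACL or a BGP route filter, and that a public server should therefore never see such addresses. The following is an added example, not code from the original post or from anyone quoted in it: it implements the RFC1918 membership test that such a filter relies on, applies it as a route-filter analogue to a list of prefixes, and then runs the same test over a few constructed query-log lines to flag queries a public nameserver should not be seeing (queries from private source addresses, and lookups under the RFC1918 reverse zones). The log line format is an assumption modelled on BIND's query log; the sample lines and addresses are constructed.

```python
import ipaddress
import re

# RFC1918 private address space. A public nameserver should not see these as
# query sources, and reverse lookups for them should be answered locally
# (a "blackhole" zone) rather than forwarded to the Internet.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr_or_prefix):
    """True if the IPv4 address or prefix lies entirely inside RFC1918 space."""
    net = ipaddress.ip_network(addr_or_prefix, strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(private) for private in RFC1918)


def filter_prefixes(prefixes):
    """Route-filter analogue: drop RFC1918 prefixes, keep everything else."""
    return [p for p in prefixes if not is_rfc1918(p)]


def reverse_name_to_prefix(name):
    """Map an in-addr.arpa name to the prefix it covers, e.g.
    '5.1.168.192.in-addr.arpa' -> '192.168.1.5/32' and
    '10.in-addr.arpa' -> '10.0.0.0/8'. Returns None for non-reverse names."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2]
    if not 1 <= len(octets) <= 4:
        return None
    if not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    padded = list(reversed(octets)) + ["0"] * (4 - len(octets))
    return ".".join(padded) + "/" + str(8 * len(octets))


# Assumed query-log line shape (modelled on BIND's querylog output):
#   client 192.0.2.1#53124: query: www.example.com IN A +
QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def flag_private_queries(lines):
    """Return (kind, source, name) for each query involving RFC1918 space."""
    findings = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        src, name = m.group("src"), m.group("name")
        if is_rfc1918(src):
            findings.append(("private-source", src, name))
        prefix = reverse_name_to_prefix(name)
        if prefix and is_rfc1918(prefix):
            findings.append(("private-reverse", src, name))
    return findings


# Constructed sample log lines (documentation-range public addresses).
SAMPLE_LOG = [
    "client 203.0.113.7#41002: query: www.example.com IN A +",
    "client 192.168.1.5#53124: query: www.example.com IN A +",
    "client 203.0.113.9#40311: query: 3.2.1.10.in-addr.arpa IN PTR +",
    "client 198.51.100.4#40001: query: 10.in-addr.arpa IN SOA +",
    "client 198.51.100.4#40002: query: 100.51.198.in-addr.arpa IN PTR +",
]

if __name__ == "__main__":
    print(filter_prefixes(["10.0.0.0/8", "203.0.113.0/24", "192.168.0.0/16"]))
    for finding in flag_private_queries(SAMPLE_LOG):
        print(finding)
```

Partial reverse names are mapped to the prefix they cover, so a query for `10.in-addr.arpa` itself is flagged while `172.in-addr.arpa` is not, since only part of 172/8 is private. Running the scan over a real query log would show where on the path the filtering the thread argues about is actually missing.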