Re: [DNSOP] Re: Last Call: draft-ietf-dnsop-reflectors-are-evil (Preventing Use of Recursive Nameservers in Reflector Attacks) to BCP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 12:04 PM -0400 9/28/07, Joe Abley wrote:
On 28-Sep-2007, at 1136, Paul Hoffman wrote:

It is not "obvious", at least to some of the people I have spoken with. It is also not obvious to VPN vendors; otherwise, they would have easy-to-use settings to make it happen.

I'm surprised by that comment.

I think it's a common use case that organisations who deploy VPNs have split DNS; that is, namespaces available through internal network resolvers that do not appear in the global namespace. In my experience, it is normal for:

- VPN client software to use IP addresses rather than names to establish a secure tunnel with the home network - Local resolver settings on the VPN client's machine to be re-written to use internal home network nameservers while the VPN session is active

That's completely true for remote users who are already using a VPN. In that case, there is no reason for the organization to have a recursive resolver facing outwards.

What was being discussed was setting up a VPN just for getting DNS resolution, not for access to other internal resources. IPsec can be used to create a tunnel to just a single resource if the organization wants the external user to access that resource only.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]