Re: [DNSOP] Re: Last Call: draft-ietf-dnsop-reflectors-are-evil (Preventing Use of Recursive Nameservers in Reflector Attacks) to BCP

On Fri, 28 Sep 2007, Joe Abley wrote:

> I'm surprised by that comment.
>
> I think it's a common use case that organisations who deploy VPNs have split
> DNS; that is, namespaces available through internal network resolvers that do
> not appear in the global namespace. In my experience, it is normal for:
>
> - VPN client software to use IP addresses rather than names to establish a
> secure tunnel with the home network

If you are a worldwide organisation, you want to connect to the nearest
VPN point, and not your "home VPN point". This is done by customising
DNS answers (e.g. BIND views or Akamai-like setups). The last thing I want
is for my Dutch branch to connect me to the company VPN in The Netherlands
when I'm in the US, crossing the Atlantic twice.

You only start to use the internal company DNS server after you have
connected to the VPN - if only to resolve internal-network-only machines.

Paul
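
The two mechanisms Paul describes (source-address-dependent answers for the public VPN name, and an internal-only namespace that is reachable after the tunnel is up) can both be expressed with BIND views. The following configuration is an added illustration, not part of the thread or of the draft under discussion; the zone name, file paths and ACL names are constructed, and the addresses are RFC 5737 documentation ranges standing in for real resolver and server ranges. The public views answer authoritatively only, so the server cannot be turned into an open recursive reflector, which is the point of the draft being discussed.

```conf
// named.conf excerpt (constructed example; all addresses are RFC 5737 documentation ranges)

// Source-address classes. Matching the querying resolver's address is the
// mechanism behind the "nearest VPN point" behaviour described above.
acl corp_internal  { 10.0.0.0/8; 192.168.0.0/16; };   // placeholder: reached only over the tunnel
acl europe_clients { 192.0.2.0/24; };                 // placeholder: European resolver ranges

// Internal view: only reachable once the VPN tunnel is up. Recursion is
// offered here, and only to the internal address space.
view "internal" {
    match-clients   { corp_internal; };
    recursion       yes;
    allow-recursion { corp_internal; };
    zone "example.com" { type master; file "zones/db.example.com.internal"; };
};

// Public views: authoritative answers only. "recursion no" means a query
// for a name this server is not authoritative for is refused instead of
// being resolved and relayed to a spoofed victim address.
view "europe" {
    match-clients { europe_clients; };
    recursion     no;
    zone "example.com" { type master; file "zones/db.example.com.eu"; };
};

view "default" {
    match-clients { any; };
    recursion     no;
    zone "example.com" { type master; file "zones/db.example.com.us"; };
};

// --- zones/db.example.com.eu (constructed): vpn points at the European endpoint
$TTL 300
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2007092801 3600 900 604800 300 )
     IN NS  ns1.example.com.
ns1  IN A   203.0.113.53
vpn  IN A   198.51.100.10

// --- zones/db.example.com.us (constructed): same name, US endpoint
$TTL 300
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2007092801 3600 900 604800 300 )
     IN NS  ns1.example.com.
ns1  IN A   203.0.113.53
vpn  IN A   203.0.113.10

// --- zones/db.example.com.internal (constructed): names that exist only after connecting
$TTL 300
@        IN SOA ns1.example.com. hostmaster.example.com. ( 2007092801 3600 900 604800 300 )
         IN NS  ns1.example.com.
ns1      IN A   10.0.0.53
vpn      IN A   10.0.0.10
intranet IN A   10.0.1.20
```

The VPN client resolves `vpn.example.com` through whatever public resolver it has before the tunnel exists, so the answer it gets is selected by that resolver's source address; the `intranet` name is visible only through the internal view. To confirm the public views are not usable as reflectors, query the server from an address outside `corp_internal` for a name it is not authoritative for (for example `dig @ns1.example.com www.example.net`): the expected result is a REFUSED status with no answer section, not a resolved answer.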

_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.