[AusNOG] urlscan.io
Mark Delany
g2x at juliet.emu.st
Sat Jun 17 12:44:28 EST 2017
> >> DNS does not provide the sort of intelligence necessary to direct
> >> requests to the most appropriate server
> > Huh? A DNS can be as intelligent as it wants to be.
> +1. For example, EDNS =
> <https://ripe67.ripe.net/presentations/206-L-dnswg-Streibelt-ClientIP.pdf>
Certainly edns client-subnet improves accuracy for multi-region ISPs
and clients which use public resolvers. But really that's just a
better input into the intelligent answer generation process of an
auth.
Unfortunately support is not wide-spread and the most popular open
resolvers (namely google and opendns) require whitelisting before they
will present the option to auths. That's a bit of a hurdle.
One complaint I hear from ISPs is that client-subnet puts a lot more
memory pressure on their caches - which makes sense. And of course
there are very few cache implementations anyway, either open source or
commercial. For both reasons, resolver-side support is not very
wide-spread yet.
So, all in all client-subnet is useful, but higher adoption would be
nice.
Going a little OT, one of the more intriguing aspects of client-subnet
is that it help DNS queries go dark. What with DNS over HTTPS, google
already running a public resolver and Apple announcing a DNS provider
framework in iOS11, it's not beyond imagination that the major mobile
OSes might well support tunnelling DNS queries to a "trusted" resolver
in the not-to-distant future and leave local ISPs and meddling
governments out of the loop.
In this content, client-subnet lets GSLB perform accurately even when
the query is issued from a possibly distant resolver. Otherwise,
tunnelling queries can have way sub-optimal results when interacting
with GSLBs.
As an aside, a more recent reference is https://tools.ietf.org/html/rfc7871
Mark.
More information about the AusNOG
mailing list