I'm not sure I understand this thinking precisely - if Joe Employee has a problem accessing Acme's resources (the bookmarked web page) isn't he likely to seek support from Acme? Even if said attempted access happens from home or a coffee shop, we all know that IT departments wind-up supporting, um, a variety of use scenarios. :-)
I think in your example: 1). Joe will get a 127/8 back and thus probably a connection refused or timeout error at the application layer. 2). Importantly, his traffic will have never left his host, so it almost certainly won't be exposed to sniffing at the open coffee shop wifi or his compromised home router. 3). Importantly, he will have been protected from someone "else" sending him something "else" back in response to his DNS query. 4). Since he's trying to access an Acme employee site, he'll probably call Jane over in IT, who will troubleshoot from there. The error and keeping the traffic on loopback are examples of "failing closed" which is the type of conservatism we wanted to achieve. Of course Joe's query into .home from the coffee shop would never have worked, but this adds a period of safety and determinism that doesn't otherwise exist. And it helps Jane troubleshoot. Does that make sense? Thx, Jeff On 1/10/14 6:26 AM, "Ray Bellis" <[email protected]> wrote: > >On 10 Jan 2014, at 11:28, Stephane Bortzmeyer <[email protected]> wrote: > >> I suspect that, in many cases, the leak comes from systems which are >> not under the direct control of the system administrator. >> >> 1) Jane Sysadmin, who works for Acme Corp, decides (wrongly) to use >> .HOME for the local pseudo-TLD of Acme >> >> 2) Employees of Acme Corp stores bookmarks in their Web browser, some >> bookmarks include ".home/", for instance http://corpinfo.home/ >> >> 3) Joe Employee goes back home with his laptop or pad and selects the >> wrong bookmark. Bang! A DNS request for corpinfo.home is done (and >> elicits a 127.0.53.53 response to the poor Joe). But Jane Sysadmin >> will never see it or heard about it. Even the NSA, monitoring the root >> name servers, will not know that it is related to Acme. > >That's exactly my theory for many of the bad queries to the root, too. > >The other source isn't just bookmarks but links exchanged by email with >references to internal URLs. It happens here, where we often see links >with local (unqualified) hostnames instead of FQDNs. > >Ray > >_______________________________________________ >dns-operations mailing list >[email protected] >https://lists.dns-oarc.net/mailman/listinfo/dns-operations >dns-jobs mailing list >https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
