On 25/02/2014, at 17:55, Roland Dobbins
> Transparently redirecting DNS or NTP is hostile & unethical, if not actionable. Setting up policies so that customers must by default use your recursive DNS & NTP setups makes perfect sense, as long as those policies are made clear & as long as 'advanced' customers can opt out.
I assume you mean non-notified transparent redirection. Hostile and unethical are interesting terms to use if customers are informed of the behaviour.

Depending on one's customer base, the vast majority of users are likely far more interested in "Can I get a correct answer to DNS questions?" and "Can I sync my clocks to something that looks like the correct time?" than "Can I get an answer from DNS/NTP servers of my choice?" An opt-out policy of "You must use my recursive DNS and NTP infrastructure" (presumably enforced by packet filters) will almost certainly result in more support calls from such a customer base than transparently redirecting the same traffic to (supposedly) known-good servers. That is to say, a filter-enforced policy combined with transparent redirection may make more sense than a filter-enforced policy alone. Doing either without the opt-out component is not something I'd consider a good idea, but as they say, your network, your rules.

I did overhear someone mention that transparent snaffling of packets on a network run by a company called End2End was somewhat amusing, though :p

Cheers
-Mike