On 18/10/12 13:54, Simon Lyall wrote:
> On Wed, 17 Oct 2012, Don Stokes wrote:
>> If they properly separated their authoritative name service from their caching forwarders, this wouldn't be a problem.
>
> Last discussed 6 months ago...
> http://list.waikato.ac.nz/pipermail/nznog/2012-March/018981.html

Yep, and if they're still doing it, they're still clueless fracking idiots.

The same principle actually applies to mail servers too (assuming Pete Mundy's assessment of the problem is correct, which is highly likely). You should have separate inbound and outbound mail servers. The inbound servers should handle all mail (and filter it) and only handle mail from random outside senders to known internal users (no relaying of any sort except as explicitly configured). The outbound servers should be the opposite; they relay mail from known internal users only, deal with local abuse (a different problem set to handling external abuse), and have no knowledge whatsoever about the destinations. They "ask the Internet." No "short-cutting" between the outbound service and the inbound service.

If you do that, stale configuration stops being a (major) problem. A bunch of other problems (especially around abuse filtering) go away too.

-- don
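One concrete way to build the inbound/outbound split Don describes, as an added example that is not from the thread (no poster names an MTA): two Postfix main.cf fragments, assuming the domain example.net, an inbound MX, and an outbound relay serving an internal network of 192.0.2.0/24, with the "short-cut" to leave out shown as a comment.

```ini
# ---- Inbound MX (mx-in.example.net): takes mail from anyone, but only for
# ---- known local users, and never relays.  Names/networks are assumed.
myhostname = mx-in.example.net
mydestination = example.net
# No internal network is trusted on this box, so nothing can relay through it.
mynetworks = 127.0.0.0/8
relay_domains =
# Accept recipients in $mydestination only; everything else is refused at RCPT TO.
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain,
    reject_unauth_destination
# Unknown local users are rejected during the SMTP session rather than
# bounced later (this is Postfix's default, made explicit because it is the point).
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
# Inbound content/abuse filtering (milters, header checks) is configured here;
# the outbound relay carries a different filter set for local abuse.

# ---- Outbound relay (smtp-out.example.net): relays for internal senders
# ---- only and knows nothing about where example.net mail is delivered.
myhostname = smtp-out.example.net
# Not the final destination for anything: even mail to @example.net is
# "relayed", so it leaves via the public MX records like any other domain.
mydestination =
mynetworks = 127.0.0.0/8, 192.0.2.0/24
relay_domains =
# Known internal users only: on-network clients or SASL-authenticated ones.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject
# Empty relayhost: deliver by looking up the recipient's MX in DNS, i.e.
# "ask the Internet".
relayhost =
# The short-cut the post warns against would be a transport_maps entry such as
#   example.net   smtp:[mx-in.example.net]
# Leave it out, so a retired or renumbered inbound host is never hardwired here.
```

With this layout a stale entry on either box affects only that box's own role: the relay cannot become an open relay by accident, and the MX cannot be used to send outbound mail.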