
A DNS flag day

Posted Jan 26, 2019 23:29 UTC (Sat) by marcH (subscriber, #57642)
In reply to: A DNS flag day by biergaizi
Parent article: A DNS flag day

> 4.1. Fail Fast and Hard
> Protocols need to include error reporting mechanisms that ensure
> errors are surfaced in a visible and expedient fashion.

Hi, firewalls!

Is there any big company where the IT department can be made accountable for severe losses of productivity? Curious whether they have any job offers right now.


A DNS flag day

Posted Jan 27, 2019 10:30 UTC (Sun) by mpr22 (subscriber, #60784) [Link]

Define "made accountable".

Ideally, in a way that still makes people want to work in that IT department.

A DNS flag day

Posted Jan 29, 2019 23:51 UTC (Tue) by intgr (subscriber, #39733) [Link] (2 responses)

> Hi, firewalls!

This!

ICMP provides a perfectly good mechanism to report back forbidden packets. But for some odd reason it's considered best practice to instead blackhole disallowed packets.

In more than one case, a missing firewall rule and the blackhole approach together turned a simple mistake into a cascading failure of multiple systems waiting for timeouts.

A DNS flag day

Posted Feb 5, 2019 15:22 UTC (Tue) by JFlorian (guest, #49650) [Link] (1 response)

My understanding of this is that it's all about information disclosure. In other words, it's best practice to fail hard with ICMP forbidden on internal facing connections, but to silently drop on external ones. Is there a strong argument that ICMP forbidden in both directions doesn't really present any additional risk? I certainly get the advantages (I've been caught out by my own firewall rules more times than I can count), but the disadvantages can be of the type you don't know until you've been burned.
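As an added example (not code from any of the commenters above, nor from LWN), the following nftables ruleset encodes the split policy JFlorian describes and addresses intgr's objection to blackholing: traffic blocked on the internal side is rejected with an ICMP administratively-prohibited error so clients fail immediately, while traffic blocked on the external side is dropped silently but still counted and logged, so the blackhole is visible to the operator rather than only to whoever is waiting on a timeout. The interface names (`eth0` as the external link, `eth1` as the internal network), the allowed ports and the log prefixes are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumed interfaces:
# eth0 = external link, eth1 = internal network.

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that were already allowed.
        ct state established,related accept
        ct state invalid counter drop

        # Never blackhole ICMP/ICMPv6 errors: path-MTU discovery and the
        # "fail fast" signal itself depend on them getting through.
        meta l4proto { icmp, ipv6-icmp } accept

        # Internal clients may reach external DNS over both UDP and TCP;
        # answers that do not fit in UDP are retried over TCP, so blocking
        # port 53/tcp silently breaks resolution.
        iifname "eth1" oifname "eth0" meta l4proto { tcp, udp } th dport 53 accept
        iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept

        # Anything else from the inside: log (rate-limited), then reject
        # with an admin-prohibited ICMP so the client sees an error now
        # instead of a timeout later. The log rule does not terminate,
        # so the packet continues to the reject rule.
        iifname "eth1" limit rate 5/second burst 20 packets log prefix "fw-reject-int "
        iifname "eth1" counter reject with icmpx type admin-prohibited

        # Anything else from the outside: silent drop, but counted and
        # logged so the drop shows up in monitoring.
        iifname "eth0" limit rate 5/second burst 20 packets log prefix "fw-drop-ext "
        iifname "eth0" counter drop
    }
}
```

Load it with `nft -f` on the gateway; `nft list ruleset` then shows the per-rule packet and byte counters, and the `log` statements land in the kernel log (for example via `journalctl -k`), which is what lets a silently dropped flow be correlated with a user's timeout report. The `icmpx` form is used because the table is in the `inet` family, so the same rule produces an ICMP error for IPv4 and an ICMPv6 error for IPv6; for TCP-only services `reject with tcp reset` is the alternative that makes clients fail with a plain connection refused.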

A DNS flag day

Posted Feb 5, 2019 16:45 UTC (Tue) by nybble41 (subscriber, #55106) [Link]

Assuming they already know your assigned IP range, does always responding to incoming connections with ICMP forbidden (including for unknown internal IPs) really leak significantly more information than silently dropping the packets?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds