On Aug 6, 2007, at 9:13 AM, Leigh Porter wrote:
> But why would they care where the nameserver is? Point 2 would seem to be a little stupid a thing to assume. Also, what happens if, at that moment, the ICMP packet is stuck in a queue for a few ms, making the shortest route longer?
While point 2 is a bad assertion if you depend completely upon it, it's not necessarily a bad starting point if you have no other data to go on.

1. 90+% of resolvers are topologically proximate to either the requestor, or the requestor's NAT box that you will have to talk to anyway.

2. At the GLB level, you really don't have any data other than the IP address of the resolver upon which to base your GLB decision. Since you'll be right 90+% of the time, and only sub-optimal, not broken, the other <10% of the time, it generally works OK.

3. When I worked for Netli, before they were acquired in what I would call a much less than ethical transaction, we maintained an exception table for cases where we learned that the DNS resolver was not topologically proximate to the requestors that flowed through it. We also spent a fair amount of time explaining the benefits of having the resolver be topologically proximate to our customers and their customers.

The Netli system was designed to be quite gentle in the amount of probing it did, but we did occasionally get messages from people with paranoid IDS boxes. Usually, once we explained that our efforts were directed at improving the quality of service to their users, and how the system worked and how little traffic we sent their way to accomplish this, they were happy to reconfigure their alarm preferences.

I don't have first-hand knowledge of anyone else's use of these kinds of ICMP probes, but I would say that generally they are somewhat useful and mostly harmless.

Owen
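The resolver-based GLB decision and exception table that Owen describes, as an added illustration that is not Netli's code or anything from the thread; the PoP names, prefixes, RTT figures and the exception entry are all constructed for the example.

```python
"""Added illustration: pick a PoP from the resolver's IP (the only datum a
GLB has), falling back to a default with no data, and letting an exception
table override resolvers known not to sit near their users."""
import ipaddress
from typing import Optional

# Constructed: per-PoP RTT (ms) as a gentle probing system might have
# measured it for each resolver prefix; a real GLB learns these live.
RTT_BY_PREFIX = {
    "198.51.100.0/24": {"pop-east": 8.0, "pop-west": 61.0},
    "203.0.113.0/24": {"pop-east": 72.0, "pop-west": 9.0},
    "192.0.2.0/24": {"pop-east": 40.0, "pop-west": 38.0},
}
# Constructed exception table: a resolver whose users are actually in the
# east (e.g. a centralised corporate resolver) is pinned to the users' PoP.
EXCEPTIONS = {"203.0.113.53": "pop-east"}
DEFAULT_POP = "pop-east"


def longest_prefix_match(ip: str) -> Optional[str]:
    """Return the most specific known prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in RTT_BY_PREFIX:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None


def choose_pop(resolver_ip: str) -> tuple[str, str]:
    """Choose a PoP for a query arriving from resolver_ip.

    Returns (pop, reason) so an operator can see why a resolver landed
    where it did; the reason is what you would log when auditing the
    sub-optimal <10% of cases."""
    if resolver_ip in EXCEPTIONS:
        return EXCEPTIONS[resolver_ip], "exception-table"
    prefix = longest_prefix_match(resolver_ip)
    if prefix is None:
        return DEFAULT_POP, "no-data-default"
    rtts = RTT_BY_PREFIX[prefix]
    return min(rtts, key=rtts.get), f"lowest-rtt:{prefix}"


if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.53", "203.0.113.7", "10.0.0.1"):
        print(ip, "->", choose_pop(ip))
```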