On 25/02/2014, at 17:55, Roland Dobbins <rdobbins(a)arbor.net> wrote:

> Transparently redirecting DNS or ntp is hostile &
> unethical, if not actionable. Setting up policies so that customers must by default use
> your recursive DNS & ntp setups makes perfect sense, as long as those policies are
> made clear & as long as 'advanced' customers can opt out.

I assume you mean non-notified transparent redirection. Hostile and unethical are
interesting terms to use if customers are informed of the behaviour.
Depending on one's customer base, the vast majority of users are likely far more
interested in "Can I get a correct answer to DNS questions?" and "Can I
sync my clocks to something that looks like the correct time?" than "Can I get
an answer from DNS/NTP servers of my choice?"
An opt-out policy of "You must use my recursive DNS and NTP infrastructure"
(presumably enforced by packet filters) will almost certainly result in more support calls
from such a customer base than transparently redirecting the same traffic to (supposedly)
That is to say, a filter-enforced policy combined with transparent redirection may make
more sense than a filter-enforced policy alone.
Doing either without the opt-out component is not something I'd consider a good idea,
but as they say, your network, your rules. I did overhear someone mention that transparent
snaffling of packets on a network run by a company called End2End was somewhat amusing,