IPv6 teredo blackout June 8th
Erik Kline
ek at google.com
Thu Feb 3 12:19:37 CET 2011
On 3 February 2011 04:52, Brandon Butterworth <brandon at bogons.net> wrote:
>> Some windows platforms have teredo enabled by default.
>
> I never understood why that would be a good plan, the aim
> is to get people doing native not deploying tunnels where
> they're not intended to be
>
>> Thoughts and mitigation?
>
> Get MS to deploy a default off in the next patch cycle (just missed the
> IE biggie) or make teredo not try. Not tested this myself -
>
> "Block name resolution of the Teredo DNS host name, which
> by default on computers running Windows 7 is teredo.ipv6.microsoft.com"
>
> if you're lucky enough to control their DNS
>
> brandon
>
Your recursive resolvers could be configured to be (falsely)
authoritative for ipv6.microsoft.com with an empty zone, and then they
would hand out NXDOMAINs for anything in there. Would work for your
local area. Probably not a good idea for an ISPs resolvers that
customers use, though.
More information about the ipv6-ops
mailing list