That is really secondary, but in this particular case, our own internal nameservers did not provide the expected results - using others to verify is a normal part of diagnosing an issue.
You verified that it's an issue with our internal nameservers using your client, which I acknowledged. I apologize there is an issue with our internal nameservers, but it is a problem that needs to be solved and not worked around.
Georg, how about presenting the "legitimate requirement" for this rule, this overly zealous egress filtering? We didn't have it before, why do we have it now?
I do not agree with your definition of "overly zealous". Whitelisting ...
- is a common network security practice to facilitate granting the least access possible. I applied the principle from our mother infrastructure which follows a thorough security design.
- makes auditing easier - a network operator can tell legitimate and malicious traffic apart by being able to map all traffic to documented traffic rules.
- helps us keep the public IP space, which is associated with our name, clean. We are responsible for not generating any abusive outbound traffic.
So far, I am not aware of any hard complaints; all legitimate requirements were fulfilled to the requesters' satisfaction.
I understand you are used to arbitrary network access on arbitrary hosts from the past setup, and I understand the change requires some adjustment with troubleshooting certain situations. I see this adjustment as a positive, as it makes administrators think about the commands they execute on a system more. Does one really need to install arbitrary debugging tools and connect to various internet servers from a production machine? Generally debugging tools can be called from an administrative workstation - in this particular case, as you have successfully done, using your own internet connected client. In other cases, where internal services need to be validated, from an administrative bastion. If it is really needed to execute such debugging activity from a production machine, the needful can be temporarily permitted.
I would also like to point out that everyone was given the opportunity to attend the meetings in which the network design was introduced and discussed.
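Added illustration, not part of the thread above: a small audit helper showing the two points made in the reply, that every outbound flow should map to a documented whitelist rule (anything unmatched is a default-deny) and that a debugging permit can be granted temporarily with an expiry. The rule names, networks and flow records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class EgressRule:
    name: str                         # documented purpose of the rule
    dst: str                          # destination network (CIDR)
    proto: str
    port: int
    expires: Optional[datetime] = None  # set only for temporary debugging permits

# Constructed whitelist: default deny, everything else must map to a documented rule.
RULES = [
    EgressRule("internal-dns", "10.0.0.0/24", "udp", 53),
    EgressRule("package-mirror", "10.0.5.10/32", "tcp", 443),
    # Temporary permit so an admin can query external resolvers while debugging.
    EgressRule("temp-debug-dns", "0.0.0.0/0", "udp", 53,
               expires=datetime(2024, 1, 2, tzinfo=timezone.utc)),
]

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.0.1.7", "10.0.0.2", "udp", 53),      # internal nameserver
    ("10.0.1.7", "8.8.8.8", "udp", 53),       # external resolver
    ("10.0.1.7", "203.0.113.5", "tcp", 22),   # undocumented outbound SSH
]

def match_rule(rules, dst_ip, proto, port, now):
    """Return the name of the first documented rule covering this flow, or None."""
    for r in rules:
        if r.expires is not None and now >= r.expires:
            continue  # an expired temporary permit grants nothing
        if proto == r.proto and port == r.port and ip_address(dst_ip) in ip_network(r.dst):
            return r.name
    return None

def audit(rules, flows, now):
    """Map every flow to its rule name; unmatched flows are reported as DENY for review."""
    return [(src, dst, proto, port, match_rule(rules, dst, proto, port, now) or "DENY")
            for src, dst, proto, port in flows]

if __name__ == "__main__":
    for row in audit(RULES, FLOWS, datetime(2024, 1, 1, tzinfo=timezone.utc)):
        print(row)
```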