Wildcards in reverse DNS
Mark Andrews
Mark_Andrews at isc.org
Fri Jan 5 13:24:42 UTC 2007
> Mark Andrews wrote:
> > For those of you who think NAT's are great try connecting
> > to a port forwarded service from behind a NAT. I've yet
> > to see a NAT box do this right. The NAT box should be
> > able to loop the traffic around. Instead we are forced
> > to kludge solutions to this in the DNS.
>
> No, a *properly* behaving NAT should always allow looping back. If you
> are running a NAT that doesn't allow this, then it is broken. You cannot
> put down NAT just because of broken implementations.
>
> > Look back through the archive of this list and you will
> > see some of the problems NAT's cause.
>
> Again, bad NAT or improperly configured NAT software/hardware is the
> problem, not NATs in and of themselves; it's a fundamental difference.
NAT is broken by design. It depends upon there being a unique
identifier in the upper layer protocols to demux the incoming
data stream. No such identifier exists for *all* protocols that
run on top of IPv4.
You can usually get away with it for TCP, UDP and ICMP if you
initiate the connection from inside. If you want to have multiple
servers on the inside you lose out.
> > IPv6 is a significant step forward. It has enough address
> > space the every home can have it's own network with global
> > address for each device in the home if they want.
>
> Yes, but in order to use it you have to turn your network world as you
> see it upside down, and for many it doesn't seem worth all that. I think
> many are just waiting for a much better solution.
Have you run an IPv6 network?
As long as you can get external IPv6 connectivity (achievable
via tunnels if your ISP doesn't yet support IPv6), you just
enable IPv6 on the machines, add their addresses to the DNS
if they haven't done that themselves and most things just
work.
I don't call that "turning the network upside down".
If you look at the headers of this email you will see
that the outbound mail from my machine at home leaves here
via IPv6.
It just works.
> > There are lots of things you can do when you have a
> > globally routable IP address that you can't do from
> > behind a NAT.
>
> Name one. With properly configured NAT, I've not had one single problem
> routing things between various servers, no matter what they run. A
> proper NAT will allow you to set up routes to services and also allow
> the preservation of ports (otherwise certain services do indeed break if
> they aren't routed back to an expected port and instead to a
> random unprivileged port, etc. etc.)
Try running multiple ntp daemons from inside syncing to the
same external time sources. It doesn't work properly. There
is not enough information to demux the replies correctly.
Try running an active FTP client.
Try running a passive FTP server.
Try running multiple servers.
Try running multiple VOIP phones with default configurations.
You have to do a whole lot of workarounds or limit the
available modes.
> It all depends on the implementation, and if it's behaving correctly.
>
> NAT32e is a good example of how a properly configured NAT should behave.
>
> > Bring on IPv6.
>
> Bring on something better, and more compatible with IPv4, please.
IPv6 is very compatible with IPv4. Just about everything
that works with IPv4 will work with IPv6 provided the
implementations have the socket establishment re-written
to be protocol independent. There are a few exceptions and
they usually embed IPv4 addresses in the upper layers.
Anything that just does

    gethostbyname()
    socket()
    connect() / sendto()

or the equivalent on the client side will work.
Anything that does just this on the server side will just work.

    socket()
    bind()
    listen() + accept() / recvfrom()

That's the majority of network programs.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
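Added example (editor's illustration, not code from Mark's message or from ISC): the "protocol independent socket establishment" he describes for both the client side and the server side, written around POSIX getaddrinfo() as the replacement for gethostbyname(). Neither the function names below (addr_family, connect_any, listen_any, loopback_roundtrip) nor the choice of getaddrinfo() come from the message; they are this example's assumptions. The demonstration binds an ephemeral port on a loopback address and connects back to it, so it runs offline; the IPv6 half will only succeed on a host that has ::1 configured.

```c
/* Editor's added example: protocol-independent client and server socket
 * setup via getaddrinfo(). Assumes POSIX sockets and a loopback interface;
 * the helper names are this example's own, not from the original post. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Address family of a numeric host string as getaddrinfo() parses it:
 * AF_INET for "127.0.0.1", AF_INET6 for "::1", -1 if it is not an address.
 * AI_NUMERICHOST means no DNS lookup is performed. */
int addr_family(const char *host)
{
    struct addrinfo hints, *res;
    int family;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_NUMERICHOST;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

/* Client side: gethostbyname()/socket()/connect() rewritten around
 * getaddrinfo(). Each candidate address, v4 or v6, is tried in the order
 * the resolver returned it; the first one that connects wins.
 * Returns a connected socket or -1. */
int connect_any(const char *host, const char *service)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* whatever family the DNS gives us */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, service, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break;                    /* connected */
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Server side: socket()/bind()/listen() with the same pattern. Nothing here
 * names an address family; the sockaddr comes from the resolver.
 * Returns a listening socket or -1. */
int listen_any(const char *host, const char *service)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1, one = 1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_PASSIVE;      /* wildcard address if host is NULL */
    if (getaddrinfo(host, service, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0)
            continue;
        setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
        if (bind(fd, ai->ai_addr, ai->ai_addrlen) == 0 && listen(fd, 5) == 0)
            break;                    /* listening */
        close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    return fd;
}

/* Demonstration: listen on an ephemeral port of the given loopback address,
 * connect to it with the client routine and pass one byte through. The same
 * code path serves "127.0.0.1" and "::1". Returns 1 on success, 0 otherwise. */
int loopback_roundtrip(const char *host)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    char port[32], c = 0;
    int lfd, cfd = -1, afd = -1, ok = 0;

    lfd = listen_any(host, "0");      /* port 0: kernel picks a free port */
    if (lfd < 0)
        return 0;
    if (getsockname(lfd, (struct sockaddr *)&ss, &len) == 0 &&
        getnameinfo((struct sockaddr *)&ss, len, NULL, 0,
                    port, sizeof port, NI_NUMERICSERV) == 0 &&
        (cfd = connect_any(host, port)) >= 0) {
        afd = accept(lfd, NULL, NULL);
        if (afd >= 0) {
            ok = write(cfd, "x", 1) == 1 && read(afd, &c, 1) == 1 && c == 'x';
            close(afd);
        }
        close(cfd);
    }
    close(lfd);
    return ok;
}

int main(void)
{
    printf("127.0.0.1: family %d, round trip %s\n", addr_family("127.0.0.1"),
           loopback_roundtrip("127.0.0.1") ? "ok" : "failed");
    printf("::1: family %d, round trip %s\n", addr_family("::1"),
           loopback_roundtrip("::1") ? "ok" : "failed");
    return 0;
}
```

The point of the loop in connect_any() is that a dual-stack host name returns both AAAA and A records; a client written this way falls back from an unreachable IPv6 address to IPv4 on its own, which is exactly the behaviour that lets the same binary work with or without external IPv6 connectivity.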