Risks of patched servers behind de-randomizing NAT

Evan Hunt Evan_Hunt at isc.org
Thu Jul 31 21:16:47 UTC 2008


> But why someone puts a DNS server behind a NAT? It's a bit nonsensical...

Not at all.  I run a recursive validating resolver on my laptop, and
it's always behind a NAT, whether I'm at home or at a coffee shop--how
else?  I also have a dedicated resolver behind my home NAT; with eight
computers on my home network, and $75/year for each additional IP address,
it makes sense (to me, anyway) to do things that way.

Yesterday I discovered that the router I'm using at home was reassigning
BIND's nicely randomized ports into a very predictable pattern.  I upgraded
the firmware and the situation is improved; now the ports are reassigned to
pseudorandom values--but I know nothing about the quality of the PRNG.

I'll be happier when I replace the router.

-- 
Evan Hunt -- evan_hunt at isc.org
Internet Systems Consortium, Inc.
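The check described above (whether the NAT is turning the resolver's randomized source ports into a predictable pattern) can be scripted. The following is an added example, not part of the message above and not BIND's or ISC's code: it takes the UDP source ports that an observer outside the NAT sees on queries from the resolver (for instance from a packet capture on a host you control on the far side of the NAT) and reports coarse randomness indicators. The thresholds, the helper names and the three constructed sample sequences (a counter-style NAT, a fixed-stride NAT, and a well-randomized one) are assumptions for illustration, not measurements from the post.

```python
"""Heuristic check for source-port de-randomization by a NAT.

Added example (not from the original post). Feed it the UDP source ports
that an observer outside the NAT sees on queries from your resolver; the
verdict says whether the sequence still looks randomized after translation.
"""
import random
from collections import Counter

# Assumed heuristic thresholds (not from the post); tune to your sample size.
MIN_DISTINCT_FRACTION = 0.5        # many repeated ports -> tiny port pool
MAX_DOMINANT_DELTA_FRACTION = 0.2  # one recurring step (e.g. +1) -> a counter
MIN_SPAN = 1024                    # ports confined to a narrow window


def analyze_ports(ports):
    """Return randomness indicators and a verdict for an observed port sequence."""
    if len(ports) < 10:
        raise ValueError("need at least 10 observed ports for a meaningful check")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    (dominant_delta, dominant_count), = Counter(deltas).most_common(1)
    stats = {
        "samples": len(ports),
        "distinct_fraction": len(set(ports)) / len(ports),
        "span": max(ports) - min(ports),
        "sequential_fraction": sum(d == 1 for d in deltas) / len(deltas),
        "dominant_delta": dominant_delta,
        "dominant_delta_fraction": dominant_count / len(deltas),
    }
    predictable = (
        stats["distinct_fraction"] < MIN_DISTINCT_FRACTION
        or stats["dominant_delta_fraction"] > MAX_DOMINANT_DELTA_FRACTION
        or stats["span"] < MIN_SPAN
    )
    stats["verdict"] = "predictable" if predictable else "randomized"
    return stats


# --- Constructed sample sequences (hypothetical, not real captures) ---------

def sequential_nat_ports(n=100, start=1024):
    """A NAT that rewrites each new flow to the next port: start, start+1, ..."""
    return [start + i for i in range(n)]


def strided_nat_ports(n=100, stride=40503):
    """A NAT whose 'random' ports are really a fixed stride modulo the range."""
    return [1024 + (i * stride) % 64512 for i in range(n)]


def randomized_ports(n=100, seed=2008):
    """Ports drawn uniformly from the ephemeral range, as a good PRNG would give."""
    rng = random.Random(seed)
    return [rng.randrange(1024, 65536) for _ in range(n)]


if __name__ == "__main__":
    for name, sample in [("sequential", sequential_nat_ports()),
                         ("strided", strided_nat_ports()),
                         ("randomized", randomized_ports())]:
        s = analyze_ports(sample)
        print(f"{name:11s} verdict={s['verdict']:11s} "
              f"distinct={s['distinct_fraction']:.2f} span={s['span']:5d} "
              f"seq={s['sequential_fraction']:.2f} "
              f"dominant_delta={s['dominant_delta']} ({s['dominant_delta_fraction']:.2f})")
```

The indicators are deliberately simple: a repeated step size catches both the "next port" counter and a fixed-stride generator, while the distinct-port and span checks catch a NAT that confines translated ports to a small pool. A clean result here does not prove the router's PRNG is strong (the message above makes exactly that point); it only rules out the grossly predictable patterns that are cheap to observe, so the sample should be taken from real query traffic rather than a few hand-made probes.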

