Risks of patched servers behind de-randomizing NAT
Evan Hunt
Evan_Hunt at isc.org
Thu Jul 31 21:16:47 UTC 2008
> But why someone puts a DNS server behind a NAT? It's a bit nonsensical...
Not at all. I run a recursive validating resolver on my laptop, and
it's always behind a NAT, whether I'm at home or at a coffee shop--how
else? I also have a dedicated resolver behind my home NAT; with eight
computers on my home network, and $75/year for each additional IP address,
it makes sense (to me, anyway) to do things that way.
Yesterday I discovered that the router I'm using at home was reassigning
BIND's nicely randomized ports into a very predictable pattern. I upgraded
the firmware and the situation is improved; now the ports are reassigned to
pseudorandom values--but I know nothing about the quality of the PRNG.
I'll be happier when I replace the router.
--
Evan Hunt -- evan_hunt at isc.org
Internet Systems Consortium, Inc.
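One way to measure the pattern described in the post, as an added example that is not the poster's own code: it scores a sample of UDP source ports observed on the public side of a NAT (from a capture or a port-reporting test service) and flags the incrementing or fixed-stride assignment that a de-randomizing NAT produces. The port lists and thresholds are constructed assumptions, not values from the post.

```python
"""Heuristic check of DNS source-port randomization as seen outside a NAT.

Added example, not part of the original post. `ports` is the sequence of
UDP source ports observed on the NAT's public side for one resolver's
outbound queries. All port lists here are constructed sample data.
"""
import math
import random
from collections import Counter


def port_stats(ports):
    """Return simple statistics describing how random a port sample looks."""
    n = len(ports)
    if n < 2:
        raise ValueError("need at least two observed ports")
    counts = Counter(ports)
    # Shannon entropy normalised by log2(n): ~1.0 means every observation
    # was distinct, well below 1.0 means heavy port reuse.
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    # Most common difference between consecutive ports. A NAT that hands out
    # ports in order (or with a fixed stride) makes one difference dominate;
    # a good PRNG spreads the differences out.
    diffs = Counter(b - a for a, b in zip(ports, ports[1:]))
    step, step_count = diffs.most_common(1)[0]
    return {
        "distinct_ratio": len(counts) / n,
        "entropy_ratio": entropy / math.log2(n),
        "span": max(ports) - min(ports),
        "dominant_step": step,
        "dominant_step_ratio": step_count / (n - 1),
    }


def looks_derandomized(ports, max_step_ratio=0.1, min_entropy_ratio=0.9):
    """True if the sample shows the predictable pattern the post describes."""
    s = port_stats(ports)
    return s["dominant_step_ratio"] > max_step_ratio or s["entropy_ratio"] < min_entropy_ratio


# Constructed samples: one sequentially assigning NAT, one well-randomized resolver.
SEQUENTIAL_NAT = list(range(1024, 1024 + 200))
RANDOMIZED = random.Random(7).sample(range(1024, 65536), 200)

if __name__ == "__main__":
    for name, sample in (("sequential NAT", SEQUENTIAL_NAT), ("randomized", RANDOMIZED)):
        print(name, port_stats(sample), "de-randomized:", looks_derandomized(sample))
```

Run it against a few hundred ports captured on the WAN side; a dominant step ratio near 1.0 is the "very predictable pattern" the post mentions, while a low entropy ratio indicates the NAT is reusing a small port pool.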