Defense against a client?
Chuck Anderson
cra at WPI.EDU
Mon Jan 16 16:39:41 UTC 2012
On Mon, Jan 16, 2012 at 03:41:15PM +0000, Florian Weimer wrote:
> * Chuck Anderson:
>
> > Unfortunately, these sorts of per-IP limiting are going to become more
> > and more inappropriate with the likes of Carrier Grade NATs, since
> > there will be many subscribers sharing a single public IP address.
> > You may end up causing performance problems for legitimate traffic.
>
> Fortunately, this is not that relevant because it's not really feasible
> to run largish DNS resolvers behind port-based NAT anyway (in part due
> to source port randomization). 8-)
You miss the point. The DNS server, not behind a NAT, will end up
rate-limiting or blocking clients who ARE behind NATs.