Defense against a client?
Mark Andrews
marka at isc.org
Tue Jan 17 00:23:20 UTC 2012
In message <barmar-8F6F85.14511816012012 at news.eternal-september.org>, Barry Margolin writes:
> In article <mailman.880.1326731999.68562.bind-users at lists.isc.org>,
> Chuck Anderson <cra at WPI.EDU> wrote:
>
> > On Mon, Jan 16, 2012 at 03:41:15PM +0000, Florian Weimer wrote:
> > > * Chuck Anderson:
> > >
> > > > Unfortunately, these sorts of per-IP limiting are going to become more
> > > > and more inappropriate with the likes of Carrier Grade NATs, since
> > > > there will be many subscribers sharing a single public IP address.
> > > > You may end up causing performance problems for legitimate traffic.
> > >
> > > Fortunately, this is not that relevant because it's not really feasible
> > > to run largish DNS resolvers behind port-based NAT anyway (in part due
> > > to source port randomization). 8-)
> >
> > You miss the point. The DNS server, not behind a NAT, will end up
> > rate-limiting or blocking clients who ARE behind NATs.
>
> DNS queries don't come directly from clients, they come from caching
> servers, aka resolvers. It's those caching servers that shouldn't be
> behind NATs.
Which will more and more be behind CGN, especially as DNSSEC take-up
increases.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
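As an added illustration of the collateral damage this thread is about (example code written for this page, not from BIND or from any poster): a per-source-IP token bucket, with assumed limits of 20 queries/s and a burst of 40, run over a constructed query trace that compares 50 modest clients on their own addresses with the same 50 sitting behind one shared CGN address (placeholder 203.0.113.1).

```python
# Added example, not code from the thread or from BIND: a per-source-IP token
# bucket run over a constructed trace to show how CGN makes many small clients
# look like one abusive address to a server that limits per IP.
from collections import defaultdict

RATE = 20.0   # assumed limit: tokens (queries) refilled per second, per source IP
BURST = 40.0  # assumed limit: bucket capacity per source IP


class PerIpLimiter:
    """Token bucket keyed on source IP, as a server in front of the NAT sees it."""

    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: burst)  # new IPs start with a full bucket
        self.last = {}                            # last arrival time per IP

    def allow(self, src_ip, now):
        elapsed = now - self.last.get(src_ip, now)
        self.last[src_ip] = now
        self.tokens[src_ip] = min(self.burst, self.tokens[src_ip] + elapsed * self.rate)
        if self.tokens[src_ip] >= 1.0:
            self.tokens[src_ip] -= 1.0
            return True
        return False


def make_trace(subscribers, qps_each, seconds, shared_ip=None):
    """Constructed trace of (timestamp, src_ip): `subscribers` clients each sending
    `qps_each` queries/s. With shared_ip set they all appear from that one CGN
    address; otherwise each gets its own placeholder address 192.0.2.<n>."""
    events = []
    for s in range(subscribers):
        ip = shared_ip or f"192.0.2.{s + 1}"
        for i in range(int(qps_each * seconds)):
            events.append((i / qps_each + s * 0.001, ip))  # near-simultaneous arrivals
    return sorted(events)


def drop_fraction(trace):
    """Fraction of queries the limiter refuses over the whole trace."""
    lim = PerIpLimiter()
    refused = sum(0 if lim.allow(ip, t) else 1 for t, ip in trace)
    return refused / len(trace)


def compare(subscribers=50, qps_each=2, seconds=10):
    """Same clients at 2 q/s each: own addresses vs. one shared CGN address."""
    own = drop_fraction(make_trace(subscribers, qps_each, seconds))
    cgn = drop_fraction(make_trace(subscribers, qps_each, seconds, "203.0.113.1"))
    return own, cgn
```

With these assumed limits no query is refused when each client has its own address, while behind the shared address roughly three quarters of the same traffic is dropped.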