Defense against a client?

David Miller dmiller at tiggee.com
Tue Jan 17 05:02:41 UTC 2012



Mark Andrews <marka at isc.org> wrote:

>
>In message <barmar-8F6F85.14511816012012 at news.eternal-september.org>,
>Barry Margolin writes:
>> In article <mailman.880.1326731999.68562.bind-users at lists.isc.org>,
>>  Chuck Anderson <cra at WPI.EDU> wrote:
>> 
>> > On Mon, Jan 16, 2012 at 03:41:15PM +0000, Florian Weimer wrote:
>> > > * Chuck Anderson:
>> > > 
>> > > > Unfortunately, these sorts of per-IP limiting are going to become more
>> > > > and more inappropriate with the likes of Carrier Grade NATs, since
>> > > > there will be many subscribers sharing a single public IP address.
>> > > > You may end up causing performance problems for legitimate
>> > > > traffic.
>> > > 
>> > > Fortunately, this is not that relevant because it's not really feasible
>> > > to run largish DNS resolvers behind port-based NAT anyway (in part due
>> > > to source port randomization). 8-)
>> > 
>> > You miss the point.  The DNS server, not behind a NAT, will end up
>> > rate-limiting or blocking clients who ARE behind NATs.
>> 
>> DNS queries don't come directly from clients, they come from caching 
>> servers, aka resolvers.  Its those caching servers that shouldn't be 
>> behind NATs.
>
>Which will more and more be behind CGN especially as DNSSEC take up
>increases.
>
>Mark
>-- 
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



If one sets up an infrastructure such that a large number of end users "share the same fate" through having the same source address... then one should not be surprised when these end users actually do share the same fate...

-DMM
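The "shared fate" the thread describes can be seen directly with a small simulation. The following is an added example, not code from the list or from BIND: a per-source-address token-bucket limiter of the kind the thread discusses, run against one directly connected client and against a constructed group of subscribers behind a single CGN address (the rates, burst sizes and addresses are assumed values chosen for illustration).

```python
from collections import defaultdict


class TokenBucket:
    """Refill `rate` tokens per second up to `burst`; timestamps are integer ms."""

    def __init__(self, rate, burst, now_ms):
        self.rate, self.burst = rate, burst
        self.tokens, self.last_ms = burst, now_ms

    def allow(self, now_ms):
        # Integer-ms timeline keeps the refill arithmetic exact for the sample rates used here.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate / 1000)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address: every client sharing an address shares its bucket."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, src, now_ms):
        if src not in self.buckets:
            self.buckets[src] = TokenBucket(self.rate, self.burst, now_ms)
        return self.buckets[src].allow(now_ms)


def simulate(limiter, clients, qps, seconds):
    """clients: list of (client_id, source_address); each sends `qps` evenly spaced
    queries per second. Returns {source_address: (sent, dropped)}."""
    step_ms = 1000 // qps
    events = sorted((k * step_ms, cid, src) for cid, src in clients for k in range(qps * seconds))
    stats = defaultdict(lambda: [0, 0])
    for now_ms, _cid, src in events:
        stats[src][0] += 1
        if not limiter.allow(src, now_ms):
            stats[src][1] += 1
    return {src: tuple(v) for src, v in stats.items()}


def shared_fate_demo():
    """Constructed scenario: one direct client vs 50 subscribers behind one CGN
    address, each sending 5 qps against a 20 qps / burst-20 per-IP limit."""
    limiter = PerSourceLimiter(rate=20, burst=20)
    direct = [("direct", "192.0.2.10")]                            # documentation address
    cgn = [(f"sub-{i:02d}", "198.51.100.1") for i in range(50)]  # constructed CGN address
    return simulate(limiter, direct + cgn, qps=5, seconds=10)
```

The direct client loses nothing, while the 50 subscribers behind the shared address collectively lose over 90% of their queries, although each of them individually stays well under the per-IP limit.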



