Defense against a client?

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Jan 17 08:53:19 UTC 2012


>> > * Chuck Anderson:
>> > > Unfortunately, these sorts of per-IP limiting are going to become more
>> > > and more inappropriate with the likes of Carrier Grade NATs, since
>> > > there will be many subscribers sharing a single public IP address.
>> > > You may end up causing performance problems for legitimate traffic.

>> On Mon, Jan 16, 2012 at 03:41:15PM +0000, Florian Weimer wrote:
>> > Fortunately, this is not that relevant because it's not really feasible
>> > to run largish DNS resolvers behind port-based NAT anyway (in part due
>> > to source port randomization). 8-)

>In article <mailman.880.1326731999.68562.bind-users at lists.isc.org>,
> Chuck Anderson <cra at WPI.EDU> wrote:
>> You miss the point.  The DNS server, not behind a NAT, will end up
>> rate-limiting or blocking clients who ARE behind NATs.

On 16.01.12 14:51, Barry Margolin wrote:
>DNS queries don't come directly from clients, they come from caching
>servers, aka resolvers.  It's those caching servers that shouldn't be
>behind NATs.

But clients send DNS queries to those caching servers (or their caching 
resolvers) directly, which apparently is what Chuck wanted to say.

If there are more clients behind NAT, you can only block all of them on your 
server... you should not block your own clients.

You could of course play with port ranges; we may assume that if they are 
your clients you could know how the NAT is working...

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The early bird may get the worm, but the second mouse gets the cheese. 
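Added example (not from the thread or from BIND): a token-bucket limiter that, for a source address in a known CGN pool, keys on (source IP, port block) instead of the IP alone, so that the per-subscriber port ranges mentioned above keep one noisy subscriber from exhausting the budget of everyone sharing that public address. The pool, its 2048-port block size and the traffic pattern are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the CGN pools we operate and the port-block size the NAT hands each
# subscriber. 100.64.0.0/10 is RFC 6598 shared address space; 2048 is constructed.
CGN_POOLS = [(ipaddress.ip_network("100.64.0.0/10"), 2048)]

def client_key(src_ip, src_port, per_port_block=True):
    """Key a query by source IP, or by (IP, port block) when the IP is in a CGN pool."""
    ip = ipaddress.ip_address(src_ip)
    if per_port_block:
        for pool, block in CGN_POOLS:
            if ip in pool:
                return (str(ip), src_port // block)
    return (str(ip), None)

class TokenBucket:
    """Token bucket: `rate` tokens per second, at most `burst` stored per key."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}  # key -> (tokens, last_update_ms)

    def allow(self, key, now_ms):
        tokens, last = self.state.get(key, (self.burst, now_ms))
        tokens = min(self.burst, tokens + (now_ms - last) * self.rate / 1000)
        ok = tokens >= 1
        if ok:
            tokens -= 1
        self.state[key] = (tokens, now_ms)
        return ok

def simulate(per_port_block):
    """Constructed load: three subscribers behind one CGN address each send
    20 queries spread evenly over one second. Returns dropped queries per subscriber."""
    bucket = TokenBucket(rate=20, burst=20)  # policy: 20 q/s, burst of 20, per key
    subscribers = [3000, 5000, 7000]  # one constructed source port per subscriber block
    dropped = defaultdict(int)
    for i in range(20):
        now_ms = i * 50
        for port in subscribers:
            key = client_key("100.64.1.1", port + i, per_port_block)
            if not bucket.allow(key, now_ms):
                dropped[port] += 1
    return dict(dropped)

if __name__ == "__main__":
    print("per-IP limiting:", simulate(False))          # -> {5000: 10, 7000: 11}
    print("per-port-block limiting:", simulate(True))   # -> {}
```

With plain per-IP keying two of the three subscribers lose half their queries even though none exceeds the policy on its own; keyed by port block, nobody is dropped.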


