Wildcards in reverse DNS

Clenna Lumina savagebeaste at yahoo.com
Fri Jan 5 19:24:06 UTC 2007


Edward Lewis wrote:
> At 0:24 +1100 1/6/07, Mark Andrews wrote:
>
>> NAT is broken by design.  It depends upon there being a unique
>> identifier in the upper layer protocols to demux the incoming
>> data stream.  No such identifier exists for *all* protocols that
>> run on top of IPv4.
>
> I don't really agree with that.  Many protocols were built without
> unique identifiers, such as DNS, assuming they could rely on IP
> addresses and port numbers.

I'm just curious, what sort of problems does DNS have behind NAT in your 
experience? I'm running Bind 9 behind a NAT that both manages a couple of 
domains I own and acts as the main DNS server for my tiny network, so 
queries go either way - seeking authoritative answers for the domains I 
own, and the other way seeking google.com, etc. - without any problems.

I simply wasn't aware people had so much trouble. NAT32e seems to handle 
NATing very well IMHO. Maybe it's the fact it has the ability to 
preserve port numbers properly for internal servers that separates it 
from many of the broken NATs out there.

In other words, for example, when my DNS server's randomly allocated query 
port (currently 33595) on its local interface (192.168.1.4) sends 
something to the outside, NAT32e will attempt to allocate the same port 
number (if possible) itself (I can clearly see this in its status page, 
that "0.0.0.0:33595" is currently allocated), whereas most would use a 
random port instead. This is probably why I don't really have the kind 
of problems I've seen described in this thread regarding NAT. It seems to 
all come down to *what* NAT you're using.


[...]
>> IPv6 is very compatible with IPv4.  Just about everything
>> that works with IPv4 will work with IPv6 provided the
>> implementations have the socket establishment re-written
>> to be protocol independent.  There are a few exceptions and
>> they usually embed IPv4 addresses in the upper layers.
>
> Provided everything is "re-written" to me indicates that there isn't
> compatibility.  It's like saying any American can travel easily
> through China once you learn Chinese.  (I.e., learning Chinese for an
> American is a lot of work, it can be done but it takes a lot of
> dedication.)
>
> Again, I am not saying IPv6 is bad.  Just don't oversell it.  IPv6
> takes work.  Probably the work will pay off - I can't say for sure
> myself.  The fact is that the Internet needs more addresses than IPv4
> can offer and IPv6 can fill the void.  But IPv6 still has routing
> issues.  That's why I can only say "probably" pay off.

What I think could be a solution would be to have IPv6 become the main 
protocol, with IPv4 transparently "existing" within it, so to speak, 
for backwards compatibility. I'd imagine no programs that rely on IPv4 
would have to be rewritten.

Say every ISP in the world just switches over to IPv6. Existing Internet 
(IPv4) IPs could be preserved and transported in the IPv6 layer, while 
your "true" internet address becomes an IPv6 address. The IPv4 would 
then exist inside of IPv6, in sort of the way an IP packet exists inside 
of an Ethernet packet - each level (Ethernet, IP) has its own 
respective set of Src and Dest addresses. I see no reason why it 
wouldn't be possible to encapsulate IPv4 inside of IPv6 packets in the 
same manner.

In fact, I'm actually surprised the designers of IPv6 didn't do this. 
(Well, if they actually did, then I apologize, though I can find no info 
on that.) 
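The IPv4-inside-IPv6 encapsulation the post describes, as an added Python example that is not part of the original thread: it builds an IPv4 packet, carries it as the payload of an IPv6 header whose Next Header value 4 denotes an encapsulated IPv4 packet (the IPv6 tunnelling mechanism specified in RFC 2473), then unwraps it and verifies the inner header checksum. The addresses and the payload are constructed sample values.

```python
import struct
import ipaddress

IPV6_NEXT_HEADER_IPV4 = 4   # Next Header value for an IPv4 packet carried inside IPv6 (RFC 2473)
IPPROTO_UDP = 17

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a header with a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, proto: int = IPPROTO_UDP) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with checksum, followed by the payload."""
    # version/IHL, DSCP/ECN, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill in the checksum field
    return hdr + payload

def encapsulate_4in6(src6: str, dst6: str, ipv4_packet: bytes, hop_limit: int = 64) -> bytes:
    """Carry a whole IPv4 packet as the payload of an IPv6 header, like IP inside an Ethernet frame."""
    # first 32 bits: version 6, traffic class 0, flow label 0; then payload length, next header, hop limit
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(ipv4_packet), IPV6_NEXT_HEADER_IPV4, hop_limit,
                      ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed)
    return hdr + ipv4_packet

def decapsulate_4in6(packet: bytes) -> dict:
    """Strip the outer IPv6 header, validate the inner IPv4 header, return both address pairs."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _, payload_len, next_hdr, _, src6, dst6 = struct.unpack("!IHBB16s16s", packet[:40])
    if next_hdr != IPV6_NEXT_HEADER_IPV4:
        raise ValueError(f"next header {next_hdr} is not an encapsulated IPv4 packet")
    inner = packet[40:40 + payload_len]
    ihl = (inner[0] & 0x0F) * 4 if inner else 0  # inner header length in bytes
    if len(inner) < 20 or inner[0] >> 4 != 4 or ipv4_checksum(inner[:ihl]) != 0:
        raise ValueError("inner packet is not a valid IPv4 packet")
    return {"outer_src": str(ipaddress.IPv6Address(src6)), "outer_dst": str(ipaddress.IPv6Address(dst6)),
            "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20])), "payload": inner[ihl:]}

if __name__ == "__main__":   # constructed sample: the post's resolver at 192.168.1.4, documentation addresses elsewhere
    pkt4 = build_ipv4("192.168.1.4", "203.0.113.53", b"dns query")
    print(decapsulate_4in6(encapsulate_4in6("2001:db8::4", "2001:db8::53", pkt4)))
```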
