Wildcards in reverse DNS
savagebeaste at yahoo.com
Fri Jan 5 19:24:06 UTC 2007
Edward Lewis wrote:
> At 0:24 +1100 1/6/07, Mark Andrews wrote:
>> NAT is broken by design. It depends upon there being a unique
>> identifier in the upper layer protocols to demux the incoming
>> data stream. No such identifier exists for *all* protocols that
>> run on top of IPv4.
> I don't really agree with that. Many protocols were built without
> unique identifiers, such as DNS, assuming they could rely on IP
> addresses and port numbers.
I'm just curious, what sort of problems does DNS have behind NAT in your
experience? I'm running Bind 9 behind a NAT that both manages a couple of
domains I own and acts as the main DNS server for my tiny network, thus
queries going either way - seeking authoritative answers for the domains I
own, and the other way seeking google.com, etc. - without any problems.
I just wasn't aware people had so much trouble. NAT32e seems to handle
NATing very well IMHO. Maybe it's the fact that it has the ability to
preserve port numbers properly for internal servers that separates it
from many of the broken NATs out there.
In other words, for example, when my DNS server's randomly allocated query
port (currently 33595) on its local interface (192.168.1.4) sends
something to the outside, NAT32e will attempt to allocate the same port
number (if possible) itself (I can clearly see this in its status page,
that "0.0.0.0:33595" is currently allocated), whereas most would use a
random port instead. This is probably why I don't really have the kind
of problems I've seen described in this thread regarding NAT. It seems to
all come down to *what* NAT you're using.
>> IPv6 is very compatible with IPv4. Just about everything
>> that works with IPv4 will work with IPv6 provided the
>> implementations have the socket establishment re-written
>> to be protocol independent. There are a few exceptions and
>> they usually embed IPv4 addresses in the upper layers.
> Provided everything is "re-written" to me indicates that there isn't
> compatibility. It's like saying any American can travel easily
> through China once you learn Chinese. (I.e., learning Chinese for an
> American is a lot of work, it can be done but it takes a lot of
> Again, I am not saying IPv6 is bad. Just don't over sell it. IPv6
> takes work. Probably the work will pay off - I can't say for sure
> myself. The fact is that the Internet needs more addresses than IPv4
> can offer and IPv6 can fill the void. But IPv6 still has routing
> issues. That's why I can only say "probably" pay off.
What I think could be a solution would be to have IPv6 become the main
protocol, with IPv4 transparently "existing" within it, so to speak,
for backwards compatibility; I'd imagine no programs that rely on IPv4
would have to be rewritten.
Say every ISP in the world just switches over to IPv6. Existing Internet
(IPv4) IPs could be preserved and transported in the IPv6 layer, while
your "true" internet address becomes an IPv6 address. The IPv4 would
then exist inside of IPv6, in sort of the way an IP packet exists inside
of an Ethernet packet - each level (Ethernet, IP) has its own
respective set of Src and Dest addresses. I see no reason why this
wouldn't be possible to encapsulate IPv4 inside of IPv6 packets in the
In fact, I'm actually surprised the designers of IPv6 didn't do this.
(Well, if they actually did, then I apologize, though I can find no info
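Added example, not code from this mailing-list post or from BIND. It illustrates the two points above in working Python: Mark Andrews's remark that socket code must be written to be protocol independent, and the idea of IPv4 addresses "existing within" IPv6. A server that listens on one AF_INET6 socket (with IPV6_V6ONLY off) sees IPv4 peers as IPv4-mapped IPv6 addresses of the form ::ffff:a.b.c.d (RFC 4291). The defender's concern is the ACL that follows: an allow-list written against IPv4 prefixes and compared against the raw socket address never matches a mapped peer, so the check silently fails. The `normalize`, `describe_peer`, `naive_allowed` and `allowed` functions and the sample addresses (documentation prefixes) are all constructed for this example.

```python
"""Handle IPv4 peers on a dual-stack (IPv6) socket without breaking IPv4 ACLs.

Assumes a server listening on a single AF_INET6 socket with IPV6_V6ONLY
disabled, so IPv4 peers appear as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d).
All addresses used below are constructed examples.
"""
import ipaddress
import socket


def normalize(addr):
    """Return the address the peer really speaks from: unwrap ::ffff:a.b.c.d
    to a.b.c.d; leave native IPv4 and native IPv6 addresses untouched."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def describe_peer(addr):
    """Contrast the address family the socket layer reports with the
    protocol the peer is actually using, as a small dict."""
    raw = ipaddress.ip_address(addr)
    real = normalize(addr)
    family = socket.AF_INET6 if raw.version == 6 else socket.AF_INET
    return {
        "socket_family": family.name,
        "peer_protocol": "IPv%d" % real.version,
        "address": str(real),
    }


def naive_allowed(addr, allowed_cidrs):
    """The common mistake: match the raw socket address against the ACL.
    A mapped IPv4 peer is an IPv6Address, so it never falls inside an
    IPv4 prefix and the allow-list rejects legitimate IPv4 clients."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in allowed_cidrs)


def allowed(addr, allowed_cidrs):
    """Normalize first, then match; correct for native IPv4, mapped IPv4
    and native IPv6 peers alike."""
    ip = normalize(addr)
    return any(ip in ipaddress.ip_network(c) for c in allowed_cidrs)


if __name__ == "__main__":
    acl = ["192.168.1.0/24", "2001:db8::/32"]  # constructed allow-list
    for peer in ("192.168.1.4", "::ffff:192.168.1.4",
                 "::ffff:203.0.113.7", "2001:db8::53"):
        print(peer, describe_peer(peer),
              "naive:", naive_allowed(peer, acl),
              "fixed:", allowed(peer, acl))
```

The same normalization matters for deny-lists and for any "is this loopback / is this my own prefix" test: a raw ::ffff:127.0.0.1 is not recognized as loopback by code that only knows 127.0.0.0/8, which is the mirror image of the allow-list failure shown here.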
More information about the bind-users