Risks of patched servers behind de-randomizing NAT

Mark Andrews Mark_Andrews at isc.org
Fri Aug 1 07:00:12 UTC 2008


> David Carmean writes:
> > I seem to have lost a message where somebody from ISC (Paul?) was going to
> > release an updated/new advisory regarding the source-port de-randomizing
> > effects that many NAT implementations will have upon patched servers.  
> 
> But why would someone put a DNS server behind a NAT? It's a bit nonsensical...

	There are lots of reasons to put a recursive server behind
	a NAT.  It's something that just "should work" and does if
	you aren't trying to introduce entropy by randomising ports.

	Note: Not all NATs have bad behaviours in this respect.  Some try
	to preserve the internal port.

	Mark
	
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
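The point Mark makes above, as an added worked example that is not part of the thread and not ISC's or any vendor's code: a patched resolver picks an independent random source port per query, but what an off-path attacker sees is whatever the NAT puts on the outside. The script below pushes a simulated resolver's ports through three model NATs (one that preserves the internal port, one that allocates external ports sequentially, one that draws from a small pool) and scores the outside view. The NAT models, the 16-port "predictable" window and the 4096-port spread threshold are illustrative assumptions chosen for this example.

```python
"""
Added example (not from the mailing-list thread): simulate a patched resolver
that chooses a random source port for every query, push those ports through
three model NATs, and score what an off-path attacker observes outside.
The NAT behaviours and scoring thresholds are illustrative assumptions.
"""
import random

EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535


def resolver_ports(n, seed=1):
    """Patched resolver: an independent random source port for each query."""
    rng = random.Random(seed)
    return [rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH) for _ in range(n)]


def nat_preserving(ports):
    """Port-preserving NAT: the external port equals the internal port
    (single inside host in this model, so there are no collisions)."""
    return list(ports)


def nat_sequential(ports, start=1024):
    """De-randomizing NAT: hands out external ports in order, ignoring
    whatever port the resolver chose internally."""
    return [start + i for i in range(len(ports))]


def nat_small_pool(ports, start=1024, size=256, seed=7):
    """Weak NAT: picks external ports randomly, but only from a small pool
    (assumed model), so the attacker's search space stays tiny."""
    rng = random.Random(seed)
    return [start + rng.randrange(size) for _ in ports]


def score(observed, window=16, min_spread=4096):
    """Summarise the outside view of a sequence of source ports.

    'predictable' is the fraction of queries whose port lies within `window`
    above the previous one (what a sequential allocator produces);
    'spread' is the number of ports an attacker would have to cover.
    The thresholds are assumptions for this example, not a standard.
    """
    spread = max(observed) - min(observed) + 1
    close = sum(1 for a, b in zip(observed, observed[1:]) if 0 < b - a <= window)
    predictable = close / (len(observed) - 1)
    if predictable > 0.5 or spread < min_spread:
        verdict = "de-randomized"
    else:
        verdict = "randomized"
    return {"spread": spread, "predictable": predictable, "verdict": verdict}


if __name__ == "__main__":
    inside = resolver_ports(200)
    for name, nat in (("port-preserving", nat_preserving),
                      ("sequential", nat_sequential),
                      ("small-pool", nat_small_pool)):
        print(f"{name:16s} {score(nat(inside))}")
```

The sequential model scores as fully predictable with a spread of only 200 ports, and the small-pool model as a spread of at most 256, both collapsing the ~64k-port search space the resolver's patch was meant to provide; only the port-preserving NAT leaves the randomisation intact. Against a real deployment the equivalent check is to capture the resolver's outbound queries on the public side of the NAT and feed the observed source ports to the same scoring.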


More information about the bind-users mailing list