Defense against a client?

Barry Margolin barmar at alum.mit.edu
Mon Jan 16 19:51:18 UTC 2012


In article <mailman.880.1326731999.68562.bind-users at lists.isc.org>,
 Chuck Anderson <cra at WPI.EDU> wrote:

> On Mon, Jan 16, 2012 at 03:41:15PM +0000, Florian Weimer wrote:
> > * Chuck Anderson:
> > 
> > > Unfortunately, these sorts of per-IP limiting are going to become more
> > > and more inappropriate with the likes of Carrier Grade NATs, since
> > > there will be many subscribers sharing a single public IP address.
> > > You may end up causing performance problems for legitimate traffic.
> > 
> > Fortunately, this is not that relevant because it's not really feasible
> > to run largish DNS resolvers behind port-based NAT anyway (in part due
> > to source port randomization). 8-)
> 
> You miss the point.  The DNS server, not behind a NAT, will end up
> rate-limiting or blocking clients who ARE behind NATs.

DNS queries don't come directly from clients, they come from caching
servers, aka resolvers.  It's those caching servers that shouldn't be
behind NATs.

-- 
Barry Margolin
Arlington, MA
