Adding DNS ALG support to Bind?

Dave Warren davew at
Tue Nov 3 02:48:36 UTC 2015

On 2015-11-02 15:03, Carl Byington wrote:
> On Fri, 2015-10-30 at 12:38 -0400, Bill wrote:
>> What I would like to do is to have the ability to query a DNS server
>> located behind a NAT, and have it return the IP of the NAT, and set up
>> connection tracking in the NAT to pass traffic through to the host behind
>> the NAT.
> I think that is a bad idea, even if you can get it implemented and
> working.
> If I know the names of your hosts (they will eventually be found via
> google or other searches), then I can remotely reconfigure your NAT
> device to allow my attack traffic thru - and all it takes is a simple
> UDP query to your dns server.

And? NAT != firewall. Your firewall would still need to be configured to 
permit such a connection, and presumably your NAT environment would need 
to be configured to allow it as well.

If that's not desired, one would probably not enable this functionality.

Dave Warren
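The two positions above can be made concrete with a small model of such a DNS ALG. This is an added illustration, not BIND code and not anything either poster wrote: it assumes a NAT with one public address (203.0.113.10), a static map of names to internal hosts, and a separate firewall rule list that the ALG consults before installing a connection-tracking entry. With an allow-all rule list it behaves as Carl describes (any UDP query opens a hole); with a restrictive rule list it behaves as Dave describes (the answer is still returned, but no state is created unless the firewall already permits the source).

```python
"""Hypothetical DNS ALG model (added example; not from the thread or BIND).

Assumptions, all constructed for illustration:
  - one NAT public address, NAT_PUBLIC_IP
  - a static name -> internal host map, INTERNAL_HOSTS
  - a firewall policy of (source network, internal IP or "*") pairs
    that is consulted before any pinhole is installed
"""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data (RFC 5737 documentation ranges and RFC 1918 space).
NAT_PUBLIC_IP = "203.0.113.10"
INTERNAL_HOSTS: Dict[str, str] = {
    "www.example.com.": "192.168.1.20",
    "mail.example.com.": "192.168.1.25",
}


@dataclass
class Pinhole:
    """A connection-tracking entry the ALG installs on the NAT."""
    src_ip: str
    internal_ip: str
    expires_at: float


@dataclass
class DnsAlg:
    # Firewall policy: (source network in CIDR, internal host IP or "*").
    firewall_rules: List[Tuple[str, str]]
    ttl_seconds: float = 60.0
    pinholes: List[Pinhole] = field(default_factory=list)

    def firewall_permits(self, src_ip: str, internal_ip: str) -> bool:
        """True if some rule allows src_ip to reach internal_ip."""
        src = ipaddress.ip_address(src_ip)
        for net, host in self.firewall_rules:
            if src in ipaddress.ip_network(net) and host in ("*", internal_ip):
                return True
        return False

    def expire(self, now: float) -> None:
        """Drop pinholes whose lifetime has passed."""
        self.pinholes = [p for p in self.pinholes if p.expires_at > now]

    def handle_query(self, qname: str, src_ip: str,
                     now: Optional[float] = None) -> Tuple[Optional[str], bool]:
        """Answer a query from src_ip for qname.

        Returns (answer_ip, pinhole_created). Unknown names get (None, False),
        standing in for NXDOMAIN. Known names are always answered with the NAT
        address; a pinhole is installed only if the firewall policy permits it.
        """
        now = time.time() if now is None else now
        self.expire(now)
        internal_ip = INTERNAL_HOSTS.get(qname.lower())
        if internal_ip is None:
            return None, False
        if not self.firewall_permits(src_ip, internal_ip):
            return NAT_PUBLIC_IP, False  # answer given, no state on the NAT
        self.pinholes.append(Pinhole(src_ip, internal_ip, now + self.ttl_seconds))
        return NAT_PUBLIC_IP, True

    def forward(self, src_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Internal host that inbound traffic from src_ip would be passed to,
        or None if no live pinhole exists for that source."""
        now = time.time() if now is None else now
        self.expire(now)
        for p in self.pinholes:
            if p.src_ip == src_ip:
                return p.internal_ip
        return None


if __name__ == "__main__":
    # Restrictive firewall: only 192.0.2.0/24 may reach internal hosts.
    strict = DnsAlg(firewall_rules=[("192.0.2.0/24", "*")])
    print(strict.handle_query("www.example.com.", "198.51.100.7", now=0.0))
    print(strict.forward("198.51.100.7", now=0.0))
    # Allow-all policy: the scenario where a lone query opens the NAT.
    open_alg = DnsAlg(firewall_rules=[("0.0.0.0/0", "*")])
    print(open_alg.handle_query("www.example.com.", "198.51.100.7", now=0.0))
    print(open_alg.forward("198.51.100.7", now=1.0))
```

The model keys pinholes on the querying source address only, which is the most an ALG can learn from an A query; a real implementation would also need a port and protocol, and the expiry shows why such state must be short-lived.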

More information about the bind-users mailing list