Re: increasing DNS message entropy, a solution for NATs
On Thu, Jul 31, 2008 at 10:21:50AM +0100, Ray.Bellis@nominet.org.uk wrote:
> > Ok, so problem solved as far as I can see, someone just needs to tell
> > hardware companies to fix NAT + DNS and that's that.[/color]
> Actually there's stacks of other stuff that the router manufacturers need
> to fix relating to DNS, particularly w.r.t the DNS proxies contained in
> most CPE:
> - tcp/53 support - currently almost non-existent
> - DNSSEC support - some mfrs block DNSSEC queries
> - EDNS0 - many DNS proxies can't do UDP fragment reassembly
> - open udp/53 ports on the WAN interface
> - probable "poor" PRNGs for port and QID selection (c.f. Ben's blog
> There's going to be a report published fairly soon containing the results
> of a joint study between myself and a US-based researcher detailing which
> routers have various deficiencies.
as long as you're going to point fingers, jumbograms in general
get the short shrift. 4k UDP... 9k large frame... don't fit
nicely in a SoHo device.
Make sure you use/refer to David Piscatello's excellent study of
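The "poor PRNGs for port and QID selection" item above is the one a resolver operator can measure from their own side. The following is an added example, not code from this thread or from either of the posters: it takes a list of (source port, QID) pairs observed from a CPE proxy or NAT (constructed here with a hypothetical counter-based allocator and a seeded random one) and reports the per-field entropy estimate together with a check for a constant stride, which catches the case where every value is distinct yet fully predictable.

```python
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Empirical Shannon entropy of a sample in bits.
    Note: this estimate can never exceed log2(len(values)); a small capture
    cannot prove more than that many bits, it can only disprove them."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def predictable_stride(values, threshold=0.9):
    """True when one constant step (mod 2^16) explains most consecutive
    differences: step 0 is a fixed port/QID, step 1 (or any fixed increment)
    is a counter. Both show high sample entropy but zero unpredictability."""
    if len(values) < 2:
        return True  # no evidence of randomness at all
    diffs = Counter((b - a) & 0xFFFF for a, b in zip(values, values[1:]))
    return diffs.most_common(1)[0][1] / (len(values) - 1) >= threshold


def assess(observations):
    """observations: list of (source_port, qid) pairs as seen at the resolver."""
    ports = [p for p, _ in observations]
    qids = [q for _, q in observations]
    return {
        "sample_cap_bits": math.log2(len(observations)),
        "port_bits": shannon_entropy_bits(ports),
        "qid_bits": shannon_entropy_bits(qids),
        "port_predictable": predictable_stride(ports),
        "qid_predictable": predictable_stride(qids),
    }


def weak_observation(n=2048):
    """Constructed: a NAT handing out ports sequentially in front of a stub
    whose QID is a 16-bit counter (hypothetical device, not a named product)."""
    return [(1024 + i, (0x1234 + i) & 0xFFFF) for i in range(n)]


def strong_observation(n=2048, seed=1234):
    """Constructed: port and QID both drawn from a seeded PRNG per query."""
    rng = random.Random(seed)
    return [(rng.randrange(1024, 65536), rng.randrange(0, 65536)) for _ in range(n)]


if __name__ == "__main__":
    for name, obs in (("weak", weak_observation()), ("strong", strong_observation())):
        print(name, assess(obs))
```

The weak capture scores the full 11 bits of sample entropy on both fields while both stride flags are set, which is why a bare entropy figure is not a sufficient acceptance test for a proxy's port/QID selection.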