On Thu, Jul 31, 2008 at 10:21:50AM +0100, Ray.Bellis@nominet.org.uk wrote:
> > Ok, so problem solved as far as I can see, someone just needs to tell
> > hardware companies to fix NAT + DNS and that's that.

>
> Actually there's stacks of other stuff that the router manufacturers need
> to fix relating to DNS, particularly w.r.t the DNS proxies contained in
> most CPE:
>
> - tcp/53 support - currently almost non-existent
> - DNSSEC support - some mfrs block DNSSEC queries
> - EDNS0 - many DNS proxies can't do UDP fragment reassembly
> - open udp/53 ports on the WAN interface
> - probable "poor" PRNGs for port and QID selection (c.f. Ben's blog
> article)
>
> There's going to be a report published fairly soon containing the results
> of a joint study between myself and a US-based researcher detailing which
> routers have various deficiencies.
>
> Ray
>


As long as you're going to point fingers, jumbograms in general
get the short shrift. 4k UDP... 9k large frame... don't fit
nicely in a SoHo device.

Make sure you use/refer to David Piscatello's excellent study of
firewalls.


--bill


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: