David Carmean wrote:
> I seem to have lost a message where somebody from ISC (Paul?) was going to
> release an updated/new advisory regarding the source-port de-randomizing
> effects of many NAT implementations will have upon patched servers.

I don't know what Paul (or whoever) was going to say, but I'll say the
following:

If I can get your nameserver to resolve a specific query (consider, as
Evan said earlier, an e-mail with a link in it that someone in your
organization might click on), and that query is from a device that shows
up on the Internet as a resolver with non-random source ports, I may
very well be able to poison your cache.

Consider that there are other ways to force "internal" servers to do
predictable outbound queries (think about the SMTP protocol for a moment)...

Randomize the port numbers.

Please.

AlanC