> Can we get a reading from Those Who Know about how likely it is that
> BadGuys can trick a client inside such a firewall to facilitate an attack
> against an internal recursive server (said server can query through the
> firewall).


Hey, all you guys inside the firewall--you should totally click on this
hilarious URL! http://www.evilwebpage.tld

It's pretty much that easy. Someone clicks, queries go out, answers
come back--and some of the answers are going to be poisoned.

A NAT router that obscures unpredictable source ports and reassigns
them to predictable ones is eliminating the best defense we have.

--
Evan Hunt -- evan_hunt@isc.org
Internet Systems Consortium, Inc.
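
The port de-randomization described in the reply can be checked from the outside of the NAT device. The following is an added example, not part of the original message: it rates captured query source ports for predictability. The function name, the thresholds and the sample ports are constructed for illustration.

```python
import statistics

# Illustrative thresholds (assumptions, not taken from any standard tool).
POOR_STDEV, FAIR_STDEV, MAX_STEP = 500, 5000, 16

def assess_source_ports(ports):
    """Rate the predictability of DNS query source ports seen outside a NAT.

    ports: UDP source ports of consecutive outbound queries, in capture order,
    recorded on the external side of the NAT device.
    """
    if len(ports) < 10:
        raise ValueError("need at least 10 samples for a meaningful rating")
    # Port movement between consecutive queries, modulo the 16-bit port space.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    # Share of queries that reused the port or stepped forward slightly:
    # the signature of a NAT allocating ports sequentially.
    sequential = sum(1 for d in deltas if d <= MAX_STEP) / len(deltas)
    stdev = statistics.pstdev(ports)
    if sequential >= 0.8 or stdev < POOR_STDEV:
        verdict = "POOR"
    elif stdev < FAIR_STDEV:
        verdict = "FAIR"
    else:
        verdict = "GOOD"
    return {"verdict": verdict, "sequential": sequential, "stdev": round(stdev, 1)}

# Constructed samples: the same resolver observed without and with port rewriting.
RANDOMIZED = [51234, 10422, 33871, 61002, 2755, 47190,
              19844, 58311, 8120, 40667, 27503, 64999]
REWRITTEN_BY_NAT = list(range(1024, 1036))

if __name__ == "__main__":
    for label, sample in (("randomized", RANDOMIZED), ("behind NAT", REWRITTEN_BY_NAT)):
        print(label, assess_source_ports(sample))
```

A POOR rating on the external capture, when the resolver itself randomizes ports, points at the NAT device as the component rewriting them.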