Re: Risks of patched servers behind de-randomizing NAT
> David Carmean writes:
> > I seem to have lost a message where somebody from ISC (Paul?) was going to
> > release an updated/new advisory regarding the source-port de-randomizing
> > effects that many NAT implementations will have upon patched servers.
> But why would someone put a DNS server behind a NAT? It's a bit nonsensical...
There are lots of reasons to put a recursive server behind
a NAT. It's something that just "should work" and does if
you aren't trying to introduce entropy by randomising ports.
Note: not all NATs have bad behaviours in this respect. Some try
to preserve the internal port.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
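
An added example, not part of the original post or ISC code: one way to check which behaviour a given NAT shows, by comparing the source port each query left the resolver with to the port seen outside the NAT. The function names, thresholds and sample port lists are assumptions constructed for illustration, as is the idea of matching queries across two captures.

```python
# Added example: classify how a NAT treats a resolver's randomized source ports.
# Input pairs are (port_inside, port_outside) for the same query, e.g. matched
# by query ID and name across two captures (an assumption of this sketch).
import random

def classify_nat(pairs, step=16):
    """Return a label for the NAT's source-port handling."""
    if len(pairs) < 2:
        raise ValueError("need at least two observed queries")
    outside = [out for _, out in pairs]
    # Port preserved: the resolver's own randomization survives the NAT.
    kept = sum(1 for inside, out in pairs if inside == out) / len(pairs)
    if kept >= 0.9:
        return "port-preserving"
    # Small positive steps between successive outside ports: next port is guessable.
    deltas = [(b - a) % 65536 for a, b in zip(outside, outside[1:])]
    stepped = sum(1 for d in deltas if 0 < d <= step) / len(deltas)
    if stepped >= 0.9:
        return "sequential"
    # Few distinct outside ports: the search space collapses to the pool size.
    if len(set(outside)) <= len(outside) // 4:
        return "small-pool"
    return "rewritten-unpatterned"

def sample_observations(n=40):
    """Constructed sample data: one resolver, four hypothetical NAT behaviours."""
    inside = random.Random(1).sample(range(1024, 65536), n)
    pool = [30000, 41000, 52000, 63000]
    return {
        "preserve": list(zip(inside, inside)),
        "sequential": [(p, 20000 + k) for k, p in enumerate(inside)],
        "pool": [(p, pool[k % len(pool)]) for k, p in enumerate(inside)],
        "random": list(zip(inside, random.Random(2).sample(range(1024, 65536), n))),
    }

if __name__ == "__main__":
    for name, pairs in sample_observations().items():
        print(f"{name:10s} -> {classify_nat(pairs)}")
```

Only "port-preserving" shows the resolver's randomization surviving the NAT; "sequential" and "small-pool" are the de-randomizing cases, and "rewritten-unpatterned" means this simple test found no pattern, not that the rewritten ports are well randomized.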