In message <barmar-8f6f85.14511816012...@news.eternal-september.org>, Barry Margolin writes:
> In article <mailman.880.1326731999.68562.bind-us...@lists.isc.org>,
> Chuck Anderson <c...@wpi.edu> wrote:
>
> > On Mon, Jan 16, 2012 at 03:41:15PM +0000, Florian Weimer wrote:
> > > * Chuck Anderson:
> > >
> > > > Unfortunately, these sorts of per-IP limiting are going to become more
> > > > and more inappropriate with the likes of Carrier Grade NATs, since
> > > > there will be many subscribers sharing a single public IP address.
> > > > You may end up causing performance problems for legitimate traffic.
> > >
> > > Fortunately, this is not that relevant because it's not really feasible
> > > to run largish DNS resolvers behind port-based NAT anyway (in part due
> > > to source port randomization). 8-)
> >
> > You miss the point. The DNS server, not behind a NAT, will end up
> > rate-limiting or blocking clients who ARE behind NATs.
>
> DNS queries don't come directly from clients, they come from caching
> servers, aka resolvers. It's those caching servers that shouldn't be
> behind NATs.

Which will more and more be behind CGN especially as DNSSEC take up increases.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org