Mark Andrews <ma...@isc.org> wrote:
>
>In message <barmar-8f6f85.14511816012...@news.eternal-september.org>,
>Barry Margolin writes:
>> In article <mailman.880.1326731999.68562.bind-us...@lists.isc.org>,
>> Chuck Anderson <c...@wpi.edu> wrote:
>>
>> > On Mon, Jan 16, 2012 at 03:41:15PM +0000, Florian Weimer wrote:
>> > > * Chuck Anderson:
>> > >
>> > > > Unfortunately, these sorts of per-IP limiting are going to become more
>> > > > and more inappropriate with the likes of Carrier Grade NATs, since
>> > > > there will be many subscribers sharing a single public IP address.
>> > > > You may end up causing performance problems for legitimate traffic.
>> > >
>> > > Fortunately, this is not that relevant because it's not really feasible
>> > > to run largish DNS resolvers behind port-based NAT anyway (in part due
>> > > to source port randomization). 8-)
>> >
>> > You miss the point. The DNS server, not behind a NAT, will end up
>> > rate-limiting or blocking clients who ARE behind NATs.
>>
>> DNS queries don't come directly from clients, they come from caching
>> servers, aka resolvers. It's those caching servers that shouldn't be
>> behind NATs.
>
>Which will more and more be behind CGN especially as DNSSEC take up
>increases.
>
>Mark
>--
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

If one sets up an infrastructure such that a large number of end users
"share the same fate" through having the same source address... then one
should not be surprised when these end users actually do share the same
fate...

-DMM
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users