> * Chuck Anderson:
> > Unfortunately, these sorts of per-IP limiting are going to become more
> > and more inappropriate with the likes of Carrier Grade NATs, since
> > there will be many subscribers sharing a single public IP address.
> > You may end up causing performance problems for legitimate traffic.

On Mon, Jan 16, 2012 at 03:41:15PM +0000, Florian Weimer wrote:
> Fortunately, this is not that relevant because it's not really feasible
> to run largish DNS resolvers behind port-based NAT anyway (in part due
> to source port randomization). 8-)

In article <mailman.880.1326731999.68562.bind-us...@lists.isc.org>,
Chuck Anderson <c...@wpi.edu> wrote:
> You miss the point.  The DNS server, not behind a NAT, will end up
> rate-limiting or blocking clients who ARE behind NATs.

On 16.01.12 14:51, Barry Margolin wrote:
> DNS queries don't come directly from clients, they come from caching
> servers, aka resolvers.  It's those caching servers that shouldn't be
> behind NATs.

But clients send DNS queries to those caching servers (or their caching resolvers) directly, which apparently is what Chuck wanted to say.

If there are more clients behind NAT, you can only block all of them on your server... you should not block your own clients.

You could of course play with port ranges; we may assume that if they are your clients, you could know how the NAT is working...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
The early bird may get the worm, but the second mouse gets the cheese.
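As an added illustration of the failure mode discussed in this thread (example code, not from any of the posters or from BIND): a per-IP token bucket throttles every subscriber behind a shared CGN address together, while keying on the NAT's per-subscriber port block, as Matus suggests, keeps them apart. The NAT address 203.0.113.5, the traffic pattern and the 1024-port block size are constructed assumptions.

```python
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: refills `rate` tokens/sec, holds at most `capacity`."""

    def __init__(self, rate, capacity, now=0.0):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, now

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class QueryLimiter:
    """Per-key limiter; key_fn maps (src_ip, src_port) to the bucket key."""

    def __init__(self, rate, capacity, key_fn):
        self.key_fn = key_fn
        self.buckets = defaultdict(lambda: TokenBucket(rate, capacity))

    def allow(self, src_ip, src_port, now):
        return self.buckets[self.key_fn(src_ip, src_port)].allow(now)


def by_ip(ip, port):
    # Plain per-IP limiting: every subscriber behind the CGN shares one bucket.
    return ip


def by_port_block(block_size):
    # Hypothetical assumption: the CGN gives each subscriber a contiguous range
    # of block_size source ports, so (ip, port block) identifies one subscriber.
    return lambda ip, port: (ip, port // block_size)


def simulate(key_fn, rate=10.0, capacity=10):
    """Constructed traffic behind NAT address 203.0.113.5 (documentation range):
    subscriber A (ports 1024-2047) bursts 30 queries, then subscriber B
    (ports 2048-3071) sends 5, all within the same instant.
    Returns (queries allowed from A, queries allowed from B)."""
    lim = QueryLimiter(rate, capacity, key_fn)
    a = sum(lim.allow("203.0.113.5", 1024 + i, 0.0) for i in range(30))
    b = sum(lim.allow("203.0.113.5", 2048 + i, 0.0) for i in range(5))
    return a, b
```

With `by_ip`, B's five legitimate queries are all dropped because A drained the shared bucket; with `by_port_block(1024)`, B is unaffected.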
