[dns-operations] DNS prefetching, DLV and cheap NAT router state table overflow
Paul Vixie
vixie at isc.org
Sat Oct 2 04:13:16 UTC 2010
> From: Florian Weimer <fw at deneb.enyo.de>
> Date: Fri, 01 Oct 2010 10:23:03 +0200
>
> > This seems to make matters worse because XYZ generates more UDP
> > flows as a result. (If Unbound aborts the query, the corresponding
> > state does not magically disappear from the NAT device.)
>
> Eh, sorry, I think I understand now. I've bumped the timeout way up
> (in order to prevent this process from kicking in), but that doesn't
> seem to help. I've also set num-queries-per-thread to 10 (I'm running
> just one thread). Of course, this opens another DoS vector. 8-/
i wonder if we'll go down a path of crippling innovation in DNS and other
protocols due to the likely presence of NAT in the path, or whether we'll
somehow get the NAT industry to clean up its products (and installed base).
More information about the dns-operations
mailing list