[dns-operations] DNS prefetching, DLV and cheap NAT router state table overflow

Florian Weimer fw at deneb.enyo.de
Sun Oct 3 10:59:57 UTC 2010

* Paul Vixie:

>> Eh, sorry, I think I understand now.  I've bumped the timeout way up
>> (in order to prevent this process from kicking in), but that doesn't
>> seem to help.  I've also set num-queries-per-thread to 10 (I'm running
>> just one thread).  Of course, this opens another DoS vector. 8-/
> i wonder if we'll go down a path of crippling innovation in DNS and other
> protocols due to the likely presence of NAT in the path, or whether we'll
> somehow get the NAT industry to clean up its products (and installed base).

It's called IPv6. 8-)  IPv6 NAT wouldn't require per-flow state.

I wonder if throwing just more RAM into the box would magically fix
this problem.  For now, I'm switching off Unbound's referral path
hardening, which seems to be the major source of infrastructure
queries (second is DLV).