[dns-operations] resolvers considered harmful

Tony Finch dot at dotat.at
Thu Oct 23 09:23:27 UTC 2014


Joe Greco <jgreco at ns.sol.net> wrote:
>
> Assuming that the CPE is a NAT (effectively firewalling clients from
> poisoning attacks) and/or that the individual clients have well-
> designed, impervious resolvers is likely to be a fail.

I was under the impression that a common failure of NATs is that they
sometimes defeat source port randomization, so they can make it easier for
an attacker to poison a cache that is behind a NAT than an exposed cache.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.



More information about the dns-operations mailing list