[dns-operations] resolvers considered harmful
Tony Finch
dot at dotat.at
Thu Oct 23 09:23:27 UTC 2014
Joe Greco <jgreco at ns.sol.net> wrote:
>
> Assuming that the CPE is a NAT (effectively firewalling clients from
> poisoning attacks) and/or that the individual clients have well-
> designed, impervious resolvers is likely to be a fail.
I was under the impression that a common failure of NATs is that they
sometimes defeat source port randomization, so they can make it easier for
an attacker to poison a cache that is behind a NAT than an exposed cache.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.
More information about the dns-operations
mailing list