--On Wednesday, 15 October, 2003 11:58 -0400 Keith Moore
> > Keith Moore wrote:
> > > great. now we'll have NAT boxes intercepting
> > > outgoing DNS traffic also.
> > That was not my point. My point was to have a DNS server in
> > the inside configured for reverse lookup of private IPs.
> one of the most-frequently cited justifications for NAT is
> plug-and-play. expecting people to set up their own DNS
> servers sort of nullifies that.

Keith, two observations...

(1) Yes, I think, and think we are in agreement, that this sort
of thing digs the NAT hole even deeper.

(2) But the typical plug-and-play NAT, at least the ones I have
run across, is preconfigured with the addresses to be used on
the "inside" and contains (or is intimately paired with) a DHCP
server that gives out those addresses. Installing a DNS filter
in the thing that would intercept PTR queries for that address
range, or any 1918 address range, and respond to them in some
"canned" way while passing other DNS queries out to the network
as intended is not rocket science and certainly doesn't violate
any plug-and-play arguments.

Now, whether that interception and diversion of DNS queries is a
moral activity is a different question. But, if you believe
strongly enough that having a NAT in the first place puts one
into a serious state of sin, then the marginal sin of
intercepting DNS queries for private addresses, to prevent the
sort of problems those queries cause, seems to me to be fairly
"where are we going and what are we doing in this handbasket?"
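The PTR filter sketched in observation (2), as an added example that is not part of this thread and not code from any NAT product: it parses the question section of a raw DNS query, checks whether it is a PTR query for an address inside one of the RFC 1918 ranges, and if so synthesizes a "canned" reply locally, otherwise hands the packet back unchanged for normal forwarding. Assumptions not in the message: the canned reply is an authoritative NXDOMAIN (a box could equally return a made-up name), compression pointers are rejected because a question section never needs them, IPv6 reverse names are simply forwarded, and the sample packets are constructed inline with `build_query`, so nothing here touches the network.

```python
import ipaddress
import struct

# RFC 1918 ranges: PTR queries for these are answered locally, everything
# else is passed through to the upstream resolver untouched.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
QTYPE_A = 1
QTYPE_PTR = 12
RCODE_NXDOMAIN = 3  # assumption: NXDOMAIN is the "canned" answer


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype):
    """Build a minimal DNS query (header + one IN question); constructed test input only."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(pkt, offset):
    """Decode an uncompressed wire-format name at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = pkt[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_question(pkt):
    """Return (txid, qname, qtype) from the single question of a query packet."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, end = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[end:end + 4])
    return txid, qname, qtype


def ptr_target(qname):
    """If qname is d.c.b.a.in-addr.arpa, return the IPv4 address it names, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None


def is_private_ptr(qname, qtype):
    """True only for PTR queries whose reverse name falls inside an RFC 1918 range."""
    addr = ptr_target(qname)
    return qtype == QTYPE_PTR and addr is not None and any(addr in n for n in PRIVATE_NETS)


def canned_response(query):
    """Authoritative NXDOMAIN that echoes the transaction id and question of the query."""
    txid, flags, _qdcount = struct.unpack("!HHH", query[:6])
    # QR=1, opcode copied, AA=1, RD copied, RA=1, RCODE=NXDOMAIN
    rflags = 0x8000 | (flags & 0x7800) | 0x0400 | (flags & 0x0100) | 0x0080 | RCODE_NXDOMAIN
    _qname, end = decode_name(query, 12)
    question = query[12:end + 4]
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question


def handle_query(query):
    """('canned', reply) for a private-range PTR query, ('forward', query) for anything else."""
    _txid, qname, qtype = parse_question(query)
    if is_private_ptr(qname, qtype):
        return "canned", canned_response(query)
    return "forward", query


if __name__ == "__main__":
    for name, qtype in [("5.0.0.10.in-addr.arpa", QTYPE_PTR),
                        ("1.2.0.192.in-addr.arpa", QTYPE_PTR),
                        ("www.example.com", QTYPE_A)]:
        action, _pkt = handle_query(build_query(0x1234, name, qtype))
        print(f"{name:28s} -> {action}")
```

The decision is made on the decoded reverse name, not on a string match, so 172.32.1.1 (outside 172.16/12) and a malformed octet such as 300 are both forwarded rather than swallowed; a box that only wants to cover its own configured inside range would replace `PRIVATE_NETS` with that one network.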