On Wed, 15 Oct 2003 10:26:17 EDT, Keith Moore said:
> great. now we'll have NAT boxes intercepting outgoing DNS traffic also.
The really bad part is that they'll on the average do as good a job of intercepting DNS traffic as they do of filtering outbound 1918-sourced packets in general. After all, the root DNS boxes shouldn't ever see a 1918 packet unless (a) some site isn't egress filtering properly *and* (b) their ISP isn't ingress filtering at the edge.

Egress *and* ingress filtering. Belt and suspenders design. Too bad there's so many sites that still manage to leave their fly open anyhow.....