24 Jul
2008
24 Jul
'08
4:45 a.m.
Joe Abley (jabley) writes:
Having just seen some enterprise types spend time patching their nameservers, it's also perhaps worth spelling out that "patch" in this case might require more than upgrading resolver code -- it could also involve reconfigurations, upgrades or replacements of NAT boxes too. If your NAT reassigns source ports in a predictable fashion, then no amount of BIND9 patching is going to help.
Case in point, we've got customers running around in circles screaming "we need to upgrade, please help us upgrade NOW", but they have _3_ layers of routers and firewalls that are hardcoded to only allow DNS queries from port 53.