DNS versus NAT ?

Ronald F. Guilmette rfg at tristatelogic.com
Sat Jun 15 02:10:19 UTC 2019


In message <alpine.DEB.2.20.1906130953120.16652 at grey.csi.cam.ac.uk>, 
Tony Finch <dot at dotat.at> wrote:

>Ronald F. Guilmette via Unbound-users <unbound-users at nlnetlabs.nl> wrote:
>>
>> For the outbound DNS query packets, does the router re-jigger the original
>> source port numbers so that they will (hopefully) not conflict and so that
>> the DNS response packets, when they arrive, can be directed appropriately
>> to one machine or the other?
>
>Yes. The long version is RFC 4787.

Thank you.  I am and will be reading that.

>> And if that is the case, then will my SOHO router catch fire if and when
>> I elect to send out through it a set of 65536 or more separate DNS queries,
>> all in rapid succession?
>
>Almost certainly :-) Even quite big NAT boxes will get indigestion if you
>put a lot of DNS traffic through them.

I didn't know that.  So I learned something today.

> In general it's best to keep
>stateful middleboxes away from DNS servers. In your case you are probably
>better off either setting up a DMZ at home (if they will give you multiple
>IP addresses) or get a colo box for high volume DNS query traffic.

Yes.  Thank you.  The latter is already in progress.

(I am assuming ... perhaps incorrectly... that a -dedicated- box will not
be absolutely necessary, as long as I have a dedicated and non-dynamic IP
address with it.)


Regards,
rfg
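To make the two points above concrete (replies demultiplexed by rewritten source port, and the mapping table filling up under a flood of distinct queries), here is a toy model of a UDP NAPT with RFC 4787 endpoint-independent mapping. It is an added example, not code from the thread or from Unbound; the addresses, the 1024-65535 port pool, and the "never release a mapping" behaviour are assumptions made for illustration.

```python
from typing import Dict, Optional, Tuple

# Constructed for this example: the router's public address and the pool of
# external UDP ports it may hand out (64512 ports, never released here).
EXTERNAL_IP = "203.0.113.1"
PORT_POOL_LOW, PORT_POOL_HIGH = 1024, 65535

Endpoint = Tuple[str, int]


class NaptTable:
    """Toy UDP NAPT with RFC 4787 endpoint-independent mapping: one external
    port per internal (ip, port); the destination is deliberately not part of
    the key, so the same mapping is reused for every nameserver queried."""

    def __init__(self) -> None:
        self.out: Dict[Endpoint, int] = {}   # internal (ip, port) -> external port
        self.back: Dict[int, Endpoint] = {}  # external port -> internal (ip, port)

    def capacity(self) -> int:
        return PORT_POOL_HIGH - PORT_POOL_LOW + 1

    def translate(self, src: Endpoint) -> int:
        """Return the rewritten source port for an outbound query from src,
        allocating a fresh external port when this internal endpoint is new."""
        ext = self.out.get(src)
        if ext is None:
            if len(self.out) >= self.capacity():
                raise RuntimeError("NAPT port pool exhausted")
            ext = PORT_POOL_LOW + len(self.out)   # sequential: nothing is ever freed
            self.out[src] = ext
            self.back[ext] = src
        return ext

    def untranslate(self, ext_port: int) -> Optional[Endpoint]:
        """Route an inbound DNS reply (keyed by its destination port) back to the host."""
        return self.back.get(ext_port)


def demo() -> Tuple[int, int, int]:
    """Two LAN hosts that both chose source port 40000 get distinct external
    ports; then one resolver using a fresh random port per query drains the pool."""
    nat = NaptTable()
    a = nat.translate(("192.168.1.10", 40000))
    b = nat.translate(("192.168.1.11", 40000))
    completed = 2
    for port in range(PORT_POOL_LOW, PORT_POOL_HIGH + 1):   # 64512 distinct ports
        try:
            nat.translate(("192.168.1.12", port))
            completed += 1
        except RuntimeError:
            break                                            # the "catch fire" moment
    return a, b, completed
```

Real boxes time mappings out rather than keeping them forever, but a burst that outruns the timeout behaves exactly like this table.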
