On Wed, 15 Oct 2003 10:26:17 EDT, Keith Moore said:

> great.  now we'll have NAT boxes intercepting outgoing DNS traffic also.

The really bad part is that they'll on the average do as good a job of intercepting
DNS traffic as they do of filtering outbound 1918-sourced packets in general. After
all, the root DNS boxes shouldn't ever see a 1918 packet unless (a) some site isn't
egress filtering properly *and* (b) their ISP isn't ingress filtering at the edge.

Egress *and* ingress filtering.  Belt and suspenders design.  Too bad there are so
many sites that still manage to leave their fly open anyhow.....

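The two-layer argument in the message above, modelled as an added example that is not part of the original post: an RFC 1918-sourced DNS query reaches a root server only when the site's egress filter and the ISP's ingress filter are both missing. The site prefix (198.51.100.0/24), the packet list and all function names are constructed for illustration.

```python
import ipaddress
from itertools import product

# The three RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the site has been assigned this (documentation) prefix.
SITE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed outbound DNS queries as (source address, query name).
PACKETS = [
    ("198.51.100.25", "example.com."),             # correctly translated source
    ("10.1.2.3", "example.org."),                  # never went through NAT
    ("192.168.0.7", "7.0.168.192.in-addr.arpa."),
    ("172.16.9.9", "example.net."),
    ("172.32.0.1", "example.net."),                # not RFC 1918, not the site's either
]

def is_rfc1918(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in RFC1918)

def source_allowed(src, prefixes):
    """Both filters apply the same test: is the source inside the assigned prefixes?"""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in prefixes)

def reaches_root(src, egress_on, ingress_on):
    if egress_on and not source_allowed(src, SITE_PREFIXES):
        return False   # dropped at the site's own border (egress filter)
    if ingress_on and not source_allowed(src, SITE_PREFIXES):
        return False   # dropped at the ISP's customer edge (ingress filter)
    return True

def leaked_1918(egress_on, ingress_on):
    """RFC 1918 sources that would show up in a root server's query log."""
    return sorted(src for src, _ in PACKETS
                  if is_rfc1918(src) and reaches_root(src, egress_on, ingress_on))

if __name__ == "__main__":
    for egress_on, ingress_on in product((True, False), repeat=2):
        print(f"egress={egress_on!s:5} ingress={ingress_on!s:5} "
              f"leaked={leaked_1918(egress_on, ingress_on)}")
```
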