--On Wednesday, 15 October, 2003 11:58 -0400 Keith Moore <moore@cs.utk.edu> wrote:
>> Keith Moore wrote:
>>> great. now we'll have NAT boxes intercepting
>>> outgoing DNS traffic also.
>
> That was not my point. My point was to have a DNS server in the inside configured for reverse lookup of private IPs.
>
> one of the most-frequently cited justifications for NAT is plug-and-play. expecting people to set up their own DNS servers sort of nullifies that.
Keith, two observations...
(1) Yes, I think, and I think we are in agreement, that this sort of thing digs the NAT hole even deeper.
(2) But the typical plug-and-play NAT, at least the ones I have run across, is preconfigured with the addresses to be used on the "inside" and contains (or is intimately paired with) a DHCP server that gives out those addresses. Installing a DNS filter in the thing that would intercept PTR queries for that address range, or any 1918 address range, and respond to them in some "canned" way while passing other DNS queries out to the network as intended is not rocket science and certainly doesn't violate any plug-and-play arguments.
Now, whether that interception and diversion of DNS queries is a moral activity is a different question. But, if you believe strongly enough that having a NAT in the first place puts one into a serious state of sin, then the marginal sin of intercepting DNS queries for private addresses, to prevent the sort of problems those queries cause, seems to me to be fairly small.
"where are we going and what are we doing in this handbasket?"
john
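The PTR filter described in point (2) above, as an added example that is not part of the original thread: a NAT box that answers reverse lookups for RFC 1918 addresses itself and forwards everything else upstream. It is standard-library Python working directly on DNS wire format (RFC 1035). The canned answer, a synthesized name under the reserved `nat.invalid` suffix, is this example's own choice (any canned form would do, including a plain NXDOMAIN, which is also shown); the query packets are constructed inline to stand in for what a client on the inside would send.

```python
"""Intercept PTR queries for RFC 1918 addresses on a NAT box; forward the rest."""
import ipaddress
import struct

QTYPE_PTR = 12
QCLASS_IN = 1
RCODE_NXDOMAIN = 3
# Assumption: the canned PTR target lives under a reserved name (RFC 2606 .invalid),
# so it can never collide with a real delegation.
CANNED_SUFFIX = "nat.invalid"
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def decode_name(packet, offset):
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname, qtype=QTYPE_PTR, txid=0x1234):
    """Constructed sample query (RD set, one question) standing in for a client's packet."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def ptr_name_to_ipv4(qname):
    """Map '4.3.168.192.in-addr.arpa' to IPv4Address('192.168.3.4'); None if not an IPv4 PTR name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None


def is_private(addr):
    """True if addr falls in any RFC 1918 range."""
    return any(addr in net for net in PRIVATE_NETS)


def canned_ptr_target(addr):
    """Synthesized hostname for a private address, e.g. private-192-168-3-4.nat.invalid."""
    return "private-%s.%s" % (str(addr).replace(".", "-"), CANNED_SUFFIX)


def filter_query(packet, canned="ptr"):
    """Return a canned response for a PTR query on an RFC 1918 address, or None
    when the NAT box should forward the packet upstream untouched.
    canned="ptr" synthesizes a PTR record; canned="nxdomain" answers NXDOMAIN."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        return None                      # a response, or an odd query: not ours to answer
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    if qtype != QTYPE_PTR or qclass != QCLASS_IN:
        return None                      # only PTR lookups are intercepted
    addr = ptr_name_to_ipv4(qname)
    if addr is None or not is_private(addr):
        return None                      # public address (or ip6.arpa): forward as intended
    question = packet[12:off + 4]
    rd = flags & 0x0100
    resp_flags = 0x8000 | 0x0400 | rd | 0x0080   # QR, AA, RD copied, RA
    if canned == "nxdomain":
        header = struct.pack("!HHHHHH", txid, resp_flags | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return header + question
    rdata = encode_name(canned_ptr_target(addr))
    # Answer name is a compression pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0)
    return header + question + answer


def rcode(response):
    """Extract RCODE from a response header (0 = NOERROR, 3 = NXDOMAIN)."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


if __name__ == "__main__":
    for name in ("4.3.168.192.in-addr.arpa", "1.1.8.8.in-addr.arpa"):
        r = filter_query(build_query(name))
        print(name, "->", "answered locally" if r else "forwarded upstream")
```

The filter only claims PTR/IN questions whose name reverses to a 1918 address; A queries, ip6.arpa names and public addresses all fall through to the upstream forwarder, which is the narrow interception the point above argues for. The 172.16.0.0/12 boundary is the one people get wrong by hand (172.31.x.x is private, 172.32.x.x is not), so the address check is done with `ipaddress` rather than string prefixes.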