Re: [BEHAVE] DNS vs port overloading

Mark Andrews <marka@isc.org> Thu, 27 June 2013 14:36 UTC

To: Simon Perreault <simon.perreault@viagenie.ca>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Thu, 27 Jun 2013 16:21:13 +0200." <51CC4A59.8080801@viagenie.ca>
Date: Fri, 28 Jun 2013 00:36:12 +1000
Message-Id: <20130627143612.51ECB365ED5A@drugs.dv.isc.org>
Cc: behave@ietf.org, ivan@cacaoweb.org
Subject: Re: [BEHAVE] DNS vs port overloading

In message <51CC4A59.8080801@viagenie.ca>, Simon Perreault writes:
> On 2013-06-27 16:14, Mark Andrews wrote:
> >> I have suggested that one condition where port overloading could be used
> >> is when the NAT knows that it will not disrupt the application protocol.
> >> For example, the protocols running on TCP port 80 and UDP port 53 (HTTP
> >> and DNS) are purely client-server and therefore would not be affected by
> >> port overloading. Allowing NATs to do port overloading for those ports
> >> only would probably solve the scalability problem since they account for
> >> a large portion of the traffic.
> >
> > And overloading DNS could potentially defeat the port randomisation
> > done by the server even though nameservers do port overloading
> > themselves to send traffic out a large set of ports chosen at
> > random and reselected from at random.
> 
> Good point.
> 
> Could that be solved with operational advice? In the case of CGN, we
> could advise the ISP to make sure that its recursive nameserver
> sits on the border between the internal and external realm such that no
> DNS traffic is handled by the CGN.
> 
> Would that fully address your concern?
> 
> Simon

No.  Many ISPs have a history of mucking with DNS results when you
use their servers.  Most ISPs don't muck with DNS queries not directed
to their servers.  For those that do, you can usually see that they
are mucking with results.

You can't just redirect queries at a normal recursive server and
think that will provide a "transparent DNS caching server".

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
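The point raised in the quoted exchange is that once a NAT sits between a recursive resolver and the authoritative servers, the source port the authoritative server sees is the one the NAT chose, not the one the resolver randomised. The following added example (not code from this thread or from ISC) measures the source-port entropy left on the wire under two constructed NAT policies; the port pool, base port and policies are assumptions for illustration.

```python
"""Added example: how much of a resolver's source-port randomisation
survives translation depends entirely on the NAT's port-selection policy.
Port pool, base port and both NAT policies are constructed assumptions."""
import math
import random
from collections import Counter

EPHEMERAL_PORTS = range(1024, 65536)   # resolver's random source-port pool


def resolver_query_ports(n_queries, rng):
    """The resolver draws an independent random source port per query."""
    return [rng.choice(EPHEMERAL_PORTS) for _ in range(n_queries)]


def endpoint_independent_nat(seed=1):
    """Assumed policy: every new internal port gets a fresh, randomly chosen
    external port, so the resolver's randomisation survives translation."""
    rng, mapping, free = random.Random(seed), {}, list(EPHEMERAL_PORTS)

    def translate(internal_port):
        if internal_port not in mapping:
            mapping[internal_port] = free.pop(rng.randrange(len(free)))
        return mapping[internal_port]
    return translate


def port_squeezing_nat(pool_size):
    """Assumed policy modelling the thread's concern: the NAT hands out
    external ports in turn from a small per-subscriber pool, so at most
    log2(pool_size) bits of port entropy reach the authoritative server."""
    state = {"next": 0}

    def translate(internal_port):
        port = 40000 + (state["next"] % pool_size)   # constructed base port
        state["next"] += 1
        return port
    return translate


def entropy_bits(ports):
    """Shannon entropy, in bits, of the external ports seen on the wire."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def observed_entropy(translate, n_queries=4096, seed=7):
    """Entropy of the external source ports for n_queries resolver queries."""
    rng = random.Random(seed)
    return entropy_bits([translate(p) for p in resolver_query_ports(n_queries, rng)])


if __name__ == "__main__":
    print("entropy preserved:", observed_entropy(endpoint_independent_nat()))
    print("entropy squeezed :", observed_entropy(port_squeezing_nat(16)))
```

With 4096 queries, the endpoint-independent policy keeps close to the 12 bits the sample can show, while a 16-port pool leaves exactly 4 bits regardless of how well the resolver randomised.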