[Gllug] DNS security problem and broadband modems

Alain Williams addw at phcomp.co.uk
Tue Jul 29 09:31:00 UTC 2008

On Mon, Jul 28, 2008 at 10:24:24PM +0100, ba1020 wrote:
> Tethys wrote:
> >  
> > Option 3) Do it yourself (in other words, get a better NAT
> > provider). My ADSL router acts purely as a router -- simply
> > passing packets from network A to network B and vice versa.
> > It does no NAT/PAT and no packet filtering. Traffic goes
> > straight through into my firewall (a separate box) which is
> > entirely under my control. From there I fan out to the rest
> > of the network. It's a setup I'd recommend to anyone. No
> > messing about with cryptic and underpowered vendor configs.
> > It's all just plain old network config on a Unix box.
> >
> > Tet
> >   
> Hm, how is your router configured; routing the Internet to an internal private
> network?
> And what is the IP address of your router's internal interface,
> and how do you NAT on your Unix box (iptables)?
> It's not so easy to disable NATing on the router and keep everything
> working!

That is the problem.

Some modems do have a mode where they present the external IP traffic directly to
one internal machine. However, since my BB modem also does my wifi (in a DMZ between
the Internet and my internal network) this will not work. What is really wanted is
"don't NAT outgoing connections to UDP port 53" - but that won't happen.

I suppose that if NATting devices tried to preserve the local port number (i.e. only change
it if it is already "in use") then this would go a long way to solving my problem. It would
not be hard for NATting devices to do - most just don't seem to work that way.

Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
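The port-preservation point above, as an added example that is not part of the original post or the thread: a small simulation of two hypothetical NAT policies in front of a resolver that randomises its UDP source port per query. The `SequentialNat` and `PortPreservingNat` classes, the client address (an RFC 5737 documentation address) and the query counts are all assumptions made for the model; the measurements it reports are from this simulation, not from any real modem.

```python
import math
import random
from collections import Counter

# Constructed model, not code from the original post. A patched resolver
# picks a fresh random UDP source port per query; the NAT in front of it
# decides how much of that randomness survives on the Internet side.

PORT_MIN, PORT_MAX = 1024, 65535        # ephemeral range used by the model
CLIENT_IP = "192.0.2.10"                # hypothetical LAN client (RFC 5737 range)


class SequentialNat:
    """Hypothetical NAT that hands out external source ports from a counter,
    ignoring the local port entirely (the behaviour the post complains about)."""

    def __init__(self, first_port=PORT_MIN):
        self.next_port = first_port
        self.table = {}                 # flow -> external port

    def translate(self, flow):
        if flow not in self.table:
            self.table[flow] = self.next_port
            self.next_port += 1
        return self.table[flow]


class PortPreservingNat:
    """Hypothetical NAT that keeps the local source port unless it is already
    in use, and only then picks a random free one (the behaviour the post asks for)."""

    def __init__(self, seed=7):
        self.table = {}
        self.in_use = set()
        self.rng = random.Random(seed)

    def translate(self, flow):
        if flow in self.table:
            return self.table[flow]
        _, local_port, _ = flow
        port = local_port
        while port in self.in_use:      # collision: fall back to a random free port
            port = self.rng.randrange(PORT_MIN, PORT_MAX + 1)
        self.in_use.add(port)
        self.table[flow] = port
        return port


def run_queries(nat, n_queries, seed=1):
    """Send n_queries DNS lookups through `nat`, each from a fresh random local
    source port. Returns the external source ports a remote observer would see."""
    rng = random.Random(seed)
    seen = []
    for query_no in range(n_queries):
        local_port = rng.randrange(PORT_MIN, PORT_MAX + 1)
        # query_no makes every lookup a distinct flow even if a local port repeats
        flow = (CLIENT_IP, local_port, query_no)
        seen.append(nat.translate(flow))
    return seen


def next_port_predictable(ports):
    """Fraction of queries whose external port an attacker who saw the previous
    one could name with a single guess (previous + 1)."""
    pairs = list(zip(ports, ports[1:]))
    return sum(1 for a, b in pairs if b == a + 1) / len(pairs)


def delta_entropy_bits(ports):
    """Shannon entropy (bits) of the port-to-port differences, a sample-bounded
    estimate of the source-port uncertainty left for a spoofer: 0 means the next
    port follows deterministically from the last one; ~log2(len(ports)) means
    the sample shows no structure at all."""
    deltas = Counter(b - a for a, b in zip(ports, ports[1:]))
    total = sum(deltas.values())
    return -sum((c / total) * math.log2(c / total) for c in deltas.values())


def compare(n_queries=2000):
    """Return {nat name: (predictable fraction, delta entropy bits)} for both models."""
    result = {}
    for name, nat in (("sequential", SequentialNat()), ("port-preserving", PortPreservingNat())):
        ports = run_queries(nat, n_queries)
        result[name] = (next_port_predictable(ports), delta_entropy_bits(ports))
    return result


if __name__ == "__main__":
    for name, (predictable, bits) in compare().items():
        print(f"{name:16s} next port guessable {predictable:5.1%}  "
              f"port entropy ~{bits:.1f} bits  (+16 bits of TXID either way)")
```

Behind the sequential model an attacker who has seen one external port knows the next one, so the 16-bit transaction ID is all that is left to guess; behind the port-preserving model the per-query port randomisation survives essentially intact. Linux netfilter's SNAT/MASQUERADE already behaves like the port-preserving model (it keeps the original source port whenever that port is free), which is one concrete reason the "do the NAT on a Unix box" advice quoted earlier in the thread helps with this problem.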