DNS cache poisoning vs. NAT

The latest DNS security issue (please read Hubert’s blog entry) proves once more that NAT is a bad idea. If you run a DNS server behind a NAT (which you really shouldn’t), you get to pick one of two evils:

  1. You use a fixed query source port on your DNS server, which makes it susceptible to DNS cache poisoning.
  2. You use random query source ports, which creates a lot of entries in the mapping table of your NAT gateway. Since DNS mostly uses connectionless UDP, the NAT gateway has to rely on idle timeouts to delete those mappings, so the mapping table fills up quickly. This causes problems especially on small router appliances.
    Even if your NAT router handles this gracefully, there is a good chance that it undoes the randomisation of the source port by assigning sequential port numbers to its NAT mappings.
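To make the second evil concrete, here is an added example that is not part of the original post and not the code of any real NAT product: a toy model of a NAT gateway's UDP mapping table. It assumes endpoint-independent mapping (one entry per inside ip:port regardless of destination), a fixed idle timeout, and two hypothetical external-port allocators, `preserve` (keep the inside port) and `sequential` (hand out the next port in order). The `NatTable`, `simulate` and `port_randomness` names and all addresses and numbers are constructed for the example.

```python
"""Toy model of a NAT gateway's UDP mapping table (added example, not code
from the original post or from any real NAT product).

Assumptions: endpoint-independent mapping (one entry per inside ip:port,
whatever the destination), a fixed idle timeout, and two hypothetical
external-port allocators: "preserve" keeps the inside port, "sequential"
hands out the next port in order. Addresses are constructed from the
documentation ranges."""

import random


class NatTable:
    """Mapping table keyed on (inside_ip, inside_port). UDP has no FIN,
    so an entry only disappears when the idle timeout expires."""

    def __init__(self, allocator="preserve", idle_timeout=30.0):
        self.allocator = allocator          # "preserve" or "sequential"
        self.idle_timeout = idle_timeout    # seconds
        self.mappings = {}                  # key -> (external_port, last_seen)
        self.next_port = 1024               # state of the sequential allocator

    def expire(self, now):
        stale = [k for k, (_, seen) in self.mappings.items()
                 if now - seen > self.idle_timeout]
        for k in stale:
            del self.mappings[k]

    def translate(self, now, inside_ip, inside_port):
        """Return the external port the far end sees for this inside ip:port."""
        self.expire(now)
        key = (inside_ip, inside_port)
        if key in self.mappings:
            ext_port = self.mappings[key][0]      # existing mapping, refresh it
        elif self.allocator == "preserve":
            ext_port = inside_port                # single inside host, so no clash
        else:
            ext_port = self.next_port             # sequential: randomness is lost
            self.next_port = 1024 if self.next_port == 65535 else self.next_port + 1
        self.mappings[key] = (ext_port, now)
        return ext_port


def simulate(allocator, random_ports, queries=1000, qps=100, idle_timeout=30.0, seed=1):
    """Push `queries` UDP queries through the NAT at `qps` per second; return
    the peak table size and the external port of every query."""
    rng = random.Random(seed)
    nat = NatTable(allocator, idle_timeout)
    external_ports, peak = [], 0
    for i in range(queries):
        now = i / qps
        # random_ports=False models a resolver pinned to one source port
        sport = rng.randint(1024, 65535) if random_ports else 53
        external_ports.append(nat.translate(now, "192.0.2.10", sport))
        peak = max(peak, len(nat.mappings))
    return peak, external_ports


def port_randomness(ports):
    """Crude view of what an outside observer sees: share of distinct ports,
    and how often a port was simply the previous one plus one."""
    distinct = len(set(ports)) / len(ports)
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return {"distinct_ratio": distinct,
            "sequential_ratio": steps / max(1, len(ports) - 1)}


if __name__ == "__main__":
    cases = [("fixed port, port-preserving NAT", "preserve", False),
             ("random ports, port-preserving NAT", "preserve", True),
             ("random ports, sequential NAT", "sequential", True)]
    for label, allocator, rnd in cases:
        peak, ports = simulate(allocator, rnd)
        print(f"{label}: peak mappings={peak}, {port_randomness(ports)}")
    peak, _ = simulate("preserve", True, idle_timeout=5.0)
    print(f"random ports, 5 s idle timeout: peak mappings={peak}")
```

The first case keeps the table at one entry but every query leaves on the same port; the second keeps the randomness but holds roughly one mapping per query until the idle timeout expires (the table size is bounded by query rate times timeout, as the 5 s run shows); the third shows a sequential allocator turning a well-randomised resolver into a near-monotonic port sequence as seen from outside. The same `port_randomness` check, fed with ports captured on the outside of a real NAT, is a cheap way to find out which of the three a given gateway behaves like.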

The only solution I can think of is NAT implementations that recognise DNS traffic and use very short-lived NAT mappings for it. But that makes NAT even more evil, because it has to make even more assumptions about the IP traffic it carries in order to work properly.

What we really need is DNSSEC (to make DNS secure) and IPv6 (to get rid of NAT).