[Dnsmasq-discuss] NAT Congestion Enhancement for DNS Client Port Selection

Eric Luehrsen ericluehrsen at hotmail.com
Sun Jul 12 06:40:50 BST 2015

It's been a while since I could try to simulate a good use case.
In short, it's peeling an onion and just exposed a whole bunch of
bad factors. There are other issues in these gateways. They do a
"lot of stuff" that has no customer tuning or even visibility.
This confounds any honest testing. If port-mapping-connections,
entanglement, and business-guest isolation double NAT ...
... and added fun carrier NAT, ugh ...
were the only problems, then maybe this idea had a place.
Considering all, it's ready for the recycle bin.


> If you want to experiment with strategies, and your C is OK, it should
> be quite easy to do. Look at allocate_rfd() in src/forward.c. That has
> two bits of code, the first makes a new random socket, and if that
> fails (kernel resource issues, or maximum number (RANDOM_SOCKS) in
> use) it falls through to the second bit, which uses an existing
> socket/port instead. All the reference-counting stuff to share random
> ports is already there, you just need to add some code to decide when
> to use an existing port instead of making a new one.
> It would be interesting to hear if this actually improves things.
> Cheers,
> Simon.

>> I would like to propose that DNSMASQ move [random per port# 
>> over short time] and also DNSMASQ move client ports
>> when so many requests have processed (max-concurrent reused or
>> %10 of cache or random again?).  This will keep its profile on
>> the NAT down and it will maintain the moving target against
>> attacks.
>> ..............
>> The use case is in some new products for home and small business
>> with cable ISP. These are a super-media-gateway-box with media
>> server, cable interface, two independent VOIP lines, cable modem,
>> and wireless gateway. MOCA serves TV through client media boxes.
>> One public IPv4 to do all of this. These are a great concept, but
>> the modem, firewall, and wireless are poorly implemented. However,
>> this combo may be the most economic offering for monthly cost.
>> Super-gateways often don't provide even Primary and Guest networks 
>> (ie isolate Coffee Shop POS and Guest Free WiFi). There's nothing
>> if you want to prevent neighbor business from free-loading into
>> your Guest Wifi, and so use beverage receipt passwords.
>> .......
>> Eric
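The two-path port allocation Simon describes (fresh random socket while under the RANDOM_SOCKS limit, otherwise share a reference-counted existing port), combined with the rotation rule from the proposal, modelled as a small added example. This is constructed illustration code, not dnsmasq's allocate_rfd(); MAX_SOCKS, ROTATE_AFTER, nat_entries_for_burst() and the in-memory slot pool are assumptions standing in for real sockets.

```c
/* Model of a reference-counted pool of random DNS client ports, the shape
 * the quoted allocate_rfd() explanation describes: a query opens a fresh
 * random port while the pool has a free slot; once full, queries share the
 * least-loaded existing port. The proposal's rotation rule retires a port
 * after ROTATE_AFTER queries so the ports the NAT sees keep moving.
 * Constructed model, not dnsmasq code. */
#include <stdlib.h>
#define MAX_SOCKS    4   /* assumed pool size standing in for RANDOM_SOCKS */
#define ROTATE_AFTER 3   /* assumed rotation threshold from the proposal */
struct port_slot { int active, refcount, served; unsigned short port; };
struct port_pool { struct port_slot slot[MAX_SOCKS]; int fresh_ports; };
/* Returns a slot index to send from, or -1 if every port is due for
 * rotation (caller retries later). Port collisions are ignored here. */
int allocate_port(struct port_pool *p)
{
    int i, best = -1;
    for (i = 0; i < MAX_SOCKS; i++)            /* first path: fresh port */
        if (!p->slot[i].active) {
            p->slot[i].active = p->slot[i].refcount = p->slot[i].served = 1;
            p->slot[i].port = (unsigned short)(1024 + rand() % 64511);
            p->fresh_ports++;                  /* one more NAT mapping */
            return i;
        }
    for (i = 0; i < MAX_SOCKS; i++)            /* second path: share one */
        if (p->slot[i].served < ROTATE_AFTER &&
            (best < 0 || p->slot[i].refcount < p->slot[best].refcount))
            best = i;
    if (best >= 0) { p->slot[best].refcount++; p->slot[best].served++; }
    return best;
}
/* Reply received or query timed out: drop the reference and retire the
 * port once it hit its threshold with nothing left in flight on it. */
void release_port(struct port_pool *p, int i)
{
    if (--p->slot[i].refcount == 0 && p->slot[i].served >= ROTATE_AFTER)
        p->slot[i].active = 0;
}
/* Sends a burst of concurrent queries, then receives every reply. Returns
 * the distinct ports (NAT entries) used, or -1 if a query got no port. */
int nat_entries_for_burst(int queries)
{
    struct port_pool pool = {0};
    int *idx = malloc(sizeof(int) * (queries > 0 ? queries : 1)), q, failed = 0;
    for (q = 0; q < queries; q++)
        if ((idx[q] = allocate_port(&pool)) < 0) failed = 1;
    for (q = 0; q < queries; q++)
        if (idx[q] >= 0) release_port(&pool, idx[q]);
    free(idx);
    return failed ? -1 : pool.fresh_ports;
}
```

With these constants a burst of 12 concurrent queries occupies only 4 NAT mappings instead of 12, and the 13th query is refused until a reply frees a port, which is the trade-off the proposal was weighing.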