#1
Risks of patched servers behind de-randomizing NAT
David Carmean wrote:
> I seem to have lost a message where somebody from ISC (Paul?) was going to release an updated/new advisory regarding the source-port de-randomizing effects that many NAT implementations will have upon patched servers.

I don't know what Paul (or whoever) was going to say, but I'll say the following:

If I can get your nameserver to resolve a specific query (consider, as Evan said earlier, an e-mail with a link in it that someone in your organization might click on), and that query is from a device that shows up on the Internet as a resolver with non-random source ports, I may very well be able to poison your cache.

Consider that there are other ways to force "internal" servers to do predictable outbound queries (think about the SMTP protocol for a moment).

Randomize the port numbers. Please.

AlanC
#2
Risks of patched servers behind de-randomizing NAT
I seem to have lost a message where somebody from ISC (Paul?) was going to release an updated/new advisory regarding the source-port de-randomizing effects that many NAT implementations will have upon patched servers.

Many of the folks I'm working with are unconcerned about this problem, because they cannot come up with an attack scenario against a recursive server behind a [NATting] firewall. They are also apparently hearing claims from our firewall vendor (starts with a letter between I and K) that this is not a big deal for servers behind a [their?] firewall. (Were they not invited to The Big Meeting?)

Can we get a reading from Those Who Know about how likely it is that BadGuys can trick a client inside such a firewall to facilitate an attack against an internal recursive server (said server can query through the firewall)?

Thanks.
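A check for the condition this thread is about, as an added example that is not part of either post: it classifies the source ports of a resolver's outbound queries as they appear outside the NAT. The sample port lists, the function names and the thresholds (`min_stdev`, `max_sequential`, the step size of 16) are assumptions made for illustration.

```python
import statistics

# Constructed samples: UDP source ports of consecutive outbound queries from one
# resolver, recorded OUTSIDE the NAT (e.g. at an authoritative server you run).
DIRECT = [51234, 10293, 33021, 60877, 2841, 45510,
          19876, 58012, 27439, 8122, 39664, 14705]
BEHIND_NAT = [40001, 40002, 40003, 40005, 40006, 40007,
              40008, 40010, 40011, 40012, 40013, 40014]
SMALL_POOL = [20000 + x for x in (512, 17, 900, 333, 760, 101,
                                  640, 48, 980, 250, 820, 410)]


def port_stats(ports):
    """Summarise how predictable a run of observed source ports is."""
    if len(ports) < 10:
        raise ValueError("need at least 10 observed queries")
    # Step from each port to the next, wrapping at 16 bits.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    # A step of 0..16 means the port was reused or allocated incrementally.
    small = sum(1 for d in deltas if d <= 16)
    return {
        "distinct": len(set(ports)),
        "span": max(ports) - min(ports) + 1,
        "stdev": statistics.pstdev(ports),
        "sequential_ratio": small / len(deltas),
    }


def verdict(ports, min_stdev=3000.0, max_sequential=0.2):
    """Classify the sample; thresholds are illustrative assumptions."""
    s = port_stats(ports)
    if s["distinct"] == 1:
        return "FIXED"        # every query leaves from the same port
    if s["sequential_ratio"] > max_sequential:
        return "SEQUENTIAL"   # NAT rewrites to next-free-port allocation
    if s["stdev"] < min_stdev:
        return "NARROW"       # random, but drawn from a small port pool
    return "RANDOM"


if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("behind NAT", BEHIND_NAT),
                         ("small pool", SMALL_POOL)):
        print(f"{name:11s} {verdict(sample):10s} {port_stats(sample)}")
```

Any verdict other than `RANDOM` on ports captured outside the firewall means the resolver's own port randomization is not what the Internet sees.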