The "not long discussion" thread....

Jerry Pasker info at n-connect.net
Tue Apr 26 19:44:28 UTC 2005


I posted to NANOG:

>Jerry Pasker <info at n-connect.net> wrote:
>
>
>>  fine. (after a few tries)  I'm using BIND 9.2.4 without the eye pee
>>  vee six stuff compiled in.  Because I don't want to start something;
>>  No discussion about me blocking port 53, ok?  I got tired of gobs of
>>  log files of script kiddies trying to download my domains 5 years
>>  ago...

Steve Sobol replied with:

>I'm not going to enter into a long discussion with you. :)
>
>I'm just curious why you didn't restrict AXFR to certain IPs instead.

And I'm posting back to NANOG:

I did.

And I had router ACLs doing the same thing.  Allow to hosts that 
needed it, deny for everyone else.  And I did this to ALL my DNS 
servers.

I was getting DoSed one day, somewhere in the whereabouts of about
2001, and put in the ACLs, immediately expecting it to break things
(truncated responses needing TCP and/or other things that I didn't
foresee).  Much to my dismay, it broke nothing.  Despite me looking
for problems, and asking and pleading with my techies to find trouble
tickets related to this issue, it didn't happen.  I revisited the
issue periodically.  Every time there was an unexplained DNS issue, I
would think "it must be the port 53 block!"  But alas, I was
disappointed each and every time.  I've removed and added the ACLs
countless times over the years troubleshooting various DNS issues,
but this is the first time that removing them actually solved
anything.

See, I *WANTED* there to be a problem in blocking port 53, I
*BELIEVED* all the talk that it would cause problems, but that
problem never showed up.  Over the years, eventually I just slowly
arrived at the conclusion that all the talk was from people who
talked, not from people who were brave enough to try it in a
production environment.

4 years later, I was proved "inconclusive":  Blocking port 53 does 
break things to servers that are already (apparently?) broken.



-Jerry
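The alternative Steve Sobol asks about, restricting AXFR inside BIND rather than filtering port 53 on the router, as an added example that is not part of the thread or of Jerry's configuration. The ACL name, the 192.0.2.0/24 addresses and the example.com zone are placeholders; the point is that transfers are denied by default while ordinary queries, including the TCP retry after a truncated UDP answer, keep working.

```conf
// Hypothetical named.conf fragment (not from the thread). The addresses
// and zone name are documentation placeholders, not real hosts.

// Only these hosts may pull zones: the secondaries.
acl "secondaries" {
    192.0.2.10;        // ns2 (placeholder)
    192.0.2.11;        // ns3 (placeholder)
};

options {
    // Default for every zone served here: no zone transfers at all.
    // Port 53 itself stays open, so normal UDP and TCP queries,
    // including the TCP retry after a TC-flagged answer, still work.
    allow-transfer { none; };
    allow-query    { any; };
};

zone "example.com" {
    type master;               // BIND 9.2-era keyword for the primary
    file "db.example.com";
    // Per-zone override: AXFR/IXFR only from the listed secondaries.
    allow-transfer { secondaries; };
    also-notify    { 192.0.2.10; 192.0.2.11; };
};
```

Checked from a host that is not in the ACL, `dig @ns1.example.com example.com axfr` should be refused, while a plain `dig +tcp @ns1.example.com example.com` still answers, which is the behaviour a port 53 block cannot give.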


