The "not long discussion" thread....
Jerry Pasker
info at n-connect.net
Tue Apr 26 19:44:28 UTC 2005
I posted to NANOG:
>Jerry Pasker <info at n-connect.net> wrote:
>
>
>> fine. (after a few tries) I'm using BIND 9.2.4 without the eye pee
>> vee six stuff compiled in. Because I don't want to start something;
>> No discussion about me blocking port 53, ok? I got tired of gobs of
>> log files of script kiddies trying to download my domains 5 years
>> ago...
Steve Sobol replied with:
>I'm not going to enter into a long discussion with you. :)
>
>I'm just curious why you didn't restrict AXFR to certain IPs instead.
And I'm posting back to NANOG:
I did.
And I had router ACLs doing the same thing. Allow to hosts that
needed it, deny for everyone else. And I did this to ALL my DNS
servers.
I was getting DoSed one day, somewhere in the whereabouts of about
2001, and put in the ACLs, immediately expecting it to break things.
(truncated responses needing TCP and/or other things that I didn't
foresee). Much to my dismay, it broke nothing. Despite me looking
for problems, and asking and pleading my techies to find trouble
tickets related to this issue, it didn't happen. I revisited the
issue periodically. Every time there was an unexplained DNS issue, I
would think "it must be the port 53 block!" but alas, I was
disappointed each and every time. I've removed and added the ACLs
countless times over the years troubleshooting various DNS issues,
but this is the first time that removing them actually solved
anything.
See, I *WANTED* there to be a problem in blocking port 53, I
*BELIEVED* all the talk that it would cause problems, but that
problem never showed up. Over the years, eventually I just slowly
arrived at the conclusion that all the talk was from people who
talked, not from people who were brave enough to try it in a
production environment.
4 years later, I was proved "inconclusive": Blocking port 53 does
break things to servers that are already (apparently?) broken.
-Jerry
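The "restrict AXFR to certain IPs" alternative Steve asks about, written out as a BIND 9 named.conf fragment. This is an added example, not configuration from Jerry's post or from the NANOG thread; the ACL name, the zone name and the RFC 5737 documentation addresses are placeholders:

```conf
// Named ACL listing the only hosts permitted to pull zones (placeholder addresses).
acl "xfer-hosts" {
    192.0.2.53;        // secondary #1 (placeholder)
    198.51.100.53;     // secondary #2 (placeholder)
};

options {
    // Default for every zone: nobody may AXFR/IXFR unless a zone says otherwise.
    allow-transfer { none; };
};

zone "example.net" {
    type master;
    file "master/example.net";
    // Override the global default only for the named secondaries.
    allow-transfer { "xfer-hosts"; };
    // Tell those same secondaries when the zone changes.
    also-notify { 192.0.2.53; 198.51.100.53; };
};
```

The difference from a router ACL on port 53 is what else gets blocked: `allow-transfer` refuses only zone-transfer requests, so ordinary queries that retry over TCP after a truncated UDP answer still work, whereas a blanket 53/tcp block at the router stops those too. To confirm the restriction is in place, run `dig @ns1.example.net example.net AXFR` from a host that is not in the ACL and expect "Transfer failed."; run it from a listed secondary and expect the full zone.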