you're not interesting, was Re: another brick in the wall[ed garden]

Tomas L. Byrnes tomb at
Thu May 14 19:24:26 CDT 2009

Disclaimer: I have a dog in this fight, since ThreatSTOP is dependent on

>-----Original Message-----
>From: Mark Andrews [mailto:Mark_Andrews at]
>Sent: Thursday, May 14, 2009 4:59 PM
>To: John Levine
>Cc: nanog at; rs at
>Subject: Re: you're not interesting,was Re: another brick in the
>In message <20090514223605.88104.qmail at>, John Levine
>> >Dear Sprint EVDO people,
>> >
>> >Your man-in-the-middle hijacking of UDP/53 DNS queries against
>> >nameservers that I choose to query from my laptop on Sprint EVDO is
>> >not appreciated.  Even less appreciated is your complete blocking of
>> >TCP/53 DNS queries.
>> If I were an ISP, and I knew that approximately 99.9% of customer
>> queries to random name servers was malware doing fake site phishing
>> misconfigured PCs that will work OK and avoid a support call if they
>> answer the DNS query, with 0.1% being old weenies like us, I'd do
>> Sprint's doing, too.
>	And what's the next protocol that is going to be stomped on?
>> If you're aware of a mechanical way for them to tell the difference,
>> we're all ears.
>	Well you can't answer a TSIG message without knowing the
>	shared secret so you might as well just let it go through
>	and avoid some percentage of support calls.  Intercepting
>	TSIG messages is guaranteed to generate a support call.
>	Similarly intercepting "rd=0" is also guaranteed to generate
>	a support call.  You almost certainly have a interative
>	resolver making the query which will not handle the "aa=0"
>	responses.
>	Similarly there is no sane reason to block DNS/TCP other than
>	they can do it.
[TLB:] I can think of an argument they might make: that it is/could be
used by bots as a fallback. However, redirecting DNS/UDP fits the model
of "providing a better service for the average user";
blocking/redirecting TCP is more likely to break things a savvy user

Maybe someone with clue at Sprint can be persuaded that doing their own
"OpenDNS" for UDP is probably a good thing for most uses, but doing it
for TCP is a bad thing for those users who need TCP.

More information about the NANOG mailing list