Thank you, Comcast.

Mikael Abrahamsson swmike at swm.pp.se
Fri Feb 26 06:20:28 UTC 2016


On Thu, 25 Feb 2016, Jared Mauch wrote:

> Make sure you permit TCP/53 for DNS queries so if TC=1 lookups work.

Speaking of which, historically ISPs have been blocking TCP/135, TCP/445 
and a few others towards customers (at least that's what I know). TCP/25 
seems to be blocked as well.

Why isn't UDP/53 blocked towards customers? I know historically there were 
resolvers that used UDP/53 as source port for queries, but is this the 
case nowadays?

I know providers that have blocked UDP/53 towards customers as a 
countermeasure to the amplification attacks. As far as I heard, there were 
no customer complaints.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se


More information about the NANOG mailing list