Thank you, Comcast.

Mark Andrews marka at isc.org
Fri Feb 26 06:27:07 UTC 2016


In message <alpine.DEB.2.02.1602260718460.11524 at uplift.swm.pp.se>, Mikael Abrahamsson writes:
> On Thu, 25 Feb 2016, Jared Mauch wrote:
> 
> > Make sure you permit TCP/53 for DNS queries so if TC=1 lookups work.
> 
> Speaking of which, historically ISPs have been blocking TCP/135, TCP/445 
> and a few others towards customers (at least that's what I know). TCP/25 
> seems to be blocked as well.
> 
> Why isn't UDP/53 blocked towards customers? I know historically there were 
> resolvers that used UDP/53 as source port for queries, but is this the 
> case nowadays?
> 
> I know providers that have blocked UDP/53 towards customers as a 
> countermeasure to the amplification attacks. As far as I heard, there were 
> no customer complaints.

Because complaining is like talking to a brick wall most of the
time.  People work around the ISP idiocy by shifting ports; it's
easier than trying to get through help desk hell.

> -- 
> Mikael Abrahamsson    email: swmike at swm.pp.se
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

