Thank you, Comcast.

• Previous message (by thread): Thank you, Comcast.
• Next message (by thread): Thank you, Comcast.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Mikael Abrahamsson wrote:
> Why isn't UDP/53 blocked towards customers? I know historically there
> were resolvers that used UDP/53 as source port for queries, but is this
> the case nowadays?
> 
> I know providers that have blocked UDP/53 towards customers as a
> countermeasure to the amplification attacks. As far as I heard, there
> were no customer complaints.

Traffic from dns-spoofing attacks generally has src port = 53 and dst
port = random.  If you block packets with udp src port=53 towards
customers, you will also block legitimate return traffic if the
customers run their own DNS servers or use opendns / google dns / etc.

Nick

• Previous message (by thread): Thank you, Comcast.
• Next message (by thread): Thank you, Comcast.
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]