Thank you, Comcast.
nanog at ics-il.net
Fri Feb 26 13:27:50 UTC 2016
"you will also block legitimate return traffic if the
customers run their own DNS servers or use opendns / google dns / etc."
I'm fine with that. Residential customers shouldn't be running DNS servers anyway and as far as the outside resolvers to go, ehhhh... I see the case for OpenDNS given that you can use it to filter (though that's easily bypassed), but not really for any others.
Intelligent Computing Solutions
----- Original Message -----
From: "Nick Hilliard" <nick at foobar.org>
To: "Mikael Abrahamsson" <swmike at swm.pp.se>
Cc: "NANOG list" <nanog at nanog.org>
Sent: Friday, February 26, 2016 7:17:30 AM
Subject: Re: Thank you, Comcast.
Mikael Abrahamsson wrote:
> Why isn't UDP/53 blocked towards customers? I know historically there
> were resolvers that used UDP/53 as source port for queries, but is this
> the case nowadays?
> I know providers that have blocked UDP/53 towards customers as a
> countermeasure to the amplification attacks. As far as I heard, there
> were no customer complaints.
Traffic from dns-spoofing attacks generally has src port = 53 and dst
port = random. If you block packets with udp src port=53 towards
customers, you will also block legitimate return traffic if the
customers run their own DNS servers or use opendns / google dns / etc.
More information about the NANOG