Thank you, Comcast.

Mikael Abrahamsson swmike at swm.pp.se
Fri Feb 26 13:55:26 UTC 2016


On Fri, 26 Feb 2016, Nick Hilliard wrote:

> Traffic from dns-spoofing attacks generally has src port = 53 and dst 
> port = random.  If you block packets with udp src port=53 towards 
> customers, you will also block legitimate return traffic if the 
> customers run their own DNS servers or use opendns / google dns / etc.

Sure, it's a very interesting discussion what ports should be blocked or 
not.

http://www.bitag.org/documents/Port-Blocking.pdf

This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been 
blocked for a very long time to fix some issues, even though there is 
legitimate use for these ports.

So if you're blocking these ports, it seems like a small step to block 
UDP/TCP/53 towards customers as well. I can't come up with an argument 
that makes sense to block TCP/25 and then not block port UDP/TCP/53 as 
well. If you're protecting the Internet from your customers 
misconfiguraiton by blocking port 25 and the MS ports, why not 53 as well?

This is a slippery slope of course, and judgement calls are not easy to 
make.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se


More information about the NANOG mailing list