Thank you, Comcast.
bruns at 2mbit.com
Fri Feb 26 17:16:33 UTC 2016
On 2/26/16 10:02 AM, Chris Adams wrote:
>> Except that half the time people run their own DNS resolvers because
>> their provider's resolvers are
> Resolver != authoritative server. Your local DNS resolver doesn't need
> to be (and should not be) listening to port 53 on the Internet. Only
> DNS authoritative servers need to accept Internet traffic on port 53,
> and almost nobody needs to be running one on a typical residential
> connection (especially since residential IPs do change from time to
UDP is a fun protocol - stateless, so blocking a DST of 53/UDP to the
customer also will block responses to recursive queries that originate
from SRC 53/UDP. Connection tracking sorta makes it stateful to a
point, but it can get ugly with enough traffic.
Place the blame for local resolvers listening on WAN squarely where it
belongs - the router vendors who make these devices.
You can't do anything about idiots buying a pro-sumer/professional
device like an EdgeRouter and misconfiguring it, but Linksys/Cisco,
D-Link, Netgear, etc. that are targeted towards home users should be held
to the fire for that kind of screw up.
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org