Thank you, Comcast.

Brielle Bruns bruns at 2mbit.com
Fri Feb 26 17:16:33 UTC 2016


On 2/26/16 10:02 AM, Chris Adams wrote:
>>
>> Except that half the time people run their own DNS resolvers because
>> their provider's resolvers are
>
> Resolver != authoritative server.  Your local DNS resolver doesn't need
> to be (and should not be) listening to port 53 on the Internet.  Only
> DNS authoritative servers need to accept Internet traffic on port 53,
> and almost nobody needs to be running one on a typical residential
> connection (especially since residential IPs do change from time to
> time).
>

UDP is a fun protocol - stateless, so blocking a DST of 53/UDP to the 
customer also will block responses to recursive queries that originate 
from SRC 53/UDP.  Connection tracking sorta makes it stateful to a 
point, but it can get ugly with enough traffic.

Place the blame for local resolvers listening on WAN squarely where it 
belongs - the router vendors who make these devices.

You can't do anything about idiots buying a prosumer/professional 
device like an EdgeRouter and misconfiguring it, but Linksys/Cisco, 
D-Link, Netgear, etc. that are targeted towards home users should be held 
to the fire for that kind of screw up.

-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org    /     http://www.ahbl.org
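To make the point about stateless UDP filtering concrete, here is an added simulation (not code from the post, the list, or any router vendor) of the two approaches contrasted above: a stateless drop of inbound 53/UDP versus a connection-tracking filter with a bounded table. It assumes, as the post does, a resolver that sends queries from source port 53; all addresses are constructed documentation-range values.

```python
from collections import namedtuple

# Constructed packet records (not from the post): direction is "in" or "out"
# from the customer's point of view, ports are integers.
Packet = namedtuple("Packet", "direction proto src dst sport dport")

def naive_filter(packets):
    """Stateless rule: drop every inbound UDP packet with destination port 53."""
    return [p for p in packets
            if not (p.direction == "in" and p.proto == "udp" and p.dport == 53)]

def conntrack_filter(packets, max_entries):
    """Same rule, but outbound UDP flows are remembered so their replies pass.
    When the table is full (max_entries) new flows go untracked and their
    replies hit the naive rule: the 'ugly with enough traffic' failure mode."""
    table = set()
    passed = []
    for p in packets:
        if p.direction == "out" and p.proto == "udp":
            if len(table) < max_entries:
                table.add((p.src, p.sport, p.dst, p.dport))
            passed.append(p)
            continue
        # An inbound packet is a reply if it reverses a tracked outbound tuple.
        reply_of = (p.dst, p.dport, p.src, p.sport)
        if p.proto == "udp" and p.dport == 53 and reply_of not in table:
            continue
        passed.append(p)
    return passed

def demo():
    """Resolver 192.0.2.10 queries two authoritative servers from source port 53
    (constructed addresses); a third host sends an unsolicited query."""
    q1 = Packet("out", "udp", "192.0.2.10", "198.51.100.1", 53, 53)
    r1 = Packet("in", "udp", "198.51.100.1", "192.0.2.10", 53, 53)
    q2 = Packet("out", "udp", "192.0.2.10", "203.0.113.7", 53, 53)
    r2 = Packet("in", "udp", "203.0.113.7", "192.0.2.10", 53, 53)
    unsolicited = Packet("in", "udp", "203.0.113.9", "192.0.2.10", 40000, 53)
    flow = [q1, q2, r1, r2, unsolicited]
    return {
        "naive": naive_filter(flow),            # both replies lost
        "conntrack": conntrack_filter(flow, 2), # replies pass, unsolicited dropped
        "conntrack_full": conntrack_filter(flow, 1),  # second reply lost
    }

if __name__ == "__main__":
    for name, kept in demo().items():
        print(name, [f"{p.src}:{p.sport}->{p.dst}:{p.dport}" for p in kept])
```

Resolvers that randomize their source port avoid the naive rule entirely, which is one reason the collision the post describes is mostly seen on older or misconfigured resolvers.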

