Thank you, Comcast.
dovid at telecurve.com
Fri Feb 26 18:53:58 UTC 2016
This is one of my pet peeves. Another is default passwords for devices. Kudos to TP-Link for not shipping devices with default passwords.
From: Brielle Bruns <bruns at 2mbit.com>
Sender: "NANOG" <nanog-bounces at nanog.org>
Date: Fri, 26 Feb 2016 10:16:33
To: <nanog at nanog.org>
Subject: Re: Thank you, Comcast.
On 2/26/16 10:02 AM, Chris Adams wrote:
>> Except that half the time people run their own DNS resolvers because
>> their provider's resolvers are
> Resolver != authoritative server. Your local DNS resolver doesn't need
> to be (and should not be) listening to port 53 on the Internet. Only
> DNS authoritative servers need to accept Internet traffic on port 53,
> and almost nobody needs to be running one on a typical residential
> connection (especially since residential IPs do change from time to
UDP is a fun protocol - stateless, so blocking a DST of 53/UDP to the
customer also will block responses to recursive queries that originate
from SRC 53/UDP. Connection tracking sorta makes it stateful to a
point, but it can get ugly with enough traffic.
Place the blame for local resolvers listening on WAN squarely where it
belongs - the router vendors who make these devices.
You can't do anything about idiots buying a pro-sumer/professional
device like an EdgeRouter and misconfiguring it, but Linksys/Cisco,
D-Link, Netgear, etc that are targeted towards home users should be held
to the fire for that kind of screw up.
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
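Brielle's point about stateless filtering, as an added Python model that is not part of the thread: a provider rule that drops all inbound 53/UDP also drops the replies to a customer resolver that sources its recursive queries from port 53, while a connection-tracking filter admits the reply but still rejects unsolicited queries. The addresses and port numbers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


CUSTOMER = "198.51.100.7"  # constructed customer address (RFC 5737 range)
AUTH = "203.0.113.53"      # constructed remote authoritative server
STRANGER = "192.0.2.99"    # constructed unrelated Internet host


def stateless_block_53(pkt, inbound):
    """Provider filter discussed in the thread: drop any inbound 53/UDP to the customer."""
    if inbound and pkt.proto == "udp" and pkt.dport == 53:
        return False
    return True


class ConntrackFilter:
    """Stateful variant: remember outbound UDP flows and admit only their replies.
    The flow table is the cost Brielle alludes to; it grows with traffic volume."""

    def __init__(self):
        self.flows = set()

    def allow(self, pkt, inbound):
        if pkt.proto != "udp":
            return True
        if not inbound:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.flows:
            return True          # matches a query the customer sent
        return pkt.dport != 53   # unsolicited 53/UDP is still dropped


def run(filter_fn):
    """Resolver sends a recursive query from source port 53; the reply comes back to 53."""
    query = Packet("udp", CUSTOMER, 53, AUTH, 53)
    reply = Packet("udp", AUTH, 53, CUSTOMER, 53)
    unsolicited = Packet("udp", STRANGER, 40000, CUSTOMER, 53)
    filter_fn(query, False)
    return {"reply": filter_fn(reply, True), "unsolicited": filter_fn(unsolicited, True)}


def compare():
    return {"stateless": run(stateless_block_53), "conntrack": run(ConntrackFilter().allow)}
```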