nanog mailing list archives
Re: Thank you, Comcast.
From: Nick Hilliard <nick () foobar org>
Date: Fri, 26 Feb 2016 13:17:30 +0000
Mikael Abrahamsson wrote:
> Why isn't UDP/53 blocked towards customers? I know historically there were resolvers that used UDP/53 as source port for queries, but is this the case nowadays? I know providers that have blocked UDP/53 towards customers as a countermeasure to the amplification attacks. As far as I heard, there were no customer complaints.

Traffic from dns-spoofing attacks generally has src port = 53 and dst port = random. If you block packets with udp src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc.

Nick
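To make the collateral-damage point concrete, here is an added simulation (not code from the thread or from any participant) that runs three constructed UDP packets through two filters: the stateless "drop inbound udp src port 53" rule Mikael asks about, and a hypothetical stateful alternative that admits a src-port-53 packet only if the customer previously sent a matching query out. The addresses (192.0.2.0/24 as the customer network, 8.8.8.8 as a public resolver, 198.51.100.7 as an abused open resolver) and the `StatefulDnsFilter` class are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample addresses: 192.0.2.0/24 is the customer access network,
# 8.8.8.8 stands in for the public resolver a customer's own DNS server
# forwards to, and 198.51.100.7 is an open resolver being abused as a
# reflector. These are illustrative values, not taken from the thread.


@dataclass(frozen=True)
class Packet:
    label: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True = Internet -> customer, False = customer -> Internet


def stateless_block_src53(pkt: Packet) -> bool:
    """The rule under discussion: drop every UDP packet with source port 53
    that is heading towards customers. Returns True if the packet passes.
    It cannot tell a resolver's legitimate reply from reflected attack traffic,
    because both have src port 53 and an arbitrary destination port."""
    return not (pkt.inbound and pkt.src_port == 53)


class StatefulDnsFilter:
    """Hypothetical alternative: admit an inbound src-port-53 packet only when
    a customer query it could answer was seen leaving earlier."""

    def __init__(self) -> None:
        # (customer ip, customer ephemeral port, resolver ip) of outstanding queries
        self._pending: set[tuple[str, int, str]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.dst_port == 53:
                self._pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))
            return True
        if pkt.src_port == 53:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
            if key in self._pending:
                self._pending.discard(key)
                return True  # reply to a query the customer actually sent
            return False  # unsolicited "response": reflected attack traffic
        return True


# Constructed traffic: a customer-run resolver queries 8.8.8.8, gets its reply,
# and a separate customer receives an unsolicited response from a reflector.
SAMPLE_TRAFFIC = [
    Packet("customer query", "192.0.2.10", 41234, "8.8.8.8", 53, inbound=False),
    Packet("legit reply", "8.8.8.8", 53, "192.0.2.10", 41234, inbound=True),
    Packet("reflected junk", "198.51.100.7", 53, "192.0.2.20", 55555, inbound=True),
]


def evaluate(packets: list[Packet] = SAMPLE_TRAFFIC) -> dict[str, dict[str, bool]]:
    """Run both filters over the traffic; returns {label: {filter_name: passed}}."""
    stateful = StatefulDnsFilter()
    results: dict[str, dict[str, bool]] = {}
    for pkt in packets:
        results[pkt.label] = {
            "stateless": stateless_block_src53(pkt),
            "stateful": stateful.allow(pkt),
        }
    return results


if __name__ == "__main__":
    for label, verdicts in evaluate().items():
        s = "pass" if verdicts["stateless"] else "DROP"
        f = "pass" if verdicts["stateful"] else "DROP"
        print(f"{label:15s} stateless={s:4s} stateful={f}")
```

The stateless rule drops the reflected junk, but it drops the legitimate reply just as readily, which is exactly the breakage Nick describes for customers running their own servers or using an off-net resolver. Only the per-flow state lets the two be told apart, and that state is what a customer's own firewall or CPE keeps for its own flows; an ISP edge ACL applied across many customers is typically stateless, so in practice the choice is between the collateral damage shown here and not filtering on source port at all.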
Current thread:
- Thank you, Comcast. Mike Hammett (Feb 25)
- Re: Thank you, Comcast. Paras Jha (Feb 25)
- Re: Thank you, Comcast. Roland Dobbins (Feb 25)
- Re: Thank you, Comcast. Jared Mauch (Feb 25)
- Re: Thank you, Comcast. Mikael Abrahamsson (Feb 25)
- Re: Thank you, Comcast. Mark Andrews (Feb 25)
- Re: Thank you, Comcast. Mikeal Clark (Feb 25)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Nick Hilliard (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Dovid Bender (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Livingood, Jason (Feb 26)
- Re: Thank you, Comcast. Brielle Bruns (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Roland Dobbins (Feb 26)
- Re: Thank you, Comcast. Brielle Bruns (Feb 26)
- Re: Thank you, Comcast. Mike Hammett (Feb 26)
- Re: Thank you, Comcast. Brielle Bruns (Feb 26)
- Re: Thank you, Comcast. Paras Jha (Feb 25)