nanog mailing list archives

Re: Thank you, Comcast.


From: Nick Hilliard <nick () foobar org>
Date: Fri, 26 Feb 2016 13:17:30 +0000

Mikael Abrahamsson wrote:
> Why isn't UDP/53 blocked towards customers? I know historically there
> were resolvers that used UDP/53 as source port for queries, but is this
> the case nowadays?
> 
> I know providers that have blocked UDP/53 towards customers as a
> countermeasure to the amplification attacks. As far as I heard, there
> were no customer complaints.

Traffic from dns-spoofing attacks generally has src port = 53 and dst
port = random.  If you block packets with udp src port=53 towards
customers, you will also block legitimate return traffic if the
customers run their own DNS servers or use opendns / google dns / etc.

Nick
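
The point in Nick's last paragraph, as an added example that is not part of the thread: a stateless match on UDP source port 53 towards customers drops a legitimate reply to a customer's resolver and a reflected amplification packet alike, while a filter that remembers the customer's own outbound queries (an assumed conntrack-style approach, not something the mail describes) can tell them apart. All addresses and packets below are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True = flowing from the network towards the customer

def stateless_block_sport53(pkt):
    """The rule from the thread: drop UDP src port 53 towards customers (no state)."""
    return pkt.inbound and pkt.src_port == 53

class StatefulDnsFilter:
    """Assumed alternative: admit an inbound src-port-53 packet only if it answers a
    query the customer sent earlier (keyed on client ip, client port, server ip).
    A real implementation would also expire entries after a few seconds."""
    def __init__(self):
        self.pending = set()

    def allow(self, pkt):
        if not pkt.inbound:                   # customer -> internet
            if pkt.dst_port == 53:            # remember the outstanding query
                self.pending.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))
            return True
        if pkt.src_port != 53:                # not DNS reply traffic, not our concern
            return True
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        if key in self.pending:
            self.pending.discard(key)         # one answer per query
            return True
        return False                          # unsolicited reply: reflected/spoofed

# Constructed sample traffic (RFC 5737 documentation prefixes; 8.8.8.8 stands for
# the "google dns" case the mail mentions).
CUSTOMER_QUERY = UdpPacket("192.0.2.10", 40123, "8.8.8.8", 53, inbound=False)
LEGIT_REPLY = UdpPacket("8.8.8.8", 53, "192.0.2.10", 40123, inbound=True)
REFLECTED = UdpPacket("203.0.113.5", 53, "192.0.2.10", 51234, inbound=True)

def compare_filters():
    """Return, per filter, (legit reply dropped?, reflected packet dropped?)."""
    f = StatefulDnsFilter()
    f.allow(CUSTOMER_QUERY)                   # the customer's resolver asks 8.8.8.8
    return {
        "stateless": (stateless_block_sport53(LEGIT_REPLY), stateless_block_sport53(REFLECTED)),
        "stateful": (not f.allow(LEGIT_REPLY), not f.allow(REFLECTED)),
    }
```

The stateless rule returns (True, True): it cannot distinguish the two packets, which is exactly the collateral damage Nick describes; the stateful one returns (False, True).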

