Re: Thank you, Comcast.

["Dovid Bender" <dovid () telecurve com>]

This is one of my pet peeves. Another is default passwords for devices. Kudo to TP-Link for not shipping devices with 
default passwords.


Regards,

Dovid

-----Original Message-----
From: Brielle Bruns <bruns () 2mbit com>
Sender: "NANOG" <nanog-bounces () nanog org>Date: Fri, 26 Feb 2016 10:16:33 
To: <nanog () nanog org>
Subject: Re: Thank you, Comcast.

On 2/26/16 10:02 AM, Chris Adams wrote:
> > Except that half the time people run their own DNS resolvers because
> > their provider's resolvers are
>
> Resolver != authoritative server.  Your local DNS resolver doesn't need
> to be (and should not be) listening to port 53 on the Internet.  Only
> DNS authoritative servers need to accept Internet traffic on port 53,
> and almost nobody needs to be running one on a typical residential
> connection (especially since residential IPs do change from time to
> time).

UDP is a fun protocol - stateless, so blocking a DST of 53/UDP to the 
customer also will block responses to recursive queries that originate 
from SRC 53/UDP.  Connection tracking sorta makes it stateful to a 
point, but it can get ugly with enough traffic.

Place the blame for local resolvers listening on WAN squarely where it 
belongs - the router vendors who make these devices.

You can't do anything about idiots buying a pro-sumer/professional 
device like an EdgeRouter and misconfiguring it, but Linksys/Cisco, 
D-Link, Netgear, etc that are targeted towards home users should be held 
to the fire for that kind of screw up.

-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org    /     http://www.ahbl.org