In message <201206120146.q5c1kq6t057...@calcite.rhyolite.com>, Vernon Schryver writes:

> > From: Chris Adams <cmad...@hiwaay.net>
>
> > Once upon a time, Mark Andrews <ma...@isc.org> said:
> > > If we have Attacker -> CPE -> Auth -> CPE -> Target why isn't the CPE
> > > returning answers from its cache?
> >
> > Most of the CPE just run a DNS proxy (e.g. dnsmasq on Linux-based
> > boxes), not a full cache. Even if they ran a cache, the attack would
> > still be CPE->Target (just not going to another server in-between). It
>
> Why aren't ISPs blocking UDP source port 53 to the core under their
> old no-servers-for-consumers term of service?
Perhaps because it is a legitimate, though unwise, client source port that
is in lots of old configurations.

	listen-on { <internal address>; };
	query-source * port 53;

Additionally the OS is free to choose 53 as a source port if it wants for
a client. While some systems reserve low ports, not all do. This includes
NAT implementations.

> What is the common consumer ISP current practice for TCP port 25
> at the ISP/core boundary? If it is one of the many old flavors of
> blocking (e.g. always, prior arrangement, "business service"), why
> can't it be applied to UDP port 53?
>
> How many consumers would object if their "modems" can't answer or
> perhaps even hear UDP port 53 from the outer Internet?
>
> In other words, as with port 25, why must the rest of the Internet
> subsidize some often very big outfits by dealing with abuse that the
> outfits could deal with or at least contain within their own networks?
>
> Why not a blacklist/ACL/whatever similar to Spamhaus' PBL for TCP
> port 25? For that matter, why not apply the PBL to UDP port 53 on the
> grounds that IP addresses that should never be seen sending email also
> never need outside DNS service?

DNS best practice is to run your own recursive servers with validation
enabled. Do you really want to stop this?

> Of course, blocking consumer port 53 would not be a panacea, but
> it might reduce the proxies available for abuse.
>
>
> Vernon Schryver    v...@rhyolite.com
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
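An added illustration, not part of the thread, of the tension the two posters describe: a crude "drop UDP source port 53 leaving consumer space" rule also drops queries from a legacy client configured with `query-source * port 53`, whereas a rule that additionally reads the DNS QR bit drops only responses, which is the traffic an abused CPE proxy reflects. The sample traffic, the header builder and both filter functions are constructed here; the QR-aware rule is an assumption about how such a filter could be refined, not something either poster proposed.

```python
import struct

def dns_header(qr, txid=0x1234, qdcount=1, ancount=0):
    """Build a 12-byte DNS header (RFC 1035); qr=1 marks a response."""
    flags = (qr << 15) | (1 << 8)  # QR bit, plus RD as a normal client sets it
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)

def is_response(payload):
    """True if the QR bit of the DNS header is set (a response, not a query)."""
    if len(payload) < 12:
        return False
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000)

def crude_filter(proto, src_port, dst_port, payload):
    """The proposal as literally stated: drop every UDP datagram with source port 53."""
    return proto == "udp" and src_port == 53

def qr_aware_filter(proto, src_port, dst_port, payload):
    """Assumed refinement: drop only UDP *responses* from source port 53, i.e. what a
    CPE proxy reflects, while a legacy client's queries from port 53 still pass."""
    return proto == "udp" and src_port == 53 and is_response(payload)

# Constructed samples of traffic leaving a consumer access network towards the core:
# (description, protocol, source port, destination port, DNS payload)
SAMPLES = [
    # old BIND client with 'query-source * port 53' sending an ordinary query
    ("legacy client query", "udp", 53, 53, dns_header(qr=0)),
    # modern client using an ephemeral source port
    ("modern client query", "udp", 40123, 53, dns_header(qr=0)),
    # CPE proxy answering a query that arrived from the outside Internet (reflection)
    ("cpe proxy response outbound", "udp", 53, 51000, dns_header(qr=1, ancount=20)),
    # TCP is untouched by either rule
    ("tcp query", "tcp", 53, 53, dns_header(qr=0)),
]

def evaluate(policy):
    """Map each sample description to whether the given policy would drop it."""
    return {desc: policy(proto, sp, dp, pl) for desc, proto, sp, dp, pl in SAMPLES}

if __name__ == "__main__":
    for name, policy in (("crude", crude_filter), ("qr-aware", qr_aware_filter)):
        for desc, dropped in evaluate(policy).items():
            print(f"{name:9s} {desc:30s} {'DROP' if dropped else 'pass'}")
```

The QR-aware variant needs the filter to look into the UDP payload rather than only at the 5-tuple, which is a real cost at an ISP/core boundary and is part of why the crude rule is the one usually discussed.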