On Mon, Jun 11, 2012 at 11:32 PM, Vernon Schryver <v...@rhyolite.com> wrote:

>> To: Vernon Schryver <v...@rhyolite.com>
>> Cc: dns-operati...@mail.dns-oarc.net
>> From: Mark Andrews <ma...@isc.org>
>
>> > Why aren't ISPs blocking UDP source port 53 to the core under their
>> > old no-servers-for-consumers term of service?
>>
>> Perhaps because it is a legitimate, though unwise, client source port
>> that is in lots of old configurations.
>>
>> listen-on { <internal address>; };
>> query-source * port 53;
>
> I understand that's a good point for businesses and serious hobbyists,
> especially with old gear, but is it valid for consumer CPE that might
> be abused for DNS reflection attacks? How many of those Linux-based
> "modems" with DNS proxies are using source port 53? How many
> consumer ISP customers have DNS clients that use source port 53?
>
>> Additionally the OS is free to choose 53 as a source port if it
>> wants for a client. While some systems reserve low ports not all
>> do. This includes NAT implementations.
>
> That is more compelling than the DNS client source port 53 argument,
> but it also applies to port 25. At one time and for some consumer
> ISPs, it didn't rule. Maybe because of the counter argument that the
> worst case is a timeout and re-bind to another port.
>
However, since 53/udp is stateless and 25/tcp is not, you cast a much wider net blocking port 53 inbound than you do with port 25. At least with port 25 you can look at the TCP flags and recognize this is a new connection without keeping connection state.
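The stateless distinction the reply draws, as an added example that is not part of the thread: a small Python classifier over constructed raw IPv4 packets. For TCP it treats a SYN without ACK as a new connection (the only packet a stateless filter needs to drop to block port 25), while for UDP it can only report that a datagram touching port 53 is ambiguous, because nothing in the transport header says whether it is a client query from an old source-port-53 configuration or a server response. The addresses, ports and function names are assumptions made for the example.

```python
import struct

TCP, UDP = 6, 17          # IP protocol numbers
SYN, ACK = 0x02, 0x10     # TCP flag bits

def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    # Minimal 20-byte IPv4 header (constructed sample; checksum left at zero).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

def tcp(sport, dport, flags):
    # 20-byte TCP header: ports, seq, ack, data offset 5, flags, window, csum, urg.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def udp(sport, dport, payload=b""):
    # 8-byte UDP header followed by the datagram body.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(pkt, port):
    """Stateless verdict on a raw IPv4 packet with respect to `port`."""
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes
    proto = pkt[9]
    l4 = pkt[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if port not in (sport, dport):
        return "unrelated"
    if proto == TCP:
        flags = l4[13]
        # A SYN without ACK is the only packet that opens a connection,
        # so a stateless rule can drop just those and leave existing flows alone.
        return "new-connection" if flags & SYN and not flags & ACK else "existing-flow"
    if proto == UDP:
        # Query and response look identical at this layer; blocking port 53 hits both.
        return "ambiguous"
    return "other"

if __name__ == "__main__":
    print(classify(ipv4(TCP, tcp(40000, 25, SYN)), 25))        # new-connection
    print(classify(ipv4(TCP, tcp(25, 40000, SYN | ACK)), 25))  # existing-flow
    print(classify(ipv4(UDP, udp(53, 53)), 53))                # ambiguous (old-style client query)
    print(classify(ipv4(UDP, udp(53, 40000)), 53))             # ambiguous (server response)
```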