> People have been repeating the "DNS clients send from port 53" claim
> for almost as long as others have been talking about blocking port 25. Is
> it valid for consumer ISP customers? I bet not, but I don't know.
I have several gigabytes of pcap from *my* DNS clients indicating that for the majority of clients this is *not* the case. Source port is generally >= 1024 and seems pretty randomized (without having done any deeper analysis of this). A small minority of clients are sending DNS queries with a source port of 53.

What *could* make sense for my clients would be blocking inbound UDP port 53 traffic to the clients caught doing ANY queries for ripe.net or isc.org (blocking inbound UDP port 53 to the CPE WAN side, that is), and at the same time running a portal where those clients who needed it could easily remove such a block.

Steinar Haug, Nethelp consulting, sth...@nethelp.no

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
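The two measurements in the reply above (how client query source ports are distributed, and which clients send ANY queries for ripe.net or isc.org from behind the CPE) can be pulled out of a pcap with nothing but the Python standard library. The following is an added example written for this page, not code from the poster or from the dns-operations list: a minimal pcap/Ethernet/IPv4/UDP/DNS walker run over a constructed capture embedded in the script. The resolver address `RESOLVER`, the `WATCHED` name set, the client addresses and the `build_*` helpers are all assumptions made for the demo; on a real capture you would call `survey(open("clients.pcap", "rb").read())` instead.

```python
"""Survey client-side DNS query source ports in a pcap (added example, stdlib only)."""
import struct
from collections import Counter, defaultdict

RESOLVER = "192.0.2.1"              # assumed resolver address (RFC 5737 documentation range)
WATCHED = {"ripe.net", "isc.org"}   # ANY-query targets named in the post
QTYPE_ANY = 255


def _ip4(dotted):
    return bytes(int(x) for x in dotted.split("."))


def _dotted(raw):
    return ".".join(str(b) for b in raw)


def build_query(qname, qtype, txid=0x1234):
    """Encode a single-question DNS query (no name compression)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + struct.pack("!HH", qtype, 1)


def build_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/UDP frame around payload; checksums left zero (not needed for parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, _ip4(src), _ip4(dst))
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    return eth + ip + udp


def build_pcap(frames):
    """Little-endian pcap file, LINKTYPE_ETHERNET, one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_question(dns):
    """Return (qname, qtype) of the first question, or None if the message is unparseable."""
    if len(dns) < 12 or struct.unpack("!H", dns[4:6])[0] < 1:
        return None
    labels, off = [], 12
    while off < len(dns):
        n = dns[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointer / extended label: not valid in a plain question
            return None
        labels.append(dns[off:off + n].decode("ascii", "replace"))
        off += n
    else:
        return None
    if off + 2 > len(dns):
        return None
    return ".".join(labels).lower(), struct.unpack("!H", dns[off:off + 2])[0]


def iter_udp(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/UDP frame in the pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("not an Ethernet pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 ethertype only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17 or len(ip) < ihl + 8:                 # UDP only
            continue
        udp = ip[ihl:]
        sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
        yield _dotted(ip[12:16]), _dotted(ip[16:20]), sport, dport, udp[8:ulen]


def survey(pcap):
    """Bucket client->resolver query source ports; list sport-53 clients and watched-ANY clients."""
    buckets = Counter()
    port53_clients = set()
    any_clients = defaultdict(set)
    for src, _dst, sport, dport, payload in iter_udp(pcap):
        if dport != 53:            # responses and unrelated UDP are not client queries
            continue
        buckets["53" if sport == 53 else "<1024" if sport < 1024 else ">=1024"] += 1
        if sport == 53:
            port53_clients.add(src)
        q = parse_question(payload)
        if q and q[1] == QTYPE_ANY and q[0] in WATCHED:
            any_clients[src].add(q[0])
    return dict(buckets), port53_clients, dict(any_clients)


# Constructed sample capture: five clients plus one resolver->client frame (assumed data).
SAMPLE_PCAP = build_pcap([
    build_frame("192.0.2.10", RESOLVER, 41823, 53, build_query("example.com", 1)),
    build_frame(RESOLVER, "192.0.2.10", 53, 41823, build_query("example.com", 1)),  # skipped: dport != 53
    build_frame("192.0.2.10", RESOLVER, 59011, 53, build_query("example.com", 28)),
    build_frame("192.0.2.11", RESOLVER, 53, 53, build_query("ripe.net", QTYPE_ANY)),
    build_frame("192.0.2.12", RESOLVER, 33000, 53, build_query("isc.org", QTYPE_ANY)),
    build_frame("192.0.2.13", RESOLVER, 53, 53, build_query("example.net", 1)),
    build_frame("192.0.2.14", RESOLVER, 512, 53, build_query("example.org", 1)),
])

if __name__ == "__main__":
    buckets, p53, anyq = survey(SAMPLE_PCAP)
    print("source-port buckets:", buckets)
    print("clients querying from sport 53:", sorted(p53))
    print("candidates for an inbound UDP/53 block:", {c: sorted(n) for c, n in anyq.items()})
```

The direction filter (`dport == 53`) matters: a resolver's answers also carry port 53, but as the source, and counting those would make the "clients use port 53" share look much larger than it is. The ANY check only looks at the question section, which is enough here because the queries in a client-side capture are not compressed; answers are skipped before parsing. Only IPv4 is handled; add an ethertype `0x86dd` branch for IPv6 clients if the capture has them.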