"you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc."
I'm fine with that. Residential customers shouldn't be running DNS servers anyway and as far as the outside resolvers to go, ehhhh... I see the case for OpenDNS given that you can use it to filter (though that's easily bypassed), but not really for any others. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Nick Hilliard" <n...@foobar.org> To: "Mikael Abrahamsson" <swm...@swm.pp.se> Cc: "NANOG list" <nanog@nanog.org> Sent: Friday, February 26, 2016 7:17:30 AM Subject: Re: Thank you, Comcast. Mikael Abrahamsson wrote: > Why isn't UDP/53 blocked towards customers? I know historically there > were resolvers that used UDP/53 as source port for queries, but is this > the case nowadays? > > I know providers that have blocked UDP/53 towards customers as a > countermeasure to the amplification attacks. As far as I heard, there > were no customer complaints. Traffic from dns-spoofing attacks generally has src port = 53 and dst port = random. If you block packets with udp src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc. Nick
