On 2/26/16 10:02 AM, Chris Adams wrote:
>> Except that half the time people run their own DNS resolvers because
>> their provider's resolvers are
> Resolver != authoritative server. Your local DNS resolver doesn't need
> to be (and should not be) listening to port 53 on the Internet. Only
> DNS authoritative servers need to accept Internet traffic on port 53,
> and almost nobody needs to be running one on a typical residential
> connection (especially since residential IPs do change from time to
> time).
UDP is a fun protocol - stateless, so blocking a DST of 53/UDP to the
customer also will block responses to recursive queries that originate
from SRC 53/UDP. Connection tracking sorta makes it stateful to a
point, but it can get ugly with enough traffic.
Place the blame for local resolvers listening on WAN squarely where it
belongs - the router vendors who make these devices.
You can't do anything about idiots buying a pro-sumer/professional
device like an EdgeRouter and misconfiguring it, but Linksys/Cisco,
D-Link, Netgear, etc. that are targeted towards home users should be held
to the fire for that kind of screw up.
--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
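An added illustration of the point about stateless UDP filtering, not code from anyone in this thread: a toy model of an edge filter that drops inbound UDP/53 toward a customer, with and without connection tracking. The addresses, the "legacy resolver querying from source port 53" flow and the bounded flow table are all constructed assumptions.

```python
"""Toy model of inbound UDP/53 filtering at a customer edge (constructed example)."""
from collections import OrderedDict

ALLOW, DROP = "ALLOW", "DROP"


class DnsEdgeFilter:
    """Policy for Internet -> customer UDP datagrams.

    Stateless: drop every inbound datagram whose destination port is 53.
    Conntrack: same drop, except datagrams that are the reverse of a flow the
    customer opened outbound are allowed (what connection tracking adds).
    """

    def __init__(self, conntrack: bool, max_flows: int = 1000):
        self.conntrack = conntrack
        self.max_flows = max_flows   # bounded state table: the "gets ugly" part
        self.flows = OrderedDict()   # (src, sport, dst, dport) -> True
        self.evicted = 0

    def outbound(self, src, sport, dst, dport):
        """Customer -> Internet datagram; record the flow if tracking."""
        if self.conntrack:
            key = (src, sport, dst, dport)
            self.flows.pop(key, None)
            self.flows[key] = True
            if len(self.flows) > self.max_flows:
                self.flows.popitem(last=False)  # oldest flow forgotten; its reply will be dropped
                self.evicted += 1
        return ALLOW

    def inbound(self, src, sport, dst, dport):
        """Internet -> customer datagram; decide ALLOW or DROP."""
        reverse = (dst, dport, src, sport)
        if self.conntrack and reverse in self.flows:
            del self.flows[reverse]        # one reply per tracked query
            return ALLOW
        return DROP if dport == 53 else ALLOW


def scenario(conntrack):
    """Three inbound datagrams under the chosen policy (constructed addresses)."""
    f = DnsEdgeFilter(conntrack)
    cust, upstream, stranger = "192.0.2.10", "198.51.100.53", "203.0.113.5"
    f.outbound(cust, 53, upstream, 53)                  # legacy resolver: queries from sport 53
    f.outbound(cust, 51234, upstream, 53)               # modern resolver: random source port
    legacy_reply = f.inbound(upstream, 53, cust, 53)    # answer to the sport-53 query
    modern_reply = f.inbound(upstream, 53, cust, 51234)  # answer to the random-port query
    unsolicited = f.inbound(stranger, 40000, cust, 53)  # query aimed at the customer's port 53
    return legacy_reply, modern_reply, unsolicited
```

Under the stateless policy the legacy resolver's own answers are lost along with the unsolicited query; connection tracking rescues them, at the cost of per-flow state that is capped by `max_flows`.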