[162032] in North American Network Operators' Group


Re: Open Resolver Problems

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Mon Apr 1 12:18:28 2013

From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <5C89A2B7-5832-4055-A41A-6529059C7F7C@arbor.net>
Date: Mon, 1 Apr 2013 12:18:18 -0400
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Apr 01, 2013, at 12:09, "Dobbins, Roland" <rdobbins@arbor.net> wrote:
> On Apr 1, 2013, at 11:03 PM, Patrick W. Gilmore wrote:
>
>> You can always make an exception if the user is extremely loud.
>
> It might be a good idea to make pinholes for the Google and OpenDNS recursors, as they're fairly popular.
>
> I agree that this is a good idea, similar to the same sort of network access policy as relates to SMTP.

Ahhh, silly of me, I read the post from Milt too quickly.

I was going to suggest queries _into_ the broadband user space, not out of. If you only block into, OpenDNS, GoogleDNS, etc. are not an issue.

Blocking could be done with DPI. It can also be done by blocking UDP port 53. (Don't need to block TCP53 since that removes the amplification problem.) However, there are some (idiotic) name servers that do 53<>53. Not sure how to handle those, or more importantly, how many broadband customers legitimately use an off-net _and_ brain-dead name server? And even if they do, will they fall back to TCP?

Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :)

-- 
TTFN,
patrick
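As an added illustration, not code from the thread, the inbound filter Patrick describes modelled as a small Python classifier over constructed sample packets: drop UDP with destination port 53 heading into the subscriber prefix, leave TCP/53 alone, and pinhole the popular recursors. The subscriber prefix and packet addresses are constructed documentation values; the pinhole list uses the well-known public addresses of the Google and OpenDNS recursors Roland mentions.

```python
"""Model of an inbound UDP/53 filter toward broadband subscriber space.

Added example (not from the post). Shows which packets such a filter
drops, why TCP/53 can stay open, and the collateral damage to clients
that query from source port 53 ("53<>53") to a non-pinholed server.
"""
import ipaddress

# Constructed subscriber pool (RFC 5737 documentation prefix).
SUBSCRIBER_SPACE = ipaddress.ip_network("192.0.2.0/24")

# Pinholed recursors: Google Public DNS and OpenDNS anycast addresses.
PINHOLED_RECURSORS = {ipaddress.ip_address(a) for a in
                      ("8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220")}


def inbound_udp53_policy(proto, src_ip, src_port, dst_ip, dst_port):
    """Return ("permit"|"deny", reason) for one packet entering the pool."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst not in SUBSCRIBER_SPACE:
        return ("permit", "not inbound to subscriber space")
    if proto != "udp":
        # TCP/53 needs a completed handshake, so a spoofed source cannot
        # be used to bounce a large answer at a victim: no amplification.
        return ("permit", "TCP 53 left open")
    if dst_port != 53:
        # Ordinary replies land on the client's ephemeral source port.
        return ("permit", "UDP reply to ephemeral port")
    if src in PINHOLED_RECURSORS:
        return ("permit", "pinhole for well-known recursor")
    return ("deny", "UDP dport 53 into subscriber space")


# Constructed sample packets, one per case discussed in the thread.
SAMPLE_PACKETS = [
    ("udp", "198.51.100.7", 51000, "192.0.2.10", 53),   # query at an open resolver in the pool
    ("udp", "203.0.113.53", 53, "192.0.2.10", 41234),   # normal reply to ephemeral port
    ("tcp", "203.0.113.53", 53, "192.0.2.10", 44000),   # TCP/53, unaffected
    ("udp", "8.8.8.8", 53, "192.0.2.10", 53),           # 53<>53 client, pinholed recursor
    ("udp", "203.0.113.53", 53, "192.0.2.10", 53),      # 53<>53 client, random off-net server
]


def evaluate(packets=SAMPLE_PACKETS):
    """Verdict for each sample packet, in order."""
    return [inbound_udp53_policy(*pkt)[0] for pkt in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate()):
        print(f"{verdict:6s} {pkt}")
```

The last packet is the collateral case from the post: a brain-dead client using source port 53 against an off-net server loses its UDP replies and must fall back to TCP.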
