[187773] in North American Network Operators' Group


Re: Thank you, Comcast.

daemon@ATHENA.MIT.EDU (Mike Hammett)
Fri Feb 26 07:36:52 2016

X-Original-To: nanog@nanog.org
Date: Fri, 26 Feb 2016 06:36:46 -0600 (CST)
From: Mike Hammett <nanog@ics-il.net>
Cc: NANOG list <nanog@nanog.org>
In-Reply-To: <alpine.DEB.2.02.1602260718460.11524@uplift.swm.pp.se>
Errors-To: nanog-bounces@nanog.org

I do on my network (well, the ISP, not the IX). It makes complete sense. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Mikael Abrahamsson" <swmike@swm.pp.se> 
To: "Jared Mauch" <jared@puck.nether.net> 
Cc: "NANOG list" <nanog@nanog.org> 
Sent: Friday, February 26, 2016 12:20:28 AM 
Subject: Re: Thank you, Comcast. 

On Thu, 25 Feb 2016, Jared Mauch wrote: 

> Make sure you permit TCP/53 for DNS queries so if TC=1 lookups work. 

Speaking of which, historically ISPs have been blocking TCP/135, TCP/445 
and a few others towards customers (at least that's what I know). TCP/25 
seems to be blocked as well. 

Why isn't UDP/53 blocked towards customers? I know historically there were 
resolvers that used UDP/53 as source port for queries, but is this the 
case nowadays? 

I know providers that have blocked UDP/53 towards customers as a 
countermeasure to the amplification attacks. As far as I heard, there were 
no customer complaints. 

-- 
Mikael Abrahamsson email: swmike@swm.pp.se 
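
As an added illustration (not part of either message, and not any provider's actual configuration), the sketch below models a stateless filter that drops UDP with destination port 53 towards customers and follows one customer lookup through it, including the TCP/53 retry after a TC=1 response. The `Packet` model, the function names and the two DNS headers are constructed for this example; reading "blocked towards customers" as a destination-port match is an assumption.

```python
import struct
from dataclasses import dataclass

# Constructed 12-byte DNS headers: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR, RD, RA
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR, TC, RD, RA

@dataclass(frozen=True)
class Packet:
    proto: str         # "udp" or "tcp"
    sport: int
    dport: int
    to_customer: bool  # True when travelling from the Internet towards the customer

def permitted(pkt: Packet) -> bool:
    """Assumed stateless policy: drop UDP to destination port 53 towards customers."""
    return not (pkt.to_customer and pkt.proto == "udp" and pkt.dport == 53)

def is_truncated(dns_msg: bytes) -> bool:
    """True for a DNS response (QR=1) that has the TC bit set."""
    _msg_id, flags = struct.unpack("!HH", dns_msg[:4])
    return bool(flags & 0x8000) and bool(flags & 0x0200)

def reply_to(query: Packet) -> Packet:
    """The answering packet: ports swapped, direction reversed."""
    return Packet(query.proto, query.dport, query.sport, not query.to_customer)

def lookup_succeeds(source_port: int, udp_reply: bytes) -> bool:
    """Follow one customer lookup through the filter, with the TCP retry on TC=1."""
    udp_query = Packet("udp", source_port, 53, to_customer=False)
    if not (permitted(udp_query) and permitted(reply_to(udp_query))):
        return False
    if not is_truncated(udp_reply):
        return True
    tcp_query = Packet("tcp", source_port, 53, to_customer=False)
    return permitted(tcp_query) and permitted(reply_to(tcp_query))

if __name__ == "__main__":
    print("ephemeral port, normal reply:", lookup_succeeds(40000, NORMAL_REPLY))
    print("ephemeral port, TC=1 reply:  ", lookup_succeeds(40000, TRUNCATED_REPLY))
    print("source port 53 resolver:     ", lookup_succeeds(53, NORMAL_REPLY))
    print("query to customer resolver:  ", permitted(Packet("udp", 40000, 53, True)))
```

Only the last two cases are affected by the filter: a resolver that still sends queries from source port 53 loses its replies, and queries arriving at a customer-hosted resolver are dropped.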

