[187774] in North American Network Operators' Group
Re: Thank you, Comcast.
daemon@ATHENA.MIT.EDU (Nick Hilliard)
Fri Feb 26 08:17:36 2016
X-Original-To: nanog@nanog.org
X-Envelope-To: nanog@nanog.org
Date: Fri, 26 Feb 2016 13:17:30 +0000
From: Nick Hilliard <nick@foobar.org>
To: Mikael Abrahamsson <swmike@swm.pp.se>
In-Reply-To: <alpine.DEB.2.02.1602260718460.11524@uplift.swm.pp.se>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Mikael Abrahamsson wrote:
> Why isn't UDP/53 blocked towards customers? I know historically there
> were resolvers that used UDP/53 as source port for queries, but is this
> the case nowadays?
>
> I know providers that have blocked UDP/53 towards customers as a
> countermeasure to the amplification attacks. As far as I heard, there
> were no customer complaints.
Traffic from dns-spoofing attacks generally has src port = 53 and dst
port = random. If you block packets with udp src port=53 towards
customers, you will also block legitimate return traffic if the
customers run their own DNS servers or use opendns / google dns / etc.
Nick
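The two filtering approaches implied by this exchange, as an added example that is not part of the original thread or anyone's production ACL: a stateless rule that drops every toward-customer UDP packet with source port 53, and a stateful alternative that admits a source-port-53 packet only when it answers a query the customer was seen to send. All addresses, ports and packets below are constructed from the documentation ranges (TEST-NET-1/2/3); `Packet`, `stateless_filter` and `stateful_filter` are hypothetical names for this illustration.

```python
from collections import namedtuple

# Constructed packet model: one UDP datagram and the direction it is flowing.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port towards_customer")


def stateless_filter(packets):
    """Drop every packet towards customers whose UDP source port is 53.

    This is the blunt rule discussed above: it stops reflected DNS traffic,
    but it cannot tell a spoofed reply from a legitimate one, so answers
    to the customer's own queries (to a public resolver, or to a DNS server
    the customer runs) are dropped too.
    """
    return [p for p in packets
            if not (p.towards_customer and p.src_port == 53)]


def stateful_filter(packets):
    """Admit a src-port-53 packet towards a customer only if the customer
    was previously seen sending a query to that server from that port.

    'pending' holds (customer_ip, customer_port, server_ip) for outbound
    queries that have not been answered yet. A reply that matches the
    reversed tuple is passed once; an unsolicited one is dropped.
    """
    pending = set()
    passed = []
    for p in packets:
        if not p.towards_customer:
            # Customer -> Internet: remember outbound DNS queries.
            if p.dst_port == 53:
                pending.add((p.src_ip, p.src_port, p.dst_ip))
            passed.append(p)
            continue
        if p.src_port == 53:
            key = (p.dst_ip, p.dst_port, p.src_ip)
            if key in pending:
                pending.discard(key)   # one query, one answer
                passed.append(p)
            # Unsolicited src-port-53 traffic towards the customer is dropped.
            continue
        passed.append(p)
    return passed


# Constructed sample traffic. 192.0.2.0/24 is the customer prefix,
# 203.0.113.53 a public resolver, 198.51.100.5 a reflector sending
# unsolicited answers to a customer that never asked.
SAMPLE = [
    Packet("192.0.2.10", 40000, "203.0.113.53", 53, False),   # customer query
    Packet("203.0.113.53", 53, "192.0.2.10", 40000, True),    # legitimate reply
    Packet("198.51.100.5", 53, "192.0.2.20", 3333, True),     # unsolicited reply
    Packet("192.0.2.30", 50000, "203.0.113.9", 443, False),   # unrelated flow
    Packet("203.0.113.9", 443, "192.0.2.30", 50000, True),    # unrelated reply
]


def legitimate_reply_survives(filter_fn, packets=SAMPLE):
    """True if the customer's own resolver answer made it through filter_fn."""
    return any(p.src_ip == "203.0.113.53" and p.towards_customer
               for p in filter_fn(packets))


def unsolicited_reply_survives(filter_fn, packets=SAMPLE):
    """True if the reflected, never-requested answer made it through filter_fn."""
    return any(p.src_ip == "198.51.100.5" for p in filter_fn(packets))


if __name__ == "__main__":
    for name, fn in (("stateless", stateless_filter), ("stateful", stateful_filter)):
        print(f"{name:9s} passed={len(fn(SAMPLE))} "
              f"legit_reply={legitimate_reply_survives(fn)} "
              f"unsolicited={unsolicited_reply_survives(fn)}")
```

Run stand-alone, the stateless rule passes three of the five packets and discards the customer's own resolver answer along with the unsolicited one; the stateful rule passes four, keeping the answer the customer asked for while still discarding the reflected traffic. The tracking table is the cost: a real implementation needs an entry timeout and a bound on table size, which is exactly the state a stateless port filter avoids.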