[nsp-sec] Port 53 Blocking on DSL/Cable Networks
jonathan.curtis at bell.ca
Thu Jan 31 20:23:21 EST 2008
Think of the impact ISPs had when we managed port 25.
The location of the port 53 management would be the first or second hop in the network from dynamically assigned end customers.
Port 53 management could be blocking, redirection or other forms of management on a per-subscriber basis.
In any event, I'm looking for common IPs used by end customers that choose to override the DNS cache server IPs provided by ISPs. There shouldn't be more than 40 legitimate open recursive DNS servers based on my research.
Thanks,
Jonathan
Jonathan Curtis
+1.613.781.0968
----- Original Message -----
From: Joe Abley <jabley at ca.afilias.info>
To: Curtis, Jonathan (P010329)
Cc: nsp-security at puck.nether.net <nsp-security at puck.nether.net>
Sent: Thu Jan 31 17:01:39 2008
Subject: Re: [nsp-sec] Port 53 Blocking on DSL/Cable Networks
On 31-Jan-2008, at 13:16, <jonathan.curtis at bell.ca> wrote:
> Has anyone taken a serious look at blocking these ports externally on
> their networks?
>
> Reasons I ask:
>
> 1. Prevent Home Gateway Pharming / Phishing
>
> http://www.news.com/8301-10789_3-9855195-57.html
>
> http://www.cert.org.mx/imagenes/dns.png
Blocking 53/udp is a really bad way to try and fix that problem.
> 2. Protect TLDs and Root Servers from direct attacks from Cable - DSL
> customers
Speaking as the operator of a dozen or so TLDs, I'd rather get the
traffic than have to try and deal with the multi-layer troubleshooting
nightmare that widespread 53/udp blocking might cause.
Joe
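The measurement Jonathan asks for above (which external resolvers subscribers are using instead of the ISP's caches, and which of those are shared by many subscribers) can be scripted against per-subscriber flow records. The following is an added example written for this page, not code from either poster or from Bell; the flow lines, the subscriber pool (192.0.2.0/24) and the ISP cache addresses (198.51.100.53/54) are constructed from RFC 5737 documentation ranges, and the allowlist holds only the two OpenDNS resolver addresses. The "redirect-to-isp-cache" action is illustrative of the per-subscriber management Jonathan describes, not a recommendation; it ranks unknown resolvers so that a human can decide whether a cluster is a legitimate open resolver missing from the allowlist or a set of repointed home gateways, which is exactly the distinction a blanket 53/udp block cannot make.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of netflow-style records: src dst proto dport packets.
# Sources are in the assumed dynamic subscriber pool; destinations use RFC 5737
# documentation space except the OpenDNS entry. Not real traffic.
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.53 udp 53 40
192.0.2.10 198.51.100.54 udp 53 12
192.0.2.11 208.67.222.222 udp 53 30
192.0.2.12 203.0.113.77 udp 53 55
192.0.2.13 203.0.113.77 udp 53 61
192.0.2.14 203.0.113.77 tcp 53 3
192.0.2.15 203.0.113.9 udp 53 2
192.0.2.11 203.0.113.200 tcp 443 10
"""

SUBSCRIBER_POOL = ip_network("192.0.2.0/24")  # assumed dynamically assigned customer range
ISP_RESOLVERS = {ip_address("198.51.100.53"), ip_address("198.51.100.54")}  # assumed ISP caches
PUBLIC_RESOLVER_ALLOWLIST = {  # known open recursive resolvers (OpenDNS); extend from your own research
    ip_address("208.67.222.222"),
    ip_address("208.67.220.220"),
}


def parse_flows(text):
    """Keep only port-53 flows whose source is a subscriber; drop everything else."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, pkts = line.split()
        src, dst = ip_address(src), ip_address(dst)
        if int(dport) != 53 or src not in SUBSCRIBER_POOL:
            continue
        flows.append({"src": src, "dst": dst, "proto": proto, "pkts": int(pkts)})
    return flows


def classify(dst):
    """Class of a DNS destination: the ISP's own cache, an allowlisted open resolver, or unknown."""
    if dst in ISP_RESOLVERS:
        return "isp"
    if dst in PUBLIC_RESOLVER_ALLOWLIST:
        return "allowlisted"
    return "unknown"


def resolver_usage(flows):
    """Map each DNS destination to (class, sorted list of subscribers using it)."""
    usage = defaultdict(set)
    for f in flows:
        usage[f["dst"]].add(f["src"])
    return {str(dst): (classify(dst), sorted(str(s) for s in subs)) for dst, subs in usage.items()}


def overriding_resolvers(flows, min_subscribers=2):
    """Unknown resolvers shared by at least min_subscribers, most-used first.

    A cluster of subscribers on one unknown resolver is either a legitimate open
    resolver missing from the allowlist or a sign that home gateways have been
    repointed (pharming). Either way it needs a human decision before any filter.
    """
    subs = defaultdict(set)
    for f in flows:
        if classify(f["dst"]) == "unknown":
            subs[f["dst"]].add(f["src"])
    ranked = sorted(subs.items(), key=lambda kv: (-len(kv[1]), int(kv[0])))
    return [(str(dst), len(s)) for dst, s in ranked if len(s) >= min_subscribers]


def per_subscriber_policy(flows):
    """Illustrative first-hop action per subscriber: allow known resolvers, redirect the rest."""
    policy = {}
    for f in flows:
        action = "allow" if classify(f["dst"]) != "unknown" else "redirect-to-isp-cache"
        # One unknown destination is enough to move a subscriber to the redirect action.
        if policy.get(str(f["src"])) != "redirect-to-isp-cache":
            policy[str(f["src"])] = action
    return policy


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for dst, count in overriding_resolvers(flows):
        print(f"unknown resolver {dst} used by {count} subscribers")
    for sub, action in sorted(per_subscriber_policy(flows).items()):
        print(f"{sub}: {action}")
```

On the sample, 203.0.113.77 is reported as an unknown resolver shared by three subscribers, while the subscriber using OpenDNS and the one using only the ISP caches stay on "allow". Running this over real flow exports is the step that would confirm or refute the "no more than 40 legitimate open resolvers" figure before any per-subscriber filter is deployed.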