[nsp-sec] Port 53 Blocking on DSL/Cable Networks
Joe Abley
jabley at ca.afilias.info
Thu Jan 31 20:41:58 EST 2008
On 31-Jan-2008, at 20:23, <jonathan.curtis at bell.ca> wrote:
> Think of the impact ISPs had when we managed port 25.
The ability to originate arbitrary SMTP connections to anywhere in the
world is not even remotely the same as the ability to use the DNS. In
my opinion :-)
> The location of the port 53 management would be the first or second
> hop in the network from dynamically assigned end customers.
I like the way you say "management" when in fact you mean
"interference" :-)
> Port 53 MGMT could be blocking, redirection or other forms of mgmt
> on a per subscriber basis.
>
> In any event, I'm looking for common IPs used by end customers that
> choose to override the DNS cache server IPs provided by ISPs.
> There shouldn't be more than 40 legitimate open recursive DNS
> servers based on my research.
What, in your mind, makes an open recursive DNS server legitimate?
If I run a recursive resolver somewhere that I want to use for some
reason in preference to whatever some random ISP hands me, and I allow
access to that resolver based on the presence of a TSIG key, is that
legitimate? It's not open.
(Those of us working on DNSSEC deployment use such things frequently.)
Joe
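The kind of resolver Joe describes, recursion granted on the presence of a TSIG key rather than to the world, looks roughly like the following in BIND 9. This is an added illustration, not part of Joe's message; the key name, the commented-out "open" setting and the secret placeholder are assumptions, and the secret must be generated locally (for example with tsig-keygen) before the file will load.

```conf
// Constructed named.conf fragment (not from the original thread).
// Shared secret between the resolver and its intended clients.
key "resolver-access" {
    algorithm hmac-sha256;
    // Placeholder: paste the base64 secret printed by
    //   tsig-keygen -a hmac-sha256 resolver-access
    secret "<base64 secret from tsig-keygen>";
};

options {
    recursion yes;

    // Weak setting that makes this an *open* recursive resolver:
    // allow-recursion { any; };

    // Gated setting: recurse only for queries signed with the key.
    // Unsigned queries from arbitrary addresses are refused, so the
    // server is not "open" even though it accepts packets on port 53.
    allow-recursion   { key resolver-access; };
    allow-query-cache { key resolver-access; };

    // Unsigned clients can still reach any authoritative data the
    // server hosts, which is orthogonal to recursion.
    allow-query { any; };
};

// Client side (run from a shell): a signed query succeeds, the same
// query without -y is answered with REFUSED.
//   dig @resolver.example -y hmac-sha256:resolver-access:<base64 secret> www.example. A
//   dig @resolver.example www.example. A
```

The point for the port 53 discussion is that a network-level count of "open recursive servers" cannot see this distinction: a resolver like the one above answers on UDP/TCP 53 and recurses for its keyed clients, yet it is closed to everyone else.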