On Mon, 1 Apr 2013 20:33:36 +0200 (CEST) Mikael Abrahamsson <swmike@swm.pp.se> wrote:
You're sending queries, not replies. That's why DPI is needed to do the blocking, rather than just by port.
What queries are sourced from port 53 nowadays?
I would expect from stubs this will be close enough to zero to be effectively zero. At least I would hope so. I don't have a great source of insight for a resolver of this type of source data that I can easily look at, at the moment, but if someone does I'd be interested to hear otherwise. On the authoritative side, which is easier for me to examine, however, when I've looked at this before (the last time was a year ago), about 1% of all queries came from resolvers using source port 53. I just now checked another server and the percentage is practically the same. Before anyone dismisses 1% of queries as insignificant, keep in mind that if all remaining queries from all other possible source port values were equally distributed, that 1% (1 out of 100) is easily more common than any other.

John
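The measurement described in this reply (share of queries arriving at an authoritative server with UDP source port 53, compared against what any single port would get if the remainder were spread evenly over the ephemeral range) can be reproduced from a query log. The following is an added example, not code from the thread or from any DNS server project; it assumes BIND-style query-log lines of the shape `client IP#PORT (name): query: ...`, and the log lines it analyses are constructed with a seeded generator rather than taken from real traffic. The regex, the `build_sample_log` helper and the uniform-distribution comparison are all assumptions made for this example.

```python
import random
import re
from collections import Counter

# BIND-style query log lines carry the client address as "IP#PORT"; the optional
# "@0x..." token is the client handle newer versions print. Assumed format, not
# taken from the thread.
CLIENT_PORT_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(\d+\.\d+\.\d+\.\d+)#(\d+)")


def build_sample_log(n_queries=200, port53_count=2, seed=1):
    """Constructed sample log (not real traffic): a few queries from source
    port 53, the rest from pseudo-random ephemeral ports 1024-65535."""
    rng = random.Random(seed)
    lines = []
    for i in range(n_queries):
        port = 53 if i < port53_count else rng.randint(1024, 65535)
        lines.append(
            f"client 192.0.2.{i % 200 + 1}#{port} (example.com): "
            f"query: example.com IN A +E(0)"
        )
    return lines


def source_port_stats(lines):
    """Count queries per client source port and report the port-53 share
    next to the single most common other port."""
    ports = Counter()
    for line in lines:
        m = CLIENT_PORT_RE.search(line)
        if m:
            ports[int(m.group(2))] += 1
    total = sum(ports.values())
    port53 = ports[53]
    others = {p: c for p, c in ports.items() if p != 53}
    if others:
        top_other_port, top_other_count = max(others.items(), key=lambda kv: kv[1])
    else:
        top_other_port, top_other_count = None, 0
    return {
        "total": total,
        "port53": port53,
        "port53_share": port53 / total if total else 0.0,
        "top_other_port": top_other_port,
        "top_other_share": top_other_count / total if total else 0.0,
    }


def uniform_other_share(port53_share, n_ports=65535):
    """Share any one of the other ports would receive if the non-port-53
    remainder were spread evenly over the remaining n_ports - 1 ports.
    This is the comparison the reply makes for its 1% figure."""
    return (1.0 - port53_share) / (n_ports - 1)


if __name__ == "__main__":
    stats = source_port_stats(build_sample_log())
    even = uniform_other_share(stats["port53_share"])
    print(f"queries: {stats['total']}, from source port 53: {stats['port53']} "
          f"({stats['port53_share']:.2%})")
    print(f"most common other port: {stats['top_other_port']} "
          f"({stats['top_other_share']:.2%})")
    print(f"per-port share if the rest were uniform: {even:.6%}")
```

Run against a real query log by replacing `build_sample_log()` with the file's lines; only the `client IP#PORT` token is parsed, so the rest of the line format does not matter. A port-53 share that dwarfs `uniform_other_share` is exactly the situation the reply describes, and it is why any port-based filter on queries would still hit a visible fraction of legitimate resolver traffic.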