I do on my network (well, the ISP, not the IX). It makes complete sense.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "Mikael Abrahamsson" <swmike@swm.pp.se>
To: "Jared Mauch" <jared@puck.nether.net>
Cc: "NANOG list" <nanog@nanog.org>
Sent: Friday, February 26, 2016 12:20:28 AM
Subject: Re: Thank you, Comcast.

On Thu, 25 Feb 2016, Jared Mauch wrote:
> Make sure you permit TCP/53 for DNS queries so if TC=1 lookups work.
Speaking of which, historically ISPs have been blocking TCP/135, TCP/445 and a few others towards customers (at least that's what I know). TCP/25 seems to be blocked as well. Why isn't UDP/53 blocked towards customers? I know historically there were resolvers that used UDP/53 as source port for queries, but is this the case nowadays? I know providers that have blocked UDP/53 towards customers as a countermeasure to the amplification attacks. As far as I heard, there were no customer complaints.

--
Mikael Abrahamsson
email: swmike@swm.pp.se
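The customer-edge filtering policy discussed in the thread, modelled as an added example (this is not code from the thread, from NANOG, or from any ISP named in it). It treats "towards customers" as packets whose destination lies in a customer prefix and evaluates a stateless ACL against constructed sample flows. The customer prefix, the sample addresses and the ephemeral port numbers are assumptions; only the port list (TCP/25, TCP/135, TCP/445, UDP/53 blocked; TCP/53 permitted) comes from the messages above. The interesting rows are the two replies from a remote DNS server: a resolver using a random source port is unaffected, while a legacy resolver that queried from source port 53 has its replies dropped, which is the collateral damage Mikael asks about.

```python
"""Model of an ISP customer-facing ACL (constructed example, not any ISP's real config)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed customer address block; 192.0.2.0/24 is a documentation range, not a real customer.
CUSTOMER_NET = ip_network("192.0.2.0/24")

# Destination ports the thread lists as filtered "towards customers".
BLOCKED_TCP_DPORTS = {25, 135, 445}
# The amplification countermeasure Mikael mentions: drop UDP/53 towards customers.
BLOCKED_UDP_DPORTS = {53}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def towards_customer(pkt: Packet) -> bool:
    """True when the packet is heading into the customer prefix."""
    return ip_address(pkt.dst) in CUSTOMER_NET


def acl_decision(pkt: Packet) -> str:
    """Return 'permit' or 'deny' for a packet crossing the customer edge.

    The ACL is stateless and only inspects destination ports, so customer-originated
    traffic and replies to randomised source ports are never matched.
    """
    if not towards_customer(pkt):
        return "permit"                      # outbound from customer: not filtered here
    if pkt.proto == "tcp" and pkt.dport in BLOCKED_TCP_DPORTS:
        return "deny"
    if pkt.proto == "udp" and pkt.dport in BLOCKED_UDP_DPORTS:
        return "deny"
    return "permit"                          # TCP/53 stays open, so TC=1 retries work


# Constructed sample flows (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_FLOWS = {
    # External query aimed at a customer-run open resolver: the amplification vector.
    "query_to_customer_open_resolver": Packet("udp", "198.51.100.7", 40000, "192.0.2.10", 53),
    # Reply to a modern resolver that queried from a random source port: passes.
    "reply_to_random_port_resolver": Packet("udp", "203.0.113.53", 53, "192.0.2.10", 51234),
    # Reply to a legacy resolver that queried from source port 53: dropped (collateral).
    "reply_to_source_port_53_resolver": Packet("udp", "203.0.113.53", 53, "192.0.2.10", 53),
    # TCP/53 towards a customer DNS server (e.g. a TC=1 retry): permitted.
    "tcp53_towards_customer": Packet("tcp", "203.0.113.53", 44444, "192.0.2.10", 53),
    # SMB and SMTP towards customers: the historically filtered ports.
    "smb_towards_customer": Packet("tcp", "198.51.100.7", 44445, "192.0.2.10", 445),
    "smtp_towards_customer": Packet("tcp", "198.51.100.7", 44446, "192.0.2.10", 25),
    # Customer's own outbound query: never matched by a towards-customer ACL.
    "customer_outbound_query": Packet("udp", "192.0.2.10", 51234, "203.0.113.53", 53),
}


def evaluate_all() -> dict:
    """Map each sample flow name to the ACL decision."""
    return {name: acl_decision(pkt) for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        pkt = SAMPLE_FLOWS[name]
        print(f"{decision:6} {pkt.proto}/{pkt.dport:<5} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  ({name})")
```

Running the script prints one line per sample flow; swapping the port sets or adding a flow with a customer-side source port of 53 is enough to see exactly which customer behaviour a given filter would break before deploying it.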