On Tue, Mar 4, 2014 at 12:33 PM, Ian McDonald <iam@st-andrews.ac.uk> wrote:
> Until the average user's CPE is only permitted to use the resolvers one has provided as the provider (or otherwise decided are OK), this is going to be a game of whack-a-mole.
No. That is still just treating symptoms, and not the disease. This also creates an unacceptable annoyance for the most slightly technical user who needs to troubleshoot any DNS problems with their domains. When the ISP's nameservers are blocked, the script kiddies will set up a tunnel, or configure the DNS client to use a different UDP port number for DNS resolution, or adjust the router firmware to run tcpdump and upload session data to/from interesting web destinations, to a hostname on port 80.

--
-JH