26 Feb
2016
26 Feb
'16
1:17 p.m.
Mikael Abrahamsson wrote:
Why isn't UDP/53 blocked towards customers? I know historically there were resolvers that used UDP/53 as source port for queries, but is this the case nowadays?
I know providers that have blocked UDP/53 towards customers as a countermeasure to the amplification attacks. As far as I heard, there were no customer complaints.
Traffic from dns-spoofing attacks generally has src port = 53 and dst port = random. If you block packets with udp src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc. Nick