I posted to NANOG:
Jerry Pasker <info@n-connect.net> wrote:
fine. (after a few tries) I'm using BIND 9.2.4 without the eye pee vee six stuff compiled in. Because I don't want to start something, no discussion about me blocking port 53, ok? I got tired of gobs of log files of script kiddies trying to download my domains 5 years ago...
Steve Sobol replied with:
I'm not going to enter into a long discussion with you. :)
I'm just curious why you didn't restrict AXFR to certain IPs instead.
And I'm posting back to NANOG:

I did. And I had router ACLs doing the same thing. Allow to hosts that needed it, deny for everyone else. And I did this to ALL my DNS servers. I was getting DoSed one day, somewhere in the whereabouts of about 2001, and put in the ACLs, immediately expecting it to break things (truncated responses needing TCP and/or other things that I didn't foresee). Much to my dismay, it broke nothing. Despite me looking for problems, and asking and pleading with my techies to find trouble tickets related to this issue, it didn't happen. I revisited the issue periodically. Every time there was an unexplained DNS issue, I would think "it must be the port 53 block!" but alas, I was disappointed each and every time. I've removed and added the ACLs countless times over the years troubleshooting various DNS issues, but this is the first time that removing them actually solved anything.

See, I *WANTED* there to be a problem in blocking port 53, I *BELIEVED* all the talk that it would cause problems, but that problem never showed up. Over the years, eventually I just slowly arrived at the conclusion that all the talk was from people who talked, not from people who were brave enough to try it in a production environment. 4 years later, I was proved "inconclusive": Blocking port 53 does break things to servers that are already (apparently?) broken.

-Jerry
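An added example, not part of the thread, of the one failure mode Jerry expected from a TCP/53 ACL: a resolver that gets a UDP answer with the TC (truncation) bit set must retry the same query over TCP, and an ACL that drops TCP/53 turns that retry into a timeout. The two DNS messages below are constructed by hand (not captured), and `example.net` is a placeholder name.

```python
import struct

# DNS header is six 16-bit fields: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
# FLAGS bits used here: QR=0x8000, TC=0x0200, RD=0x0100, RA=0x0080 (RFC 1035).
TC_BIT = 0x0200

def build_header(msg_id, flags, qd=1, an=0, ns=0, ar=0):
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)

def encode_qname(name):
    # Wire-format name: length-prefixed labels terminated by a zero byte.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "tc": bool(flags & TC_BIT)}

def needs_tcp_fallback(udp_response):
    """True when the UDP answer was truncated and the resolver must retry over TCP/53."""
    return parse_header(udp_response)["tc"]

def classify(udp_response):
    # "tcp" marks a lookup that a TCP/53 ACL would convert into a failure.
    return "tcp" if needs_tcp_fallback(udp_response) else "done"

# Constructed sample messages: an MX question for a placeholder name,
# answered once normally and once with TC=1 (large answer did not fit in UDP).
QUESTION = encode_qname("example.net") + struct.pack("!HH", 15, 1)  # QTYPE=MX, QCLASS=IN
FULL_RESPONSE = build_header(0x1234, 0x8180) + QUESTION       # QR|RD|RA
TRUNCATED_RESPONSE = build_header(0x1234, 0x8380) + QUESTION  # QR|TC|RD|RA

if __name__ == "__main__":
    for label, resp in (("full", FULL_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        print(label, classify(resp))
```

The same check is what a resolver does internally; the practical caveat from the thread is that until an authoritative server actually emits a truncated answer, a TCP/53 block will look harmless.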