Home page logo
/

nanog logo nanog mailing list archives

Re: Open Resolver Problems
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Mon, 1 Apr 2013 12:18:18 -0400

On Apr 01, 2013, at 12:09 , "Dobbins, Roland" <rdobbins () arbor net> wrote:
On Apr 1, 2013, at 11:03 PM, Patrick W. Gilmore wrote:

You can always make an exception if the user is extremely loud.

It might be a good idea to make pinholes for the Google and OpenDNS recursors, as they're fairly popular.

I agree that this is a good idea, similar to the same sort of network access policy as relates to SMTP.  

Ahhh, silly of me, I read the post form Milt too quickly.

I was going to suggest queries _into_ the broadband user space, not out of. If you only block into, OpenDNS, GoogleDNS, 
etc. are not an issue.

Blocking could be done with DPI. It can also be done by blocking UDP port 53. (Don't need to block TCP53 since that 
removes the amplification problem.) However, there are some (idiotic) name servers that do 53<>53. Not sure how to 
handle those, or more importantly, how many broadband customers legitimately use an off-net _and_ brain-dead name 
server? And even if they do, will they fall back to TCP?

Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :)

-- 
TTFN,
patrick



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]