nanog mailing list archives

Re: Open Resolver Problems
From: John Kristoff <jtk () cymru com>
Date: Tue, 2 Apr 2013 17:18:08 -0500

On Mon, 1 Apr 2013 20:33:36 +0200 (CEST)
Mikael Abrahamsson <swmike () swm pp se> wrote:

You're sending queries, not replies.  That's why DPI is needed to
do the blocking, rather than just by port.

What queries are sourced from port 53 nowadays?

I would expect from stubs this will be close enough to zero to be
effectively zero.  At least I would hope so.  I don't have a great
source of insight for a resolver of this type of source data that I
can easily look at at the moment, but if someone does I'd be interested
to hear otherwise.

On the authoritative side, however, which is easier for me to examine,
when I've looked at this before (the last time was a year ago),
about 1% of all queries came from resolvers using source port 53.  I
just now checked another server and the percentage is practically the
same.  Before anyone dismisses 1% of queries as insignificant, keep in
mind that if all remaining queries from all other possible source port
values were equally distributed, that 1% (1 out of 100) is easily more
common than any other.

John
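
The measurement and comparison described in the message above, as an added example that is not part of the original post: it tallies client source ports from authoritative-server query logs and compares port 53's share with what any single other port would get under an even spread. The log lines are constructed samples in BIND 9 query-log style, and the function names and the 65535 "other ports" figure are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (BIND 9 style: "client <address>#<source port>").
SAMPLE_LOG = """\
02-Apr-2013 17:00:01.101 client 192.0.2.10#53: query: example.com IN A -E (203.0.113.1)
02-Apr-2013 17:00:02.202 client 192.0.2.11#40213: query: example.com IN AAAA -E (203.0.113.1)
02-Apr-2013 17:00:03.303 client 2001:db8::5#53: query: www.example.com IN A -E (203.0.113.1)
02-Apr-2013 17:00:04.404 client 198.51.100.7#61002: query: example.com IN MX -E (203.0.113.1)
02-Apr-2013 17:00:05.505 client 198.51.100.8#1025: query: example.com IN NS -E (203.0.113.1)
02-Apr-2013 17:00:06.606 general: info: zone example.com/IN: loaded serial 2013040201
"""

# Newer BIND versions put "@0x..." between "client" and the address; allow both.
CLIENT_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?([0-9A-Fa-f:.]+)#(\d+)")


def source_port_counts(lines):
    """Count queries per client source port, skipping non-query log lines."""
    counts = Counter()
    for line in lines:
        match = CLIENT_RE.search(line)
        if match and "query:" in line:
            counts[int(match.group(2))] += 1
    return counts


def port_share(counts, port=53):
    """Fraction of all logged queries that came from `port`."""
    total = sum(counts.values())
    return counts[port] / total if total else 0.0


def ratio_to_uniform(share, other_ports=65535):
    """How many times more common a port with `share` of the traffic is than
    any one of `other_ports` ports splitting the remainder evenly.
    Assumption: the full 16-bit range minus the port itself (65535 values)."""
    if share >= 1.0:
        return float("inf")
    return share / ((1.0 - share) / other_ports)


if __name__ == "__main__":
    counts = source_port_counts(SAMPLE_LOG.splitlines())
    print(f"port 53 share in sample: {port_share(counts):.0%}")
    print(f"1% share vs. even spread: {ratio_to_uniform(0.01):.0f}x")
```
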

