[dns-operations] If I were the suspicious type.... (was: DNS Amplification Attacks)

Paul Vixie paul at vix.com
Thu Mar 23 18:10:41 UTC 2006


# For people who used to do stuff via port 25, there are alternatives yes? 
# The ports associated with authenticated mail access?

yes, although many ISPs who block tcp/25 also block tcp/587.  they won't
say why, but presumably it's so they can somehow charge money for outbound
e-mail.

# Is a similar alternative available to users of port 53?

if you mean, for operational dns, that's IPsec tunnels or TSIG(Query).

if you mean, for diagnostic purposes, that's some kind of looking-glass thing.

# Is it sufficient to simply block 53/udp rather than 53/* ?

while that would not be profitably spoofable, it isn't in the best interests
of the open recursive nameserver operator.  also, there's no knob on any
common dns stub resolver (microsoft or bind) to say "use tcp on all queries"
and so you'd be depending on an initial icmp-portunreach or whatever,
which would be a performance penalty when it came, and often wouldn't come.

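The message above turns on how a stub resolver actually chooses its transport: it sends over UDP and only moves to TCP when the UDP reply comes back with the TC (truncated) bit set, so filtering 53/udp leaves it with nothing to fall back on. The following is an added example, not code from the message, from Paul Vixie, or from the dns-operations list. It builds real RFC 1035 wire-format queries and responses, frames them for TCP with the 2-byte length prefix, and runs a small stub-style resolve loop against a constructed in-memory responder (`FakeNetwork`, `make_response`, and the stub behaviour in `resolve` are all assumptions for illustration, not BIND or Microsoft code). It also reports the UDP response-to-query size ratio, which is the gain a spoofer gets from the UDP path and zero from the TCP one.

```python
"""Added example: stub-resolver UDP-first / TCP-on-TC behaviour, run offline.

Nothing here is from the original message; the network and the server are
constructed stand-ins so the flow can be observed without touching port 53.
"""
import random
import struct

UDP_PAYLOAD_LIMIT = 512  # classic pre-EDNS limit on a UDP DNS message (RFC 1035)


def build_query(name, qtype=1, txid=None):
    """Return an RFC 1035 wire-format query for `name` with RD set (type A by default)."""
    if txid is None:
        txid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header; TC (bit 9 of the flags word) is what triggers a TCP retry."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an}


def frame_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream):
    length = struct.unpack("!H", stream[:2])[0]
    return stream[2:2 + length]


def make_response(query, addresses, truncate=False):
    """Constructed responder: echo the question, answer with one A record per address.

    With truncate=True it does what a server does when the answer will not fit in a
    UDP message: sets TC, keeps the question, and drops the answer records.
    """
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if truncate else 0)
    question = query[12:]
    if truncate:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    # each RR: pointer to the name at offset 12, type A, class IN, TTL 60, rdlength 4, rdata
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + bytes(int(octet) for octet in ip.split("."))
                   for ip in addresses)
    return struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0) + question + rrs


class FakeNetwork:
    """Stands in for the wire so the example runs offline (assumption, not a real socket).

    `udp_blocked` models an access network that filters 53/udp but leaves 53/tcp open.
    """

    def __init__(self, addresses, udp_blocked=False):
        self.addresses = addresses
        self.udp_blocked = udp_blocked
        self.log = []  # transports actually used, in order

    def send_udp(self, query):
        self.log.append("udp")
        if self.udp_blocked:
            return None  # datagram dropped; at best an ICMP port-unreachable comes back
        full = make_response(query, self.addresses)
        if len(full) > UDP_PAYLOAD_LIMIT:
            return make_response(query, self.addresses, truncate=True)
        return full

    def send_tcp(self, framed_query):
        self.log.append("tcp")
        return frame_tcp(make_response(unframe_tcp(framed_query), self.addresses))


def resolve(name, net, udp_retries=2):
    """Stub-style lookup (assumed behaviour, matching common stubs): UDP first, TCP only
    when the UDP reply is marked truncated.  No UDP reply at all means failure; the stub
    never switches to TCP on its own initiative.
    """
    query = build_query(name)
    udp_reply = None
    for _ in range(udp_retries):
        udp_reply = net.send_udp(query)
        if udp_reply is not None:
            break
    if udp_reply is None:
        return {"transport": None, "answers": 0, "udp_amplification": 0.0}
    reply, transport = udp_reply, "udp"
    if parse_header(udp_reply)["tc"]:
        reply, transport = unframe_tcp(net.send_tcp(frame_tcp(query))), "tcp"
    hdr = parse_header(reply)
    assert hdr["id"] == parse_header(query)["id"]
    # bytes a spoofer would get reflected over UDP per byte sent; TCP adds nothing to this
    return {"transport": transport, "answers": hdr["ancount"],
            "udp_amplification": round(len(udp_reply) / len(query), 1)}


if __name__ == "__main__":
    small = FakeNetwork(["192.0.2.1", "192.0.2.2"])
    big = FakeNetwork(["192.0.2.%d" % i for i in range(1, 41)])
    blocked = FakeNetwork(["192.0.2.1"], udp_blocked=True)
    for label, net in (("small answer", small), ("large answer", big), ("udp filtered", blocked)):
        print(label, resolve("example.com", net), net.log)
```

Running it shows the three cases side by side: a small answer completes over UDP with a response about twice the query size, a large answer comes back truncated over UDP (ratio 1.0) and is fetched again over TCP, and with 53/udp filtered the stub simply runs out of retries and fails, which is the "often wouldn't come" case in the message.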