[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Florian Weimer fw at deneb.enyo.de
Thu May 22 11:00:07 UTC 2008


* David Conrad:

> On May 20, 2008, at 11:46 PM, Kurt Erik Lindqvist wrote:
>> I have my doubts about fixing things in code.
>
> You must hate
>
> sin.sin_port = htons( IPPROTO_DNS );
>
> then.

Most end user systems don't use the IPPROTO_DNS constant there; the port
is configurable and 53 is just the default.  This is not just an
academic observation.  It implies that filtering 53/UDP to stop access
to external resolvers (which perform NXDOMAIN/NODATA rewriting or worse)
has a very poor cost/benefit ratio--something that changes the resolvers
could easily change the port, too.
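A worked illustration of the point above, added here as an example and not taken from the post or its author: a "drop UDP/53 unless it goes to the site resolver" rule next to a check that looks at the payload instead of the port. It goes one step past the message by showing the content-based alternative. The resolver addresses (192.0.2.53, 203.0.113.10), port 5300 and the sample packets are all constructed for the example.

```python
import struct
from typing import List, Tuple

DNS_PORT = 53  # the default, not a property of the protocol

def encode_qname(qname: str) -> bytes:
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(qname: str, txid: int = 0x1234, qtype: int = 1, qclass: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (RD=1, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, qclass)

def looks_like_dns_query(payload: bytes) -> bool:
    """Content-based classifier: parse header and question, ignore the port."""
    if len(payload) < 12:
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:             # QR=1 means a response, not a query
        return False
    if (flags >> 11) & 0xF != 0:   # opcode other than QUERY
        return False
    if qdcount != 1:
        return False
    off = 12
    while True:                    # walk the QNAME labels
        if off >= len(payload):
            return False
        ln = payload[off]
        if ln == 0:
            off += 1
            break
        if ln > 63:                # also rejects 0xC0 compression pointers
            return False
        off += 1 + ln
    if off + 4 > len(payload):
        return False
    _qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return qclass in (1, 255)      # IN or ANY

# (dst_ip, dst_port, udp_payload); addresses are constructed (documentation ranges)
Packet = Tuple[str, int, bytes]
INTERNAL_RESOLVERS = {"192.0.2.53"}  # assumed site resolver

def port_filter(pkt: Packet, allowed=INTERNAL_RESOLVERS) -> str:
    """The firewall rule under discussion: drop UDP/53 unless to the site resolver."""
    dst_ip, dst_port, _ = pkt
    if dst_port == DNS_PORT and dst_ip not in allowed:
        return "drop"
    return "pass"

def content_filter(pkt: Packet, allowed=INTERNAL_RESOLVERS) -> str:
    """Same policy, but decided on what the payload is rather than where it is sent."""
    dst_ip, _, payload = pkt
    if dst_ip in allowed:
        return "pass"
    return "drop" if looks_like_dns_query(payload) else "pass"

SAMPLE_PACKETS: List[Packet] = [                        # constructed sample traffic
    ("192.0.2.53", 53, build_query("example.com")),      # to the site resolver
    ("203.0.113.10", 53, build_query("example.com")),    # external resolver, default port
    ("203.0.113.10", 5300, build_query("example.com")),  # same resolver, port moved
    ("203.0.113.10", 5300, b"\x16\x03\x01\x00\x10" + b"x" * 16),  # non-DNS on that port
]

def compare(packets: List[Packet] = SAMPLE_PACKETS):
    """Verdict of each rule per packet: list of (port_rule, content_rule)."""
    return [(port_filter(p), content_filter(p)) for p in packets]

if __name__ == "__main__":
    for p, (pv, cv) in zip(SAMPLE_PACKETS, compare()):
        print(f"{p[0]}:{p[1]:<5} port-rule={pv:<4} content-rule={cv}")
```

The third packet is the case the message describes: the same query to the same external resolver, only on port 5300, sails through the port rule and is caught only by the rule that parses the payload. The fourth shows the content rule does not simply block everything on an odd port.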


