[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
fw at deneb.enyo.de
Thu May 22 11:00:07 UTC 2008
* David Conrad:
> On May 20, 2008, at 11:46 PM, Kurt Erik Lindqvist wrote:
>> I have my doubts about fixing things in code.
> You must hate
> sin.sin_port = htons( IPPROTO_DNS );
Most end user systems don't use the IPPROTO_DNS constant there; the port
is configurable and 53 is just the default. This is not just an
academic observation. It implies that filtering 53/UDP to stop access
to external resolvers (which perform NXDOMAIN/NODATA rewriting or worse)
has a very poor cost/benefit ratio--something that changes the resolvers
could easily change the port, too.
More information about the dns-operations