[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Mark Andrews marka at isc.org
Tue Jun 12 02:39:45 UTC 2012

In message <201206120146.q5C1kq6T057794 at calcite.rhyolite.com>, Vernon Schryver 
> > From: Chris Adams <cmadams at hiwaay.net>
> > Once upon a time, Mark Andrews <marka at isc.org> said:
> > > If we have Attacker -> CPE -> Auth -> CPE -> Target why isn't the CPE
> > > returning answers from its cache?
> >
> > Most of the CPE just run a DNS proxy (e.g. dnsmasq on Linux-based
> > boxes), not a full cache.  Even if they ran a cache, the attack would
> > still be CPE->Target (just not going to another server in-between).  It
> Why aren't ISPs blocking UDP source port 53 to the core under their
> old no-servers-for-consumers term of service?

Perhaps because it is a legitimate, though unwise, client source port
that is in lots of old configurations.

	listen-on { <internal address>; };
	query-source * port 53;

Additionally the OS is free to choose 53 as a source port if it
wants for a client.  While some systems reserve low ports not all
do.  This includes NAT implementations.

> What is the common consumer ISP current practice for TCP port 25
> at the ISP/core boundary?  If it is one of the many old flavors of
> blocking (e.g. always, prior arrangement, "business service"), why
> can't it be applied to UDP port 53?
> How many consumers would object if their "modems" can't answer or 
> perhaps even hear UDP port 53 from the outer Internet?  
> In other words, as with port 25, why must the rest of the Internet
> subsidize some often very big outfits by dealing with abuse that the
> outfits could deal with or at least contain within their own networks?
> Why not a blacklist/ACL/whatever similar to Spamhaus' PBL for TCP
> port 25?  For that matter, why not apply the PBL to UDP port 53 on the
> grounds that IP addresses that should never be seen sending email also
> never need outside DNS service?

DNS best pactice it to run your own recursive servers with validation
enabled.  Do you really want to stop this?

> Of course, blocking consumer port 53 would not be a panacea, but
> it might reduce the proxies available for abuse.
> Vernon Schryver    vjs at rhyolite.com
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list