[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Vernon Schryver vjs at rhyolite.com
Tue Jun 12 03:32:56 UTC 2012

> To: Vernon Schryver <vjs at rhyolite.com>
> Cc: dns-operations at mail.dns-oarc.net
> From: Mark Andrews <marka at isc.org>

> > Why aren't ISPs blocking UDP source port 53 to the core under their
> > old no-servers-for-consumers term of service?
> Perhaps because it is a legitimate, though unwise, client source port
> that is in lots of old configurations.
> 	listen-on { <internal address>; };
> 	query-source * port 53;

I understand that's a good point for businesses and serious hobbyists,
especially with old gear, but is it valid for consumer CPE that might
be abused for DNS reflection attacks?  How many of those Linux-based
"modems" with DNS proxies are using source port 53?  How many
consumer ISP customers have DNS clients that use source port 53?

> Additionally the OS is free to choose 53 as a source port if it
> wants for a client.  While some systems reserve low ports not all
> do.  This includes NAT implementations.

That is more compelling than the DNS client source port 53 argument,
but it also applies to port 25.  At one time and for some consumer
ISPs, it didn't rule.  Maybe because of the counter argument that the
worst case is a timeout and re-bind to another port.

That's why I asked about the current common practice of consumer ISPs
about port 25.  If it's now ok to block port 25, then why isn't it ok
to block port 53, along with other infrastructure ports including some
dear to my heart such as 13, 37, 123, and 525?  Some of those can
amplify (albeit far less than DNS) reflection attacks.
(If port 53 is commonly abusable in CPE, what about 123?  I've often
seen time service buttons on CPE configuration menus.)

The goal must not be to find a perfect solution, because there is
none.  If abusable DNS resolvers or proxies in CPE are as common
as some suggested, port 53 blocking is the only hope.  DNS response
rate limiting will be as useless as trying to close open CPE DNS
resolvers or trying to close open SMTP relays.

> DNS best practice is to run your own recursive servers with validation
> enabled.  Do you really want to stop this?

For you and me, it is a best practice, just as SMTP best practice
is to run our own MTAs and MSAs, NTP servers, HTTP servers, etc.
You'll have to pry my DNS servers out of my cold dead hands.

However, for the canonical Joe and Joan Sixpack who are to a first
approximation all consumer ISP customers, it is not even a sane
practice.  They can't spell DNS and the only recursive validation
server they'll run is by misadventure.

Joe and Joan should be using their ISP's validating, load balancing,
well (or at least somewhat) maintained DNS servers, just as they should
be using their ISP's SMTP systems.
Just as Apple, Adobe, Google, Microsoft, and Mozilla are now installing
updates on their computers without their let, leave, hindrance, or
even notice.

Again, if it's sauce for port 25, then why not port 53?

Is it sauce for port 25?

Vernon Schryver    vjs at rhyolite.com
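As an added illustration of the two cases argued above (not part of the original thread), this script, written for this page, classifies customer-originated UDP flows with source port 53: flows toward destination port 53 are clients configured with `query-source * port 53`, while flows toward other ports are the CPE answering someone outside, the pattern a reflection victim sees. The flow records and the 203.0.113.0/24 customer prefix are constructed sample data using documentation addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real data):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    ("203.0.113.10", 53, "198.51.100.7", 33000, "udp", 3100),  # CPE answering an outside host
    ("203.0.113.10", 53, "198.51.100.7", 33000, "udp", 3050),  # same, large answers
    ("203.0.113.20", 53, "192.0.2.53", 53, "udp", 70),         # client using query-source port 53
    ("203.0.113.30", 40123, "192.0.2.53", 53, "udp", 65),      # ordinary client, random source port
    ("203.0.113.40", 53, "198.51.100.9", 51000, "tcp", 400),   # TCP, outside a UDP/53 filter
]

CUSTOMER_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed customer prefix


def classify_udp53_egress(flows, customer_net):
    """Summarise customer hosts sending UDP from source port 53 to the outside.

    Returns {src_ip: {"queries": n, "responses": n, "response_bytes": total}}.
    "queries"   = src port 53 -> dst port 53 (a client with query-source port 53)
    "responses" = src port 53 -> any other port (the host is answering an outside party)
    Both kinds are exactly what a UDP source-port-53 block at the edge would drop.
    """
    out = defaultdict(lambda: {"queries": 0, "responses": 0, "response_bytes": 0})
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp" or sport != 53:
            continue
        if ipaddress.ip_address(src) not in customer_net:
            continue  # not a customer host
        if ipaddress.ip_address(dst) in customer_net:
            continue  # internal traffic never crosses the edge filter
        if dport == 53:
            out[src]["queries"] += 1
        else:
            out[src]["responses"] += 1
            out[src]["response_bytes"] += nbytes
    return dict(out)


def likely_open_resolvers(summary, min_responses=2, min_avg_bytes=512):
    """Hosts repeatedly emitting large answers to outside hosts: probable open
    resolvers/proxies in CPE that could be used for reflection."""
    return sorted(ip for ip, s in summary.items()
                  if s["responses"] >= min_responses
                  and s["response_bytes"] / s["responses"] >= min_avg_bytes)
```

Running it over the sample flows separates the one legitimate port-53 client (203.0.113.20) from the host that looks like an abusable resolver (203.0.113.10); only the latter would justify contacting the customer, while a blanket block would affect both.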
