[dns-operations] Why would an MTA issue an ANY query instead of an MX query?

Nicholas Suan nsuan at nonexiste.net
Tue Jun 12 05:10:26 UTC 2012


On Mon, Jun 11, 2012 at 11:32 PM, Vernon Schryver <vjs at rhyolite.com> wrote:
>> To: Vernon Schryver <vjs at rhyolite.com>
>> Cc: dns-operations at mail.dns-oarc.net
>> From: Mark Andrews <marka at isc.org>
>
>> > Why aren't ISPs blocking UDP source port 53 to the core under their
>> > old no-servers-for-consumers term of service?
>>
>> Perhaps because it is a legitimate, though unwise, client source port
>> that is in lots of old configurations.
>>
>>       listen-on { <internal address>; };
>>       query-source * port 53;
>
> I understand that's a good point for businesses and serious hobbyists,
> especially with old gear, but is it valid for consumer CPE that might
> be abused for DNS reflection attacks?  How many of those Linux-based
> "modems" with DNS proxies are using source port 53?  How many
> consumer ISP customers have DNS clients that use source port 53?
>
>
>> Additionally the OS is free to choose 53 as a source port if it
>> wants for a client.  While some systems reserve low ports not all
>> do.  This includes NAT implementations.
>
> That is more compelling than the DNS client source port 53 argument,
> but it also applies to port 25.  At one time and for some consumer
> ISPs, it didn't rule.  Maybe because of the counter argument that the
> worst case is a timeout and re-bind to another port.
>

However, since 53/udp is stateless and 25/tcp is not, you cast a much
wider net blocking port 53 inbound than you do with port 25. At least with
port 25 you can look at the TCP flags and recognize this is a new connection
without keeping connection state.
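As an added illustration of the point made above (example code, not part of Nicholas Suan's message or of anything else in the thread), the following Python models the two stateless filters being compared as an ISP might apply them to customer-originated traffic. The TCP "new connection" test reproduces the semantics of the classic iptables `--syn` match (SYN set; ACK, RST and FIN clear); the packet records are constructed for the example, not captured traffic.

```python
"""Stateless filter model: blocking 53/udp by source port versus blocking
new 25/tcp connections by flags.

Added example, not code from the dns-operations thread. The packets
below are constructed samples representing customer -> core traffic.
"""
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header (FIN, SYN, RST, ACK).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    sport: int        # source port
    dport: int        # destination port
    flags: int = 0    # TCP flags; always 0 for UDP, which has none
    note: str = ""    # what this constructed packet represents


def is_new_tcp_connection(pkt: Packet) -> bool:
    """SYN set and ACK/RST/FIN clear: only the first packet of a handshake
    looks like this, so a stateless filter can pick out connection
    attempts without tracking any connection state."""
    return pkt.proto == "tcp" and (pkt.flags & (SYN | ACK | RST | FIN)) == SYN


def block_new_outbound_smtp(pkt: Packet) -> bool:
    """Stateless rule: drop only *new* connections toward 25/tcp.
    Established traffic and replies from a customer's own mail server
    (which carry ACK) pass untouched."""
    return pkt.dport == 25 and is_new_tcp_connection(pkt)


def block_udp_source_53(pkt: Packet) -> bool:
    """Stateless rule: drop every UDP datagram with source port 53.
    UDP carries no flags, so a legitimate query from an old
    'query-source * port 53' client and unsolicited reflection traffic
    look identical to a filter that keeps no state."""
    return pkt.proto == "udp" and pkt.sport == 53


def apply_filter(rules, packets):
    """Return {note: "DROP" | "ACCEPT"} for each packet under the given rules."""
    verdicts = {}
    for pkt in packets:
        verdicts[pkt.note] = "DROP" if any(rule(pkt) for rule in rules) else "ACCEPT"
    return verdicts


# Constructed sample traffic leaving a customer network toward the ISP core.
SAMPLE_PACKETS = [
    Packet("tcp", 51000, 25, SYN, "new outbound SMTP connection"),
    Packet("tcp", 51000, 25, ACK, "data on an already-open SMTP connection"),
    Packet("tcp", 25, 51000, SYN | ACK, "customer mail server answering inbound SMTP"),
    Packet("udp", 53, 53, 0, "query from a client configured with source port 53"),
    Packet("udp", 53, 4444, 0, "response aimed at a spoofed address (reflection)"),
    Packet("udp", 40000, 53, 0, "query from a client using an ephemeral port"),
]


def compare_rules():
    """Run both rules over the samples; the UDP rule drops the legitimate
    port-53 client query as well as the reflection traffic, while the TCP
    rule drops only the genuinely new SMTP connection."""
    return apply_filter([block_new_outbound_smtp, block_udp_source_53], SAMPLE_PACKETS)


if __name__ == "__main__":
    for note, verdict in compare_rules().items():
        print(f"{verdict:6} {note}")
```

Running it prints one verdict per sample packet: the two TCP packets that are not connection attempts and the UDP query from an ephemeral port are accepted, while both port-53-sourced datagrams are dropped regardless of whether they were a client's own query or reflection traffic, which is the "wider net" the message refers to.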
