[dns-operations] Small datapoint on current DoS mitigation

Dobbins, Roland rdobbins at arbor.net
Fri Apr 4 09:57:15 UTC 2014

On Apr 4, 2014, at 4:13 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:

> If customers are running older resolver code which sources queries from UDP/53, then this ACL will cause problems for them; utilizing flow telemetry to determine the likelihood of these corner-cases arising is very important, along with plans to proactively handle them without breaking the Internet for these customers.

If this is a significant problem, here're revised tACL stanzas which *must* be tested and piloted prior to general deployment.  Using flow-telemetry to determine whether the attack-source queries are sourced from high ports or from UDP/53 is strongly advised.


access-list 101 remark Apply these stanzas inbound on coreward customer aggregation gateway interfaces.
access-list 101 remark Deny inbound traffic to UDP/53 on broadband customer networks.
access-list 101 remark Allow UDP/53-UDP/53 traffic for older customer resolver code.
access-list 101 permit udp any eq 53 eq 53
access-list 101 deny udp any eq 53
access-list 101 remark Allow all other IP traffic to customer nodes - VERY important!
access-list 101 permit ip any


Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton

More information about the dns-operations mailing list