This is one of my pet peeves. Another is default passwords for devices. Kudos to TP-Link for not shipping devices with default passwords.
Regards,
Dovid

-----Original Message-----
From: Brielle Bruns <br...@2mbit.com>
Sender: "NANOG" <nanog-boun...@nanog.org>
Date: Fri, 26 Feb 2016 10:16:33
To: <nanog@nanog.org>
Subject: Re: Thank you, Comcast.

On 2/26/16 10:02 AM, Chris Adams wrote:
>>
>> Except that half the time people run their own DNS resolvers because
>> their provider's resolvers are
>
> Resolver != authoritative server. Your local DNS resolver doesn't need
> to be (and should not be) listening to port 53 on the Internet. Only
> DNS authoritative servers need to accept Internet traffic on port 53,
> and almost nobody needs to be running one on a typical residential
> connection (especially since residential IPs do change from time to
> time).
>

UDP is a fun protocol - stateless, so blocking a DST of 53/UDP to the customer also will block responses to recursive queries that originate from SRC 53/UDP. Connection tracking sorta makes it stateful to a point, but it can get ugly with enough traffic.

Place the blame for local resolvers listening on WAN squarely where it belongs - the router vendors who make these devices. You can't do anything about idiots buying a pro-sumer/professional device like an EdgeRouter and misconfiguring it, but Linksys/Cisco, D-Link, Netgear, etc. that are targeted towards home users should be held to the fire for that kind of screw up.

--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org / http://www.ahbl.org
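Brielle's point about a stateless DST 53/UDP block versus connection tracking, as an added illustration that is not part of the thread: a small Python model of an ISP edge filter. The addresses, the port-53-sourced recursive query and the bounded flow table are constructed for the example.

```python
from collections import namedtuple

# Constructed sample addresses (TEST-NET ranges), not taken from the thread.
CUSTOMER = "198.51.100.7"   # residential customer running a local resolver
AUTH_NS = "203.0.113.53"    # an authoritative name server on the Internet
OUTSIDER = "192.0.2.99"     # source of an unsolicited query toward the customer

Packet = namedtuple("Packet", "proto src sport dst dport")

def stateless_allows(pkt, customer=CUSTOMER):
    """Plain ACL at the ISP edge: drop every UDP packet bound for the customer
    with destination port 53, regardless of whether the customer asked for it."""
    return not (pkt.proto == "udp" and pkt.dst == customer and pkt.dport == 53)

class ConntrackFilter:
    """Same policy, but inbound UDP/53 passes when it is the reply to a flow the
    customer opened. max_flows models a bounded state table: once it is full,
    new outbound queries still leave but are untracked, so their replies die."""
    def __init__(self, customer=CUSTOMER, max_flows=10000):
        self.customer, self.max_flows = customer, max_flows
        self.flows = set()
        self.untracked = 0

    def outbound(self, pkt):
        if len(self.flows) < self.max_flows:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        else:
            self.untracked += 1
        return True

    def inbound(self, pkt):
        if pkt.proto == "udp" and pkt.dst == self.customer and pkt.dport == 53:
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return reverse in self.flows
        return True

def recursive_query_roundtrip(filt, sport):
    """Customer resolver queries AUTH_NS from local port `sport`; return whether
    the reply gets back through `filt` (a stateless function or ConntrackFilter)."""
    query = Packet("udp", CUSTOMER, sport, AUTH_NS, 53)
    reply = Packet("udp", AUTH_NS, 53, CUSTOMER, sport)
    if isinstance(filt, ConntrackFilter):
        filt.outbound(query)
        return filt.inbound(reply)
    return filt(reply)

if __name__ == "__main__":
    print("stateless, query from port 53:   ", recursive_query_roundtrip(stateless_allows, 53))
    print("stateless, query from port 40000:", recursive_query_roundtrip(stateless_allows, 40000))
    print("conntrack, query from port 53:   ", recursive_query_roundtrip(ConntrackFilter(), 53))
    print("conntrack, table full:           ", recursive_query_roundtrip(ConntrackFilter(max_flows=0), 53))
```

Both filters drop an unsolicited query from OUTSIDER to CUSTOMER:53; only the stateless one also drops the reply to a query the customer sourced from port 53, and the tracked version degrades to the same failure once its table is exhausted.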