On 09.11.18 15:58, Claudio Luck wrote:
> Hi all
>
> I'm currently experimenting to host DNS zones on dynamic IP addresses
> and dynamic DNS.
>
> But I'm encountering more difficulties than expected on "broadband
> connections" in receiving UDP port 53 DNS query packets. In one case
> they're filtered completely (TCP port 53 works, UDP port 53 is blacked
> out), while on some there seems to be some adaptive filtering requiring
> like 10 minutes to "open up".
>
> Does this ring a bell? I would be thankful about any hint what could be
> interfering, PM or here.

Sooo... just FYI

Dear all

If you have customers pluggin' plastic-routers the wrong way around, exposing their resolvers to DNS amplification attacks, I feel for you.

If you decide to counter this by filtering inbound queries altogether, please state it, and then more importantly, tell your support staff :D

Looks legit, but from my point of view it is too simplistic a solution to do it undercover and to persist in the era of dynamic/privacy IPv6 addresses.

Don't let yourself be caught unprepared by the current wave of DNS de- and centralization. DoT and DoH are stirring up the market, and a counter-move toward decentralization has started to move (GNUnet GNS).

Concepts like rigid filters for dynamic IP ranges are putting up dust, so I'm eager to discover more about the adaptive filters I think I've also observed (Deutsch/English).

If you wonder what this is all about, a more or less random article giving a start:

«DNS Amplification – Protecting Unrestricted (Open) DNS Resolvers»
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/dns-amplification-protecting-unrestricted-open-dns-resolvers/

Best

Claudio Luck
Veteran full-stack ISP operator
Six years in Devil's AI kitchen (they boil with water too)
Board of Chaos Computer Club
Works for pretty Easy privacy
_______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog