On 09.11.18 15:58, Claudio Luck wrote:
Hi all
I'm currently experimenting with hosting DNS zones on dynamic IP addresses and dynamic DNS.
But I'm encountering more difficulties than expected on "broadband connections" in receiving UDP port 53 DNS query packets. In one case they're filtered completely (TCP port 53 works, UDP port 53 is blacked out), while on others there seems to be some adaptive filtering that takes about 10 minutes to "open up".
Does this ring a bell? I would be thankful for any hint about what could be interfering, by PM or here.
Sooo... just FYI
Dear all
if you have customers plugging plastic routers in the wrong way around, exposing their resolvers to DNS amplification attacks, I feel for you.
If you decide to counter this by filtering inbound queries altogether, please say so, and then, more importantly, tell your support staff :D
It looks legitimate, but from my point of view it is too simplistic a solution to do undercover and to keep in place in the era of dynamic/privacy IPv6 addresses.
Don't let yourself be caught unprepared by the current wave of DNS centralization and decentralization. DoT and DoH are stirring up the market, and a counter-move toward decentralization has started (GNUnet GNS). Concepts like rigid filters for dynamic IP ranges are kicking up dust, so I'm eager to learn about the adaptive filters I think I've also observed (German/English).
If you're wondering what this is all about, here is a more or less random article to get started: «DNS Amplification – Protecting Unrestricted (Open) DNS Resolvers» https://www.tripwire.com/state-of-security/security-data-protection/cyber-se...
Best
Claudio Luck
Veteran full-stack ISP operator
Six years in Devil's AI kitchen (they boil with water too)
Board of Chaos Computer Club
Works for pretty Easy privacy
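To tell "UDP/53 filtered, TCP/53 open" apart from a server that is simply down, the same query has to be sent over both transports and the replies checked against the query. The following is an added example, not code from the thread or from any project mentioned in it: it builds a minimal SOA query in DNS wire format, sends it over UDP and over TCP (with the 2-byte length prefix TCP DNS requires), and reports which transport answered. The server and zone are command-line arguments; "example.net" in the test data below is a placeholder, and the 3-second timeout is an assumption.

```python
"""Check whether a nameserver answers DNS queries over UDP and TCP on port 53.

The same SOA query goes out over both transports, so an inbound UDP/53
filter on the server's uplink shows up as "udp: no answer, tcp: answer".
"""
import random
import socket
import struct
import sys
import time

DNS_PORT = 53
QTYPE_SOA = 6
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, zone: str, qtype: int = QTYPE_SOA) -> bytes:
    """Single-question query with RD=0, as one sends to an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_qname(zone) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(resp: bytes, expected_txid: int) -> dict:
    """Decode the 12-byte reply header and check it belongs to our query."""
    if len(resp) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a reply")
    return {
        "rcode": flags & 0x000F,
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),  # truncated: would need TCP anyway
        "ancount": an,
        "nscount": ns,
    }


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def query_udp(server: str, query: bytes, timeout: float) -> bytes:
    # getaddrinfo so that IPv6 literals and hostnames work as well as IPv4
    family, _, _, _, addr = socket.getaddrinfo(server, DNS_PORT, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, addr)
        return s.recv(4096)


def query_tcp(server: str, query: bytes, timeout: float) -> bytes:
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)  # RFC 1035 4.2.2 length prefix
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


def probe(server: str, zone: str, timeout: float = 3.0) -> dict:
    """Query the SOA of `zone` at `server` over UDP and TCP; one result dict per transport."""
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        txid = random.getrandbits(16)
        query = build_query(txid, zone)
        t0 = time.monotonic()
        try:
            hdr = parse_header(fn(server, query, timeout), txid)
            results[transport] = {"ok": True, "rtt_ms": round((time.monotonic() - t0) * 1000), **hdr}
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError subclass
            results[transport] = {"ok": False, "error": repr(exc)}
    return results


def classify(results: dict) -> str:
    """Name the pattern: the thread's case is 'TCP answers, UDP never arrives'."""
    udp, tcp = results["udp"]["ok"], results["tcp"]["ok"]
    if udp and tcp:
        return "both transports answer"
    if tcp and not udp:
        return "UDP/53 blocked, TCP/53 open: inbound UDP filter on the path"
    if udp and not tcp:
        return "TCP/53 blocked, UDP/53 open"
    return "no answer on either transport"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <server-ip-or-host> <zone>")
    res = probe(sys.argv[1], sys.argv[2])
    for transport in ("udp", "tcp"):
        print(transport, res[transport])
    print(classify(res))
```

Run it from outside the broadband line against the public address of the zone's server. For the "opens up after about 10 minutes" case, run it in a loop (e.g. once a minute) and note when the UDP result flips from a timeout to an answer; a filter that passes TCP but silently drops UDP/53 will never show an ICMP error, only the timeout, which is why the transaction ID check matters: it rules out a stray reply from an earlier probe being counted as success.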