[swinog] Inbound DNS query filtering on "broadband" IPs?
Claudio Luck
2018-11-09 14:58:40 UTC
Hi all

I'm currently experimenting with hosting DNS zones on dynamic IP addresses
and dynamic DNS.

But I'm encountering more difficulties than expected on "broadband
connections" in receiving UDP port 53 DNS query packets. In one case
they're filtered completely (TCP port 53 works, UDP port 53 is blacked
out), while on some there seems to be some adaptive filtering requiring
like 10 minutes to "open up".

Does this ring a bell? I would be thankful for any hint about what could be
interfering, PM or here.


Thanks!

Best
Claudio Luck
Claudio Luck
2018-11-13 13:06:37 UTC
Post by Claudio Luck
> Hi all
> I'm currently experimenting with hosting DNS zones on dynamic IP addresses
> and dynamic DNS.
> But I'm encountering more difficulties than expected on "broadband
> connections" in receiving UDP port 53 DNS query packets. In one case
> they're filtered completely (TCP port 53 works, UDP port 53 is blacked
> out), while on some there seems to be some adaptive filtering requiring
> like 10 minutes to "open up".
> Does this ring a bell? I would be thankful for any hint about what could be
> interfering, PM or here.
Sooo... just FYI

Dear all

if you have customers pluggin' plastic-routers the wrong way around,
exposing their resolvers for DNS amplification attacks, I feel for you.

If you decide to counter this by filtering inbound queries altogether,
please state it, and then more importantly, tell your support staff :D

Looks legit, but from my point of view it is too simplistic a solution
to do it undercover and to persist in the era of dynamic/privacy IPv6
addresses.

Don't let yourself be caught unprepared by the current wave of DNS de- and
centralization. DoT and DoH are stirring up the market, and a
counter-move toward decentralization has started to move (GNUnet GNS).
Concepts like rigid filters for dynamic IP ranges are kicking up dust,
so I'm eager to learn about the adaptive filters I think I've also
observed (Deutsch/English).

If you wonder what this is all about, a more or less random article
giving a start: «DNS Amplification – Protecting Unrestricted (Open) DNS
Resolvers»
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/dns-amplification-protecting-unrestricted-open-dns-resolvers/


Best

Claudio Luck

Veteran full-stack ISP operator
Six years in Devil's AI kitchen (they boil with water too)
Board of Chaos Computer Club
Works for pretty Easy privacy
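An added example, not part of the thread: a small self-test for a zone hosted on a broadband line, covering both points raised above. It checks whether port 53 answers over UDP and over TCP (the asymmetry in the first post), and whether the host refuses recursive queries for a foreign name (the open-resolver condition behind the amplification concern). SERVER, OWN_ZONE and FOREIGN_NAME are placeholder values to replace with your own; the query and response handling is written against raw packets so no DNS library is needed.

```python
import socket
import struct

# Placeholder values (constructed); replace with your own host and zone.
SERVER = "192.0.2.10"          # RFC 5737 documentation address, not a real server
OWN_ZONE = "example.net."      # zone the host is authoritative for
FOREIGN_NAME = "example.org."  # name outside the zone, used for the recursion test

def build_query(name, qtype=1, txid=0x1234, rd=False):
    """Build a bare DNS query: 12-byte header plus one question (class IN)."""
    flags = 0x0100 if rd else 0x0000          # only the RD bit; no EDNS
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Pull transaction id, RCODE, RA flag and answer count out of a response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x0080), "ancount": an}

def query_udp(server, packet, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)                  # a filtered UDP/53 shows up as a timeout
        s.sendto(packet, (server, 53))
        return s.recv(512)

def query_tcp(server, packet, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(packet)) + packet)   # TCP frames with a length prefix
        length = struct.unpack("!H", s.recv(2))[0]
        return s.recv(length)

def assess_recursion(hdr):
    """Classify the reply to an RD=1 query for a name the host is not authoritative for."""
    if hdr["rcode"] == 5:                                   # REFUSED: recursion turned off
        return "refuses recursion"
    if hdr["ra"] and hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "open resolver"                              # answers for anyone: amplification risk
    return "no recursion"

def check_transports(server=SERVER, zone=OWN_ZONE):
    """Report whether UDP and TCP port 53 reach the host, as the first post describes."""
    results = {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            hdr = parse_header(fn(server, build_query(zone)))
            results[proto] = "ok" if hdr["id"] == 0x1234 else "bad id"
        except OSError as e:                                # socket.timeout is an OSError
            results[proto] = "unreachable (%s)" % e.__class__.__name__
    return results

if __name__ == "__main__":
    print(check_transports())
    print(assess_recursion(parse_header(query_udp(SERVER, build_query(FOREIGN_NAME, rd=True)))))
```

Run it from outside your own network; a "refuses recursion" verdict for the foreign name together with "ok" on both transports is the state you want.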
