On Dec 7, 2009, at 6:00 PM, Jared Mauch wrote: > > On Dec 7, 2009, at 5:29 PM, John Levine wrote: > >>> Will be interesting to see if ISPs respond to a large scale thing like >>> this taking hold by blocking UDP/TCP 53 like many now do with tcp/25 >>> (albeit for other reasons). Therein lies the problem with some of the >>> "net neturality" arguments .. there's a big difference between "doing it >>> because it causes a problem for others", and "doing it because it robs >>> me of revenue opportunities". >> >> I do hear of ISPs blocking requests to random offsite DNS servers. >> For most consumer PCs, that's more likely to be a zombie doing DNS >> hijacking than anything legitimate. If they happen also to block >> 8.8.8.8 that's just an incidental side benefit. > > I've found more and more hotel/edge networks blocking/capturing this traffic. > > The biggest problem is they tend to break things horribly and fail things > like the > oarc entropy test. > > They will often also return REFUSED (randomly) to valid well formed DNS > queries. > > While I support the capturing of malware compromised machines until they are > repaired, I do think more intelligence needs to be applied when directing > these systems. > > Internet access in a hotel does not mean just UDP/53 to their selected hosts > plus TCP/80, > TCP/443.
It's why I run an ssh server on 443 somewhere -- and as needed, I ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections as I really need... --Steve Bellovin, http://www.cs.columbia.edu/~smb