On Apr 01, 2013, at 12:09 , "Dobbins, Roland" <rdobb...@arbor.net> wrote: > On Apr 1, 2013, at 11:03 PM, Patrick W. Gilmore wrote: > >> You can always make an exception if the user is extremely loud. > > It might be a good idea to make pinholes for the Google and OpenDNS > recursors, as they're fairly popular. > > I agree that this is a good idea, similar to the same sort of network access > policy as relates to SMTP.
Ahhh, silly of me, I read the post form Milt too quickly. I was going to suggest queries _into_ the broadband user space, not out of. If you only block into, OpenDNS, GoogleDNS, etc. are not an issue. Blocking could be done with DPI. It can also be done by blocking UDP port 53. (Don't need to block TCP53 since that removes the amplification problem.) However, there are some (idiotic) name servers that do 53<>53. Not sure how to handle those, or more importantly, how many broadband customers legitimately use an off-net _and_ brain-dead name server? And even if they do, will they fall back to TCP? Of course, since users shouldn't be using off-net name servers anyway, this isn't really a problem! :) -- TTFN, patrick