In message <44ecd7b5-d9a4-408b-a132-29241de3a...@ianai.net>, "Patrick W. Gilmore" writes:
> On Apr 01, 2013, at 11:55 , "Milt Aitken" <m...@net2atlanta.com> wrote:
>
> > Most of our DSL customers have modem/routers that resolve DNS
> > externally.
> > And most of those have no configuration option to stop it.
> > So, we took the unfortunate step of ACL blocking DNS requests to & from
> > the DSL network unless the requests are to our DNS servers.
> >
> > Suboptimal, but it stopped the DNS amplification attacks.
>
> I was going to suggest exactly this.
>
> Don't most broadband networks have a line in their AUP about running
> servers? Wouldn't a DNS server count as 'a server'? Then wouldn't running
> one violate the AUP?
>
> This gives the provider a hammer to hit the user over the head. Although
> that is quite unlikely, so the better point is that it also gives the
> provider cover in case some user complains about the provider filtering.
>
> You can always make an exception if the user is extremely loud.
>
> --
> TTFN,
> patrick
Actually a lot don't have such a line. Such lines are tantamount to
extortion, especially if the ISP supplies commercial grade lines.

That said, blocking by default with the option to open it up on request,
the same as SMTP is opened on request, might be viable.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
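An added example of the filter Milt describes combined with the "open on request" exception Mark proposes. This is not configuration from anyone in the thread; it is a Cisco IOS extended ACL pair written to illustrate the approach. Every address is an RFC 5737 documentation prefix standing in for a real one (192.0.2.0/24 is assumed to be the DSL customer pool, 198.51.100.10 and .11 the ISP's own resolvers, 192.0.2.77 one customer opened on request), and the ACL names and interface are placeholders.

```cisco
! Added example (not from the thread). Addresses are RFC 5737 documentation
! prefixes standing in for real ones:
!   192.0.2.0/24       DSL customer pool (CPE WAN addresses)
!   198.51.100.10/.11  the ISP's own recursive resolvers
!   192.0.2.77         one customer whose DNS was opened on request
!
! Traffic entering the router from the DSL side (customer -> Internet)
ip access-list extended DSL-DNS-FROM-CUSTOMERS
 remark Queries to our own resolvers are always allowed
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq domain
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.11 eq domain
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq domain
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.11 eq domain
 remark Exception customer: may query anyone and may answer anyone
 permit udp host 192.0.2.77 any eq domain
 permit udp host 192.0.2.77 eq domain any
 permit tcp host 192.0.2.77 any eq domain
 permit tcp host 192.0.2.77 eq domain any
 remark Everyone else: answers leaving a CPE resolver (the amplified
 remark traffic) and queries to outside resolvers are dropped and logged
 deny   udp 192.0.2.0 0.0.0.255 eq domain any log
 deny   udp 192.0.2.0 0.0.0.255 any eq domain log
 deny   tcp 192.0.2.0 0.0.0.255 eq domain any log
 deny   tcp 192.0.2.0 0.0.0.255 any eq domain log
 remark ACLs end with an implicit deny, so pass all other traffic
 permit ip any any
!
! Traffic leaving the router toward the DSL side (Internet -> customer)
ip access-list extended DSL-DNS-TO-CUSTOMERS
 remark Answers from our own resolvers back to the pool
 permit udp host 198.51.100.10 eq domain 192.0.2.0 0.0.0.255
 permit udp host 198.51.100.11 eq domain 192.0.2.0 0.0.0.255
 permit tcp host 198.51.100.10 eq domain 192.0.2.0 0.0.0.255
 permit tcp host 198.51.100.11 eq domain 192.0.2.0 0.0.0.255
 remark Exception customer: may be queried and may receive answers
 permit udp any host 192.0.2.77 eq domain
 permit udp any eq domain host 192.0.2.77
 permit tcp any host 192.0.2.77 eq domain
 permit tcp any eq domain host 192.0.2.77
 remark Nobody on the Internet may query a CPE resolver in the pool;
 remark this is what keeps spoofed queries from reaching the CPE at all
 deny   udp any 192.0.2.0 0.0.0.255 eq domain log
 deny   udp any eq domain 192.0.2.0 0.0.0.255 log
 deny   tcp any 192.0.2.0 0.0.0.255 eq domain log
 deny   tcp any eq domain 192.0.2.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description Aggregation toward the DSL network (placeholder interface)
 ip access-group DSL-DNS-FROM-CUSTOMERS in
 ip access-group DSL-DNS-TO-CUSTOMERS out
```

Opening DNS for another customer means adding that customer's four permit lines ahead of the deny entries in each list, which is the same per-request workflow as an SMTP exception. Two caveats a practitioner would want: the `log` keyword sends every hit to syslog, so on a busy aggregation interface keep it only while confirming the filter works; and the large answers that make amplification attractive are often fragmented, and non-initial fragments carry no port numbers, so a port-53 ACL only catches the first fragment unless you also take the broader trade-off of matching with the `fragments` keyword.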