North American Network Operators Group
ISPs blocking port 53? (was Re: Annoying dynamic DNS updates)
On 28 Sep 2003, Paul Vixie wrote:
> Specifically, I want to know why Comcast makes itself so hard to reach.
> I'll bet I could get them to talk to me about this host if it were DDoS'ing
> me, or if I aggressively NMAP'd it at 25Mbits/sec for 48 hours straight.

Based on the comments in many forums, I think that is a sucker bet. It's
always been hard for non-customers to reach any ISP. Have you talked to
your upstream provider about your problem? Perhaps your upstream ISP could
block port 53 for you?

I've been talking about the problem for 10 years. I don't think it has
gotten any better or worse.

> But because the problem is "non-serious" they do not even reply to e-mail.
> Trouble is, it's *their* definition of "serious" being applied, while *I*
> am the one receiving this traffic.

Other than auto-responders, how often do ISPs respond to e-mail from
non-customers? Customers can't even contact some ISPs by e-mail; you must
fill out a special web form.

Is your definition of *serious* the same as other people's definition of
*serious*? Ranking all the *serious* problem reports received every day,
how does your *serious* report rank? Higher or lower than the FBI, spam,
the latest eBay scam, a 25Meg nmap scan for 48 hours straight, or
wildcards in the .COM zone?

> What this has in common with spam is that a company wants margin from last mile
> transit but won't incur the reasonable and customary costs of policing their
> customers. They expect to get margin on 10,000,000 customers but only incur
> "customer care" costs on a 10,000 customer basis. This is what I meant in
> the bad old days when I called spam a form of "cost shifting" or "conversion".
> Simply put, because Comcast can't be bothered, everyone else on the 'net pays
> their avoided costs in various indirect ways.

Comparing things to spam is a good way to stir up emotion, but doesn't help
the discussion very much. How should an ISP tell the difference between
"good" DNS packets and "bad" DNS packets?

It's the fact the recipient doesn't want to receive the packet for whatever
reason, not that the packet itself is "bad." If the ISP blocked people
from doing dynamic DNS updates, I imagine someone would complain about
blocking dynamic DNS instead. Heck, there are companies that make their
business out of enabling people to dynamically update their DNS records.

What is needed is for individuals to be able to signal "packet blocking"
on a one-to-one basis. What makes the packets "bad" isn't any technical
reason. If you had Comcast at your house and wanted to dynamically update
your DNS server over the Internet, why should Comcast block you from doing
that? You aren't complaining about your dynamic update packets or even all
dynamic updates. You are complaining about someone sending you packets you
don't want. And more precisely, you are complaining that Comcast is failing
to send you other packets you want to receive, i.e. a response to your
e-mail packets.

Currently, the most common method is the recipient drops the packets after
receiving them. Blocking at the source is difficult, and often involves
layer 8, 9, 10 issues, such as identifying the source, identifying the
"bad" packets, deciding if the packet violates an RFC, TOS, AUP, etc.
Should the sender be blocked from sending packets to anyone, or just the
one person who doesn't want to receive the packets? Is misconfiguring your
Microsoft Windows system a criminal violation deserving prison or fines?
Should the sentencing guidelines take into account if you use a Macintosh
or Linux system instead of Microsoft?

> > Why is dynamic DNS update enabled by default on some operating systems?
>
> Microsoft's culpability in this mess is not even on my mind today. They will
> at least talk about their role in the situation, so they're more responsible
> than Comcast this week.

If you just want to talk about it, OK. Let's talk. We can talk for years
without doing anything.

Meanwhile more and more people are installing Microsoft Windows bleah with
the same default settings. For the same reasons ISC won't change the default
settings in BIND, I wouldn't be surprised if Microsoft made the same
arguments for not changing the default settings in Windows. It was only
after Sendmail and the other mailers changed the default settings in their
products that the increase of open mailers slowed down. Why could Sendmail
change its defaults, but other vendors won't change their product defaults?

http://www.caida.org/outreach/presentations/2003/wiapp03/sdu.wiapp03.slides.pdf

I've been thinking how to use ICMP to signal different types of responses,
and even how "smart" edges on both ends of a communication could establish
and enforce policies. Most of these are non-malicious communications
involving misconfigured systems. Edge communications avoid problems with
the host system, but have problems with multi-path communications and
source validation.
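The post's point is that the stray dynamic-update traffic is protocol-valid, so the only place it can be told apart from wanted port-53 traffic is at the recipient, which "drops the packets after receiving them." The following is an added example, not code from the original post or thread: it decodes the DNS header, separates ordinary QUERY messages from RFC 2136 UPDATE messages by opcode, reads the zone named in the UPDATE, and applies a recipient-side policy that accepts updates only for zones the operator has chosen to accept them for. The two sample packets, the names example.com and desktop.example.com, and the address 192.0.2.10 are constructed for the example; the names of the functions are likewise assumptions of this example.

```python
"""Classify raw DNS messages by opcode so a recipient can see which port-53
traffic is an ordinary QUERY and which is a dynamic UPDATE (RFC 2136,
opcode 5), then decide locally whether to answer or discard it.
The sample packets below are constructed for this example."""
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                      # bound the hops against pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or compression pointer loop")
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def classify(msg: bytes) -> dict:
    """Decode the 12-byte header and the first entry of section 1, which is
    the question in a QUERY and the zone in an UPDATE."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    ident, flags, c1, c2, c3, c4 = struct.unpack("!6H", msg[:12])
    opcode = (flags >> 11) & 0xF
    info = {"id": ident, "qr": bool(flags & 0x8000),
            "opcode": OPCODES.get(opcode, str(opcode)),
            "rcode": flags & 0xF, "counts": (c1, c2, c3, c4), "name": None}
    if c1:
        name, off = decode_name(msg, 12)
        info["name"] = name
        info["qtype"] = struct.unpack("!H", msg[off:off + 2])[0]
    return info


def decide(msg: bytes, update_zones: frozenset[str]) -> tuple[str, str]:
    """Recipient-side policy: answer ordinary queries, accept UPDATEs only for
    zones we knowingly allow dynamic updates to, and drop everything else.
    Returns (verdict, reason)."""
    info = classify(msg)
    if info["qr"]:
        return "accept", "response to a query we sent"
    if info["opcode"] == "QUERY":
        return "accept", "ordinary query"
    if info["opcode"] == "UPDATE":
        if info["name"] in update_zones:
            return "accept", f"UPDATE for zone {info['name']} that accepts updates"
        return "drop", f"UPDATE for zone {info['name']} that does not accept updates"
    return "drop", f"unsolicited {info['opcode']}"


def build_query(ident: int, qname: str) -> bytes:
    """Constructed sample: recursion-desired A query for qname."""
    hdr = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_update(ident: int, zone: str, host: str, ip: str) -> bytes:
    """Constructed sample: RFC 2136 UPDATE adding an A record for host in zone
    (ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0)."""
    hdr = struct.pack("!6H", ident, 5 << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    rr = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 1200, 4) + rdata
    return hdr + zone_sec + rr


# Constructed inputs: a normal lookup and a stray update for a zone we serve
# but never agreed to take dynamic updates for.
SAMPLE_QUERY = build_query(0x1234, "www.example.com")
SAMPLE_STRAY_UPDATE = build_update(0x4321, "example.com",
                                   "desktop.example.com", "192.0.2.10")

if __name__ == "__main__":
    for pkt in (SAMPLE_QUERY, SAMPLE_STRAY_UPDATE):
        print(classify(pkt)["opcode"], decide(pkt, frozenset()))
```

Run over a capture of port-53 traffic, this separates the legitimate queries from the unwanted UPDATEs without the upstream ISP having to decide anything, which is the post's point: the packet is not "bad" on the wire, it is simply unwanted by this recipient. Whether to answer a refused update with RCODE REFUSED or to discard it silently is a local choice; discarding costs less when the senders are many misconfigured hosts.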