I'll be closing TCP/53 to the Internet - NOW.
You need to close UDP/53 as well! It is widely abused for DDoS amplification;
you really should not offer DNS service on the internet unless you have modern software
to do rate limiting etc.
Look at the poor souls who make a change to their MikroTik router (usually configuring
it for PPPoE according to the directions they find on YouTube instead of according to
the manual) and mistakenly open their DNS resolver on the internet... they end up
being abused as a DDoS amplifier/reflector all the time.
We run a slave DNS server for AMPRnet as well, but: only on the 44 network.
Rob
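The MikroTik mistake described above, shown as an added RouterOS configuration example (not from the original message, and not MikroTik's own documentation): the weak setting beside the corrected one. The WAN interface name pppoe-out1 and the LAN subnet 192.168.88.0/24 are assumptions for illustration; substitute your own.

```routeros
# Weak: what the YouTube-style PPPoE setups typically leave behind. The router
# answers DNS for anyone on the internet, so it can be used as a reflector.
# (allow-remote-requests=no would stop that, but also stops the router from
# serving DNS to the LAN, which is usually why it was turned on.)
/ip dns set allow-remote-requests=yes

# Corrected: keep the resolver for LAN clients but drop DNS queries arriving on
# the WAN side, both UDP and TCP. "pppoe-out1" is an assumed WAN interface name.
# These rules must sit above any generic "accept" rule in the input chain.
/ip firewall filter
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop \
    comment="Drop DNS queries from the internet (UDP)"
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=drop \
    comment="Drop DNS queries from the internet (TCP)"

# Belt and braces: only serve the LAN subnet, so the resolver stays closed even
# if the WAN interface is later renamed. 192.168.88.0/24 is an assumed LAN range.
add chain=input src-address=!192.168.88.0/24 protocol=udp dst-port=53 action=drop
add chain=input src-address=!192.168.88.0/24 protocol=tcp dst-port=53 action=drop
```

Check the result from a host outside your own network: `dig @<router WAN address> example.com` should time out rather than return an answer. The firewall rules, not the DNS setting, are what actually close the resolver; the interface-based rule catches everything from the upstream link, the address-based rule catches mistakes in the first one.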