I'll be closing TCP/53 to the Internet - NOW.
You need to close UDP/53 as well! It is widely abused for DDoS amplification, you really should not offer DNS service on the internet unless you have modern software to do rate limiting etc.
Look at the poor souls who make a change to their MikroTik router (usually configuring it for PPPoE according to the directions they find on YouTube instead of according to the manual) and mistakenly open their DNS resolver on the internet... they end up being abused as a DDoS amplifier/reflector all the time.
We run a slave DNS server for AMPRnet as well, but: only on the 44 network.
Rob
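
A self-check for the misconfiguration described in the post above, as an added example that is not part of the original message: it sends one recursive query over UDP/53 to an address you operate and classifies the reply from the DNS header flags. The function names and the test name `example.com` are assumptions of this example.

```python
import socket
import struct
import sys

QID = 0x1234  # fixed query ID, so the reply can be matched to our query

def build_query(name="example.com", qid=QID):
    """Build a standard A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify(response, qid=QID):
    """Classify a raw DNS reply; None means nothing came back before the timeout."""
    if response is None:
        return "no-answer"        # filtered or not listening: the goal on a WAN side
    if len(response) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid or not flags & 0x8000:   # wrong ID, or QR bit says "not a response"
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"          # reachable, but recursion is denied to this client
    if flags & 0x0080 and rcode in (0, 3):  # RA set with NOERROR or NXDOMAIN
        return "open-resolver"    # recursion performed for an outside client
    return "no-recursion"         # e.g. an authoritative-only server

def probe(addr, timeout=3.0):
    """Send one recursive query to addr over UDP/53 and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(), (addr, 53))
            data, _ = s.recvfrom(4096)
        except OSError:           # covers timeouts and unreachable errors
            return classify(None)
    return classify(data)

if __name__ == "__main__":
    # Run from a host outside your network against your own public address.
    if len(sys.argv) != 2:
        sys.exit("usage: check_resolver.py <your-own-public-address>")
    print(probe(sys.argv[1]))
```

A result of `open-resolver` from an outside vantage point means UDP/53 still needs to be closed or restricted on that interface.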