> We have done just this (block inbound udp/53) to certain subnets due to a
> rash of CPEs that happily proxy DNS, including recursive queries,
> from their WAN side.

What devices? Is this a default or something customers are configuring?

> Ingress/Egress filtering did not help because the traffic coming
> to the name server was not spoofed to appear like it was coming from our network, it
> really was.

Ingress/Egress filtering really needs to be addressed by router manufacturers so it's a default when the router is configured. If every DSL router did *gress filtering, most of the spoofing issues would go away overnight. It's the same sort of thing as Exchange finally installing with relay disabled, or the patch for smurf ping replies.

In the case where a router is located someplace that *gress filtering just isn't a viable option, the people configuring those routers should be smart enough to be able to figure out how to disable it, so enabled by default really should not be a change that is an issue for router manufacturers.

Geo.
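The default *gress filtering argued for above, modeled as an added example (not code from any poster or from any CPE vendor): a CPE-side filter decision that drops spoofed sources on both the LAN and WAN interfaces and refuses DNS queries that arrive on the router's own WAN address, which is what makes a DNS-proxying CPE an open resolver. The prefixes, addresses and interface names are constructed assumptions.

```python
"""Model of a DSL CPE packet filter: BCP38-style ingress/egress checks plus
closing the WAN-side DNS proxy. Constructed example; the prefixes and
interface names below are assumptions, not taken from any real device."""
from ipaddress import ip_address, ip_network

# Assumed CPE configuration (constructed): the prefix delegated to the
# customer LAN, the CPE's own WAN address, and ranges that must never
# appear as a source on the provider side.
LAN_PREFIX = ip_network("203.0.113.0/28")
WAN_ADDR = ip_address("198.51.100.7")
BOGONS = [ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def filter_decision(iface, src, dst, proto, dport=None):
    """Return (verdict, reason) for a packet seen entering on `iface`.

    iface is "lan" for traffic from the customer side (egress towards the
    provider) or "wan" for traffic from the provider side (ingress).
    """
    src, dst = ip_address(src), ip_address(dst)
    if iface == "lan":
        # Egress filtering: only packets sourced from the delegated prefix
        # may leave the customer network; anything else is spoofed or leaked.
        if src not in LAN_PREFIX:
            return ("drop", "egress: source not in delegated prefix")
        return ("accept", "egress: source ok")
    if iface == "wan":
        # Ingress filtering: the provider side must never present a packet
        # claiming to come from the customer's own prefix or a bogon range.
        if src in LAN_PREFIX:
            return ("drop", "ingress: source claims our own prefix")
        if any(src in net for net in BOGONS):
            return ("drop", "ingress: bogon source")
        # The CPE's DNS forwarder serves the LAN only: answering udp/53 on
        # the WAN address turns it into an open resolver.
        if dst == WAN_ADDR and proto == "udp" and dport == 53:
            return ("drop", "wan: DNS proxy not exposed on the WAN side")
        return ("accept", "ingress: ok")
    raise ValueError(f"unknown interface {iface!r}")
```

The filter is deliberately stateless, so replies to LAN-originated queries pass the WAN check on their destination, not on connection tracking.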