sgjohnson | 1 month ago
There are no sane and legitimate reasons for running an SMTP server on a residential connection. Even most server providers will block it unless you give them some very good reasons.
Blocking 53 is just weird though.
myself248|1 month ago
There is no such thing. A connection to the internet should be equal to any other connection to the internet, modulo BGP peering. No one has a right to dictate what services I run or don't run, what protocols I speak or don't speak, what traffic I accept or deny, but *me*. That's the whole point of being on the internet rather than Prodigy or Compuserve or something.
The physical location of that connection is irrelevant. Maybe I feel my servers are safer in a datacenter. Maybe I feel they're safer in my basement. In my case, it is very much the latter, and again, you don't get to make that call. I do.
sgjohnson|1 month ago
It's not your connection. It's your ISP's. They are also their IPs.
> No one has a right to dictate what services I run or don't run, what protocols I speak or don't speak, what traffic I accept or deny, but me. That's the whole point of being on the internet rather than Prodigy or Compuserve or something.
Then become your own ISP. Get an ASN (easy), acquire your own IPv4 and IPv6 space (also easy, but v4 is expensive), get a commercial connection that'll allow for BGP, and go ahead, do whatever you want with your IP addresses.
> The physical location of that connection is irrelevant.
It's not about the physical location, it's about whose IP addresses you are using. If they are not yours, the service provider has every right to restrict what you do with them.
daneel_w|1 month ago
B1FIDO|1 month ago
Although the GP wrote "53/tcp", that is a weird situation, because most (not all) DNS is over UDP.
One day I suddenly found my DNS resolver logs were very active with veritable gibberish. And it seems that my router had been pwned and joined some sort of nefarious botnet.
I only found this out because I was using NextDNS at the time, and my router's own resolver was pointed there, and NextDNS was keeping meticulous, detailed logs of every query.
So I nipped it in the bud, by determining which device it was, by ruling out other devices, and by replacing the infected demon router with a safe one.
But yeah, if your 53/udp or 25/tcp is open, you can pretty much expect to join a botnet of the DNS or SMTP-spam varieties.
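The kind of resolver-log triage described in the comment above, as an added example that is not part of the original thread: it attributes queries to client devices and flags any device whose lookups are mostly random-looking names. The log format, addresses, domain names and thresholds are all constructed assumptions, not NextDNS's actual export format.

```python
import math
from collections import Counter, defaultdict

# Constructed sample; "timestamp client qname" is an assumed log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 192.168.1.10 www.example.com
2024-05-01T10:00:02 192.168.1.1 q7x2kd9vbn4mz8w1.example.net
2024-05-01T10:00:02 192.168.1.1 h3jf8s0ywp5rc6ta.example.net
2024-05-01T10:00:03 192.168.1.10 connectivitycheck.example.com
2024-05-01T10:00:03 192.168.1.1 zk4m1xq9ub7ve2nd.example.net
2024-05-01T10:00:04 192.168.1.20 mail.example.com
2024-05-01T10:00:04 192.168.1.1 p0w6gy3tl8cs5hrj.example.net
2024-05-01T10:00:05 192.168.1.10 time.example.org
2024-05-01T10:00:05 192.168.1.1 a9d2fm7xk4bq1vzu.example.net
2024-05-01T10:00:06 192.168.1.1 time.example.org
2024-05-01T10:00:06 192.168.1.10 updates.example.net
2024-05-01T10:00:07 192.168.1.1 n5e8rw3yc0jt6gsh.example.net
2024-05-01T10:00:08 192.168.1.10 mail.example.com
2024-05-01T10:00:09 192.168.1.20 www.example.com
"""

def shannon_entropy(s):
    """Bits per character of the string's own character distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_random(qname, min_len=12, min_entropy=3.5):
    """Heuristic: the longest label is both long and high-entropy."""
    label = max(qname.rstrip(".").lower().split("."), key=len)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def suspicious_clients(log_text, min_queries=5, min_ratio=0.6):
    """Return {client: (total, random_looking)} for clients over both thresholds."""
    per_client = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        _, client, qname = parts
        per_client[client][0] += 1
        per_client[client][1] += looks_random(qname)
    return {c: (t, r) for c, (t, r) in per_client.items()
            if t >= min_queries and r / t >= min_ratio}

if __name__ == "__main__":
    for client, (total, rnd) in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {rnd}/{total} queries look random")
```

Long but ordinary labels such as `connectivitycheck` stay under the entropy threshold, which is why the heuristic checks both length and entropy before counting a name.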
tsss|1 month ago