Comment by daneel_w
14 hours ago
I'm not sure you read the OP's comment in full. They are talking about inbound traffic from the Internet. It's certainly a lot more common a case to self-host an MX than running an open DNS resolver or authoritative name server.
You may be surprised to learn that there are many types of botnets out there, and many use DNS queries for the C&C.
Although the GP wrote "53/tcp", that is a weird situation, because most (not all) DNS is over UDP.
One day I suddenly found my DNS resolver logs were very active with veritable gibberish. And it seems that my router had been pwned and joined some sort of nefarious botnet.
I only found this out because I was using NextDNS at the time, and my router's own resolver was pointed there, and NextDNS was keeping meticulous, detailed logs of every query.
So I nipped it in the bud, by determining which device it was, by ruling out other devices, and by replacing the infected demon router with a safe one.
But yeah, if your 53/udp or 25/tcp is open, you can pretty much expect to join a botnet of the DNS or SMTP-spam varieties.
That's none of the business of my ISP to care about. If a botnet abuses my connection to send excessive traffic, that's going to be limited by the bandwidth limit I'm paying for.
Restricting ports also doesn't mitigate it, as a port scanner can easily find out I'm running this or that vulnerable server software on a non-standard port.
It's none of the ISP's business to restrict the ports I should be using.
Just like the parent, you too have gotten your ins and outs mixed up.