Comment by B1FIDO
13 hours ago
You may be surprised to learn that there are many types of botnets out there, and many use DNS queries for the C&C.
Although the GP wrote "53/tcp" that is a weird situation, because most (not all) DNS is over UDP.
One day I suddenly found my DNS resolver logs were very active with veritable gibberish. And it seems that my router had been pwned and joined some sort of nefarious botnet.
I only found this out because I was using NextDNS at the time, and my router's own resolver was pointed there, and NextDNS was keeping meticulous, detailed logs of every query.
So I nipped it in the bud, by determining which device it was, by ruling out other devices, and by replacing the infected demon router with a safe one.
But yeah, if your 53/udp or 25/tcp is open, you can pretty much expect to join a botnet of the DNS or SMTP-spam varieties.
That's none of the business of my ISP to care about. If a botnet abuses my connection to send excessive traffic, that's going to be limited by the bandwidth limit I'm paying for.
Restricting ports also doesn't mitigate it, as a port scanner can easily find out I'm running this or that vulnerable server software on a non-standard port.
It's none of the ISP's business to restrict the ports I should be using.
Just like the parent, you too have gotten your ins and outs mixed up.