Why would a university block incoming UDP traffic with destination port 53?

Solution 1:

The logic works like this:

  1. Only authoritative DNS servers that provide records to the internet are required to be exposed.
  2. Open recursive servers that are exposed to the internet will inevitably be found by network scans and abused. (See user1700494's answer)
  3. The likelihood of someone accidentally standing up an exposed recursive server is greater than that of an exposed authoritative DNS server. This is because many appliances and "out of the box" configs default to allowing unrestricted recursion. Authoritative configurations are much more customized and infrequently encountered.
  4. Given 1-3, dropping all unsolicited inbound traffic with a destination port of 53 protects the network. In the rare event that another authoritative DNS server needs to be added to the network (a planned event), exceptions can be defined on an as-needed basis.

Solution 2:

For example, attackers could use the university's DNS server as a transit host for a DNS amplification DDoS attack.
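
As an added example that is not part of either answer above: the two points they make (an exposed recursive server gets found and abused, and the abuse is typically reflection/amplification) can be seen on the wire with a minimal DNS probe. The code below builds a query with the RD bit set, reads the reply header, and reports whether the server answered on our behalf (the open-resolver case) and how many bytes of reply each byte of query produced. The `classify` rules, the names, the TEST-NET addresses and the record contents are illustrative assumptions; the replies fed to it are constructed in the block so it runs offline. `probe()` does a real UDP query and is only for use against servers you are responsible for.

```python
"""Added example: minimal DNS wire-format probe showing (a) how an open recursive
resolver is identified and (b) the amplification ratio a reflector provides.
Not code from the original answers; record data and rules are illustrative."""
import random
import socket
import struct
from typing import Optional

QR, RD, RA = 0x8000, 0x0100, 0x0080          # header flag bits (RFC 1035 section 4.1.1)
RCODE_NOERROR, RCODE_REFUSED = 0, 5
TYPE_A, TYPE_TXT, CLASS_IN = 1, 16, 1


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: Optional[int] = None) -> bytes:
    """Build a single-question query with RD (recursion desired) set."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(data: bytes) -> dict:
    """Return the 12-byte header fields the checks below rely on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD),
            "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "size": len(data)}


def classify(query: bytes, response: bytes) -> str:
    """Interpret a reply to a query for a name the server is NOT authoritative for.
    Illustrative rule set (assumption), not a full conformance test."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "not a reply to our query"
    if r["rcode"] == RCODE_NOERROR and r["ancount"] > 0:
        return "open recursive resolver"       # it fetched the answer on our behalf
    if r["rcode"] == RCODE_REFUSED:
        return "recursion refused"
    return f"no answer (rcode {r['rcode']}, ra={r['ra']})"


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the reflector sends to the (spoofed) victim per byte the attacker sends."""
    return len(response) / len(query)


def probe(server: str, name: str = "example.com", qtype: int = TYPE_A,
          timeout: float = 2.0) -> tuple:
    """Send one UDP query to server:53 and return (query, response).
    Only run this against servers you are responsible for."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(4096)
    return query, response


def constructed_response(query: bytes, records: list, flags: int = QR | RD | RA) -> bytes:
    """Constructed reply for offline demonstration: echoes the question, then one
    RR per (type, rdata) tuple using a compression pointer (0xC00C) to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(records), 0, 0)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, rtype, CLASS_IN, 300, len(rdata)) + rdata
                   for rtype, rdata in records)
    return header + question + rrs


# Constructed demonstration data: a 29-byte query for example.com reflected as a
# 174-byte reply carrying two A records (TEST-NET-1 addresses) and one 100-char TXT.
DEMO_QUERY = build_query("example.com", TYPE_A, txid=0x1234)
DEMO_RECORDS = [(TYPE_A, bytes([192, 0, 2, 10])), (TYPE_A, bytes([192, 0, 2, 11])),
                (TYPE_TXT, b"\x64" + b"x" * 100)]
DEMO_OPEN = constructed_response(DEMO_QUERY, DEMO_RECORDS)
DEMO_REFUSED = constructed_response(DEMO_QUERY, [], flags=QR | RD | RCODE_REFUSED)

if __name__ == "__main__":
    for label, resp in (("open", DEMO_OPEN), ("locked down", DEMO_REFUSED)):
        print(f"{label:12s} {classify(DEMO_QUERY, resp):26s} "
              f"amplification x{amplification_factor(DEMO_QUERY, resp):.1f}")
```

Even this small constructed reply is six times the size of the query; a real ANY or DNSSEC-signed response from an open resolver is far larger, which is exactly what makes an accidentally exposed recursive server worth finding. Because the transport is UDP, the attacker can put the victim's address in the source field and the university's server delivers the amplified reply for them.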

Solution 3:

Andrew B's answer is excellent. What he said.

To answer the question "What undesirable things could happen if incoming UDP packets to port number 53 weren't blocked?" more specifically, I googled "DNS-based attacks" and got this handy article. To paraphrase:

  1. Distributed Reflection DoS attack
  2. Cache poisoning
  3. TCP SYN floods
  4. DNS tunneling
  5. DNS hijacking
  6. Basic NXDOMAIN attack
  7. Phantom Domain attack
  8. Random subdomain attack
  9. Domain lock-up attack
  10. Botnet-based attacks from CPE devices

That's not a conclusive list of possible DNS-based attacks, just ten that an article found noteworthy enough to mention.

Really, the short answer is "If you don't have to expose it, don't."