Open Resolver Problems

Nick Hilliard nick at foobar.org
Tue Mar 26 08:13:49 UTC 2013


On 26/03/2013 07:51, Valdis.Kletnieks at vt.edu wrote:
> Now explain how you find a recursive nameserver that isn't listed in an NS
> entry and *hasn't* been publicized someplace that Google can find it.

Um, you run one of e.g.:

http://nmap.org/nsedoc/scripts/dns-recursion.html
http://monkey.org/~provos/dnsscan/

Then wait for a while while it churns through the ~224*2^24 packets it
needs to scan the entire ipv4 internet.  Of course, you could write your
own code, but that would take at least 1/2 an hour.

Then you have every open resolver on the internet.

Now, can you tell me how this is beyond the computing skill of someone who
controls a bigass botnet?

> (Otherwise read as "we'll be glad to fix it if somebody has a brilliant
> idea on how to do so without generating more calls to the help desk than
> the near-zero rate we currently get about DNS amplification issues"....)

The whole point of this thread is that dns amplification hurts other
people, not the resolver which is being abused.  Just like in the old days,
abusing open mail relays hurt other people more than the relay operator.

Nick
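As an added illustration (not part of Nick's message or of the tools he links), this is the per-reply check such scanners perform, written as an offline classifier that an operator can run against replies from a resolver they administer: a reply to a query for a name the server is not authoritative for that has the RA flag set and RCODE NOERROR means the server is recursing for that client. The sample responses are constructed inline, not captured from any host.

```python
import struct

# Constructed question section (not captured from a real host): A record for example.com.
QNAME = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired (echoed from the query)
FLAG_RA = 0x0080   # recursion available
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_response(txid, ra, rcode):
    """Construct a minimal DNS response (header + question) for testing the classifier."""
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + QNAME


def classify_resolver(response, expected_txid):
    """Classify a reply to a recursive (RD=1) query for a non-local name.

    Returns 'open' when the server advertises recursion (RA=1) and answered without
    error, 'closed' when it refused or declined recursion, and 'invalid' for replies
    that do not match the probe (wrong transaction id, not a response, truncated).
    """
    if len(response) < 12:
        return "invalid"
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid or not flags & FLAG_QR:
        return "invalid"
    ra = bool(flags & FLAG_RA)
    rcode = flags & 0x000F
    if ra and rcode == RCODE_NOERROR:
        return "open"
    return "closed"


if __name__ == "__main__":
    # Two constructed replies: one from a resolver that recursed, one that refused.
    print(classify_resolver(build_response(0x1234, True, RCODE_NOERROR), 0x1234))   # open
    print(classify_resolver(build_response(0x1234, False, RCODE_REFUSED), 0x1234))  # closed
```

Sending the probe from an address outside your own network (or asking a trusted third party to) is what turns this into a check of whether the resolver is open to the world rather than just to its intended clients.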
More information about the NANOG mailing list