Open Resolver Problems

Tue Mar 26 14:49:42 UTC 2013

On Mar 26, 2013, at 10:15 AM, Jon Lewis <jlewis at lewis.org> wrote:
>> On 25/03/2013 14:33, Mikael Abrahamsson wrote:
>>> I would like to be able to request an IP list of open resolvers in my ASN,
>>> perhaps sent to the contact details in RIPE whois database to make sure I'm
>>> not falsely representing that ASN.
> 
> Or you could just get an off-site system (cloud VM), get the software from http://monkey.org/~provos/dnsscan/, and find all your own open recursive DNS servers.
> 
> There are different levels of openness for recursive DNS servers though. It looks like Jared's project lists any DNS server that responds with anything other than refused as open.  A DNS server could have open recursion "disabled", but still respond with referrals to the root-servers.  Older versions of bind seem to do this when configured with allow-recursion for a limited range of IPs.  While not really "open" such servers are still useful for DNS amplification.  The example config at
> 
> http://www.team-cymru.org/Services/Resolvers/instructions.html
> 
> for a bind 9.x caching server can be adapted for older bind versions doing caching+authoratative such that it'll provide recursion to those who should have it, and authority for zones for which it needs to do so.

I was throwing up the 'quick & dirty' data that I had for everyone to get access to quickly.

There are a large number of attacks using these servers in the past week.  I hope everyone takes a minute and gets with their unix/systems/DNS team and determines what they can do to minimize this.

One other important item:

Stop your customers from being able to spoof!  If you punch in 8.8.8.8 (for example) into the system, you will see a number of devices where if a packet is directed at it that respond with 8.8.8.8, either by spoofing, or by forwarding that request to google and spoofing the origin IP.

Same for the 73.73.73.73 IP as well.  Those CPE devices should be locked down.

- Jared