new DNS forwarder vulnerability

Mark Andrews marka at
Wed Apr 2 20:28:58 UTC 2014

In message <C7E435C6-344F-49CD-9152-7A9EF2FA6662 at>, Jared Mauch 
> On Apr 2, 2014, at 8:38 AM, Mark Allman <mallman at> wrote:
> >
> > [catching up]
> >
> >> That's a good question, but I know that during the ongoing survey
> >> within the Open Resolver Project [],
> >> Jared found thousands of CPE devices which responded as resolvers.
> >
> > Not thousands, *tens of millions*.
> >
> > Our estimate from mid-2013 was 32M such devices (detailed in an IMC
> > paper last year;  And, that
> > roughly agrees with both the numbers and another
> > (not public) study I know of.  And, as if that isn't bad enough
> > ... there is a 2010 IMC paper that puts the number at 15M.  I.e., the
> > instances of brokenness are getting worse---doubling in 3 years!  UGH.
> One observation: The OpenResolverProject collects responses that come from
> ports that the query was not sent to (ie: device responds from UDP/12345
> not
> from UDP/53, which obviously is broken and doesn't "work", but they
> actually
> return DNS payload which can be used for abuse).
> Some good news though:

I see axes, legend but no data points.  If I hover over various spots
on the graph I see data values pop up.

> Since the start of 2014 there seem to be new CPE devices out there that
> are resolving this issue.  The linear nature of the line in the decrease
> doesn't seem to be something like "ISPs" started blocking udp/53 to
> customers, which would appear more like a step function.
> I'm aware of some other studies ongoing to fingerprint CPE and their
> behaviors/aggregated resolver dependencies.  I expect to see some of that
> data presented at the upcoming DNS-OARC meeting in Warsaw.
> Getting everyone to update their firmware on devices would go a long way
> as well.  Some vendors have no software QA on this front so add/remove
> the response on the WAN interface as their releases march forward.
> - Jared

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the NANOG mailing list