new DNS forwarder vulnerability

Joe Greco jgreco at
Sat Mar 15 12:36:34 UTC 2014

> Why would a CPE have an open DNS resolver from the WAN side?

Honest to god, are you new to computers or something?

People have been writing "just good enough" code since the beginning.

A resolver package binds to *:53 by default.  Some poor firmware guys
with no security experience, deadlines, and too few bytes for code
storage don't notice or don't know or don't care and install the 
resolver feature on the firmware that they're designing, then promptly
never think about it again "because that feature works and is therefore

... JG
Joe Greco - Network Services - Milwaukee, WI -
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
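A quick way to confirm the situation Greco describes (a resolver bound to *:53 that answers recursive queries on the CPE's WAN address) is to send one query with the RD bit set and inspect the reply header. The script below is an added example, not code from this thread or from any vendor firmware; the target address, the query name `example.com`, and the sample reply bytes are constructed for illustration.

```python
"""Probe whether a host answers recursive DNS on UDP/53 (open resolver check).

Added example, not code from the NANOG thread. It builds a minimal DNS query
with RD (recursion desired) set, sends it to the target's WAN address, and
parses the response header: a reply with RA (recursion available) set, RCODE 0
and a non-empty answer section means the device is acting as an open resolver.
"""
import random
import socket
import struct


def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Build a DNS query for qname (A record by default) with RD=1."""
    flags = 0x0100  # QR=0, Opcode=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b""
    for part in qname.rstrip(".").split("."):
        enc = part.encode("ascii")
        if not 0 < len(enc) < 64:
            raise ValueError("bad label length")
        labels += bytes([len(enc)]) + enc
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return header + question


def parse_header(resp: bytes) -> dict:
    """Parse the 12-byte DNS header into its fields."""
    if len(resp) < 12:
        raise ValueError("response too short for DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def classify(resp: bytes, txid: int) -> str:
    """Classify a reply: 'open-resolver', 'refused', 'no-recursion' or 'mismatch'."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "mismatch"          # not an answer to our query
    if h["rcode"] == 5:            # REFUSED: resolver is there but declines us
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-resolver"     # recursed on our behalf from the WAN side
    return "no-recursion"


def probe(target_ip: str, qname: str = "example.com", timeout: float = 2.0) -> str:
    """Send one recursive query to target_ip:53 and classify the answer (needs network)."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid), (target_ip, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify(resp, txid)


# Constructed sample replies (not real captures), both with ID 0x1234.
# SAMPLE_OPEN: flags 0x8180 = QR RD RA, RCODE 0, one A answer (hypothetical address).
SAMPLE_OPEN = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)
# SAMPLE_REFUSED: flags 0x8185 = QR RD RA, RCODE 5 (REFUSED), no answers.
SAMPLE_REFUSED = (
    struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    import sys
    print("sample:", classify(SAMPLE_OPEN, 0x1234))
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
```

Run it against the WAN address of a device you are responsible for (`python3 probe.py 203.0.113.10`, an example address). A result of `open-resolver` is the default-bind case from the post; `refused` or `no-recursion` means something is listening but not recursing for outsiders; `no-response` means either nothing is bound to the WAN side or it is filtered.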
