nanog mailing list archives

Re: Open Resolver Problems

From: Jared Mauch <jared () puck nether net>
Date: Mon, 25 Mar 2013 21:13:27 -0400


On Mar 25, 2013, at 5:15 PM, Alain Hebert <ahebert () pubnix net> wrote:

   Well,

On 03/25/13 16:45, Jared Mauch wrote:

On Mar 25, 2013, at 2:04 PM, Jay Ashworth <jra () baylink com> wrote:

----- Original Message -----

From: "Jared Mauch" <jared () puck nether net>
Open resolvers pose a security threat.

Could you clarify, here, Jared?

Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?

Or is it merely "customer zone servers which are misconfigured to recurse",
as has always been problematic?

That is: is this just a reminder we never closed the old hole, or 
notification of some new and much nastier hole?

There have been some moderate size attacks recently that I won't go into detail here about.  The IPs that are on the 
website are certainly being used/abused.  A recent attack saw a 90% match rate against the "master list" here.  This 
means your open resolver is likely being used.

Anything to raise the bar here will minimize the impact to those networks under attack.  Turn on RPF facing your 
colocation and high-speed server lans.  We all know hosts become compromised.  Help minimize the impact of these 
attacks by 

a) doing BCP-38
b) locking down your recursive servers to networks you control
c) locking down your authority servers to not provide the same answer 15x in a second to the same querying IP.  If 
it's asking that same question 15x, then it's not you that's broken, it's that client.  (Or it's being abused).

- Jared


   I think most of the audience here knows and are sensitive about it.

   The problems come from from those who don't give a *shit*... And
they've been not giving a *shit* it for years.

   The magic is in "how" to make them care


If this started to move into an AUP violation direction (e.g.: ala spammers, etc) would that motivate people?

   Do the industry need to go "a la PCI-DSS" for Peers?


I think that any effort we can take here to help educate people to the right standards is helpful.  I'd like to see 
people fix hosts, routers and a number of other things.

   PS: My pico ISP is soooo on your list Jared =D  Not for long hopefully.


Appreciated.  And many thanks for others that have emailed me saying their hosts have been fixed as well, and those 
that have emailed me updated text for the webpage.

- jared

Current thread:

Re: Open Resolver Problems, (continued)
- - - Re: Open Resolver Problems Jared Mauch (Mar 26)
- Re: Open Resolver Problems Harry Hoffman (Mar 25)
  - Re: Open Resolver Problems Jared Mauch (Mar 25)
  - RE: Open Resolver Problems Mike Simkins (Mar 25)
  - Re: Open Resolver Problems Damian Menscher (Mar 25)
- Re: Open Resolver Problems Valdis . Kletnieks (Mar 25)
- Re: Open Resolver Problems Jay Ashworth (Mar 25)
  - Re: Open Resolver Problems Jared Mauch (Mar 25)
    - Re: Open Resolver Problems Alain Hebert (Mar 25)
    - Re: Open Resolver Problems Mark Andrews (Mar 25)
    - Re: Open Resolver Problems Jared Mauch (Mar 25)
    - RE: Open Resolver Problems Jamie Bowden (Mar 26)
    - Re: Open Resolver Problems Dobbins, Roland (Mar 26)
    - Re: Open Resolver Problems Patrick W. Gilmore (Mar 26)
    - Re: Open Resolver Problems Dobbins, Roland (Mar 26)
    - Re: ORP bmanning (Mar 26)
    - Re: Open Resolver Problems Jay Ashworth (Mar 26)
    - Re: Open Resolver Problems Patrick W. Gilmore (Mar 26)
    - Re: Open Resolver Problems Nick Hilliard (Mar 26)
    - Re: Open Resolver Problems Alain Hebert (Mar 26)
    - Re: Open Resolver Problems Jared Mauch (Mar 26)

(Thread continues...)