nanog mailing list archives

Re: Open Resolver Problems


From: Jared Mauch <jared () puck nether net>
Date: Tue, 26 Mar 2013 10:49:42 -0400


On Mar 26, 2013, at 10:15 AM, Jon Lewis <jlewis () lewis org> wrote:
> On 25/03/2013 14:33, Mikael Abrahamsson wrote:
>> I would like to be able to request an IP list of open resolvers in my ASN,
>> perhaps sent to the contact details in RIPE whois database to make sure I'm
>> not falsely representing that ASN.
>
> Or you could just get an off-site system (cloud VM), get the software from http://monkey.org/~provos/dnsscan/, and 
> find all your own open recursive DNS servers.
>
> There are different levels of openness for recursive DNS servers though. It looks like Jared's project lists any DNS 
> server that responds with anything other than refused as open.  A DNS server could have open recursion "disabled", 
> but still respond with referrals to the root-servers.  Older versions of bind seem to do this when configured with 
> allow-recursion for a limited range of IPs.  While not really "open" such servers are still useful for DNS 
> amplification.  The example config at
>
> http://www.team-cymru.org/Services/Resolvers/instructions.html
>
> for a bind 9.x caching server can be adapted for older bind versions doing caching+authoritative such that it'll 
> provide recursion to those who should have it, and authority for zones for which it needs to do so.

I was throwing up the 'quick & dirty' data that I had for everyone to get access to quickly.

There have been a large number of attacks using these servers in the past week.  I hope everyone takes a minute and gets with 
their unix/systems/DNS team and determines what they can do to minimize this.

One other important item:

Stop your customers from being able to spoof!  If you punch in 8.8.8.8 (for example) into the system, you will see a 
number of devices that, if a packet is directed at them, respond with 8.8.8.8, either by spoofing, or by forwarding 
that request to google and spoofing the origin IP.

Same for the 73.73.73.73 IP as well.  Those CPE devices should be locked down.

- Jared
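The "levels of openness" Jon describes above (REFUSED, referral to the root-servers, full recursive answer, or an authoritative answer for a hosted zone) can be told apart from the DNS header alone. The following is an added example for auditing resolvers in your own address space, not code from the thread or from dnsscan; the sample replies are constructed header-only packets, and the probe sends a single RD=1 query to a server you administer.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # DNS header flag bits
RCODE_REFUSED = 5

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)   # QTYPE=A, QCLASS=IN

def classify_response(resp: bytes) -> str:
    """Classify a reply by how much a stranger can extract from the server."""
    if len(resp) < 12:
        return "other"
    _txid, flags, _qd, an, ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if flags & 0x000F == RCODE_REFUSED:
        return "refused"          # closed to this source: the desired result
    if flags & AA:
        return "authoritative"    # answering for its own zone, not recursing
    if an > 0 and flags & RA:
        return "open-recursive"   # full recursion offered to anyone
    if an == 0 and ns > 0:
        return "referral-only"    # recursion "off", yet still returns root NS: amplifies
    return "other"

def probe(server: str, qname: str = "example.com", timeout: float = 2.0) -> str:
    """Send one query over UDP to a server you are responsible for and classify the reply."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    if data[:2] != q[:2]:
        return "other"            # transaction id mismatch; ignore
    return classify_response(data)

# Constructed sample replies (12-byte headers are enough for the classifier):
SAMPLE_REFUSED  = struct.pack(">HHHHHH", 0x1234, QR | RD | RA | RCODE_REFUSED, 1, 0, 0, 0)
SAMPLE_REFERRAL = struct.pack(">HHHHHH", 0x1234, QR | RD, 1, 0, 13, 0)   # 13 root NS, no RA
SAMPLE_OPEN     = struct.pack(">HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
SAMPLE_AUTH     = struct.pack(">HHHHHH", 0x1234, QR | AA | RD, 1, 1, 0, 0)
```

Anything other than "refused" or "authoritative" from a probe originating outside your allow-recursion range is a server worth fixing, and "referral-only" is exactly the case dnsscan's refused-or-not test would miss.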
