[dns-operations] Too Open (Was: OpenDNS makes your Internet work better

Roy Arends roy at dnss.ec
Tue Jul 11 16:33:31 UTC 2006

On Jul 10, 2006, at 11:15 PM, David Ulevitch wrote:

> On Jul 10, 2006, at 1:59 PM, Stephane Bortzmeyer wrote:
>> On Mon, Jul 10, 2006 at 01:53:58PM -0700,
>>  Rick Wesson <wessorh at ar.com> wrote
>>  a message of 36 lines which said:
>>> The ORNs discussed in the papers you reference below are for the
>>> most part ones that are open but not managed as open. ie their
>>> managers think that they are closed but in fact are not. These [in
>>> mass] do pose a threat.
>>> OpenDNS is supposed to be open, its in their name. The ORNs are not
>>> supposed to be open but that are.
>> Correct but what does it change in practice. OpenDNS knows that
>> it is open, but how does it make it less vulnerable?
>> Do they implement rate-limiting, for instance?
> I actually thought Rick's answer was pretty much perfect.  But I'll
> add some comments now:
> There's a lot you can do when you are running an anycasted recursive
> nameserver to detect things happening in flash-mob style and in the
> wild.
> Please think about this idea for a while before responding.

ORNs can be abused to victimize _others_. It is trivial to send  
requests to an Open Recursive Nameserver like OpenDNS, with a source  
address of some victim.

Imagine a recruited army of 50K clients, sending requests to a list  
of ORNs at a rate of 10K requests per client, all with the same  
spoofed source address asking for large responses (say the root NS  
set). This will cause a steady stream of 250K traffic to a victim in  
a worst case scenrario. This is not theory. This has caused and is  
causing major incidents.


More information about the dns-operations mailing list