[dns-operations] Open resolver detection methodology hints

Niall O'Reilly Niall.oReilly at ucd.ie
Wed Jan 12 11:11:28 UTC 2011


From time to time, I receive notification that one or more open resolvers
have been found on our campus network.  I'm looking for a web-based verification
tool which our IT Services can recommend to the owner or local administrator of
an offending device so that they can confirm the success of their mitigation
efforts.

Not finding quite what I think I need "out there", I've built something which
will probably do the trick.  I'd welcome comments, whether to let me know that
I'm re-inventing the wheel, or to advise me of anything I'm missing.

What I've chosen to do is to provide a web service which will attempt to probe
the target device over both UDP and TCP and return a "signature" for each
result.  End-user presentation will show details of the "signature" and a
status summary.

As signature, I'm using reception or not of a response, and the status (rcode),
aaflag, raflag, and ancount items from the response, if any.  I'm interpreting
this as follows.

	@raflag='1' and (@status='NOERROR' or @status='NXDOMAIN') => OPEN
	@status='REFUSED' or (@raflag='0' and @status='NOERROR') => NOT OPEN
	@response!='received' => NO RESPONSE
	otherwise => INVALID RESPONSE

[I've not removed all of the XSLT noise, as you can see.]

Should this be good enough?


Best regards, and thanks in advance for any comments.

Niall O'Reilly
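A worked version of the signature and classification rules above, added here as an example and not the author's web service: it assumes the raw reply bytes from a UDP or TCP probe (or None when nothing came back) have already been captured, and the sample reply headers are constructed.

```python
import struct

# rcode values relevant to the rules in the post (RFC 1035 numbering)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def signature(wire):
    """Pull the signature items (rcode, AA, RA, ANCOUNT) out of a raw DNS reply.
    Returns None when there was no reply (wire is None or too short for a header)."""
    if not wire or len(wire) < 12:
        return None
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", wire[:12])
    rcode = flags & 0x000F
    return {
        "status": RCODES.get(rcode, str(rcode)),
        "aaflag": (flags >> 10) & 1,   # AA is bit 10 of the flags word
        "raflag": (flags >> 7) & 1,    # RA is bit 7
        "ancount": ancount,
    }

def classify(sig):
    """Apply the post's rules in order: OPEN, NOT OPEN, NO RESPONSE, otherwise INVALID."""
    if sig is None:
        return "NO RESPONSE"
    ra, status = sig["raflag"], sig["status"]
    if ra == 1 and status in ("NOERROR", "NXDOMAIN"):
        return "OPEN"
    if status == "REFUSED" or (ra == 0 and status == "NOERROR"):
        return "NOT OPEN"
    return "INVALID RESPONSE"

def verify(wire):
    return classify(signature(wire))

def header(flags, ancount=0):
    # constructed 12-byte reply header: id 0x1234, one question, given flags/ancount
    return struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)

# constructed probe outcomes, one per classification branch
SAMPLES = {
    "recursing":     header(0x8180, ancount=1),  # QR RD RA set, NOERROR -> OPEN
    "refused":       header(0x8185),             # RA set but rcode REFUSED -> NOT OPEN
    "auth_only":     header(0x8500, ancount=1),  # AA set, RA clear, NOERROR -> NOT OPEN
    "servfail":      header(0x8182),             # RA set, SERVFAIL -> INVALID RESPONSE
    "nxd_no_ra":     header(0x8103),             # RA clear, NXDOMAIN -> INVALID RESPONSE
    "timeout":       None,                       # nothing received -> NO RESPONSE
}

if __name__ == "__main__":
    for name, wire in SAMPLES.items():
        print(f"{name:12s} {signature(wire)} -> {verify(wire)}")
```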
