[dns-operations] Open resolver detection methodology hints
John Kristoff
jtk at cymru.com
Wed Jan 12 14:15:10 UTC 2011
On Wed, 12 Jan 2011 11:11:28 +0000
Niall O'Reilly <Niall.oReilly at ucd.ie> wrote:
> have been found on our campus network. I'm looking for a web-based
> verification tool which our IT Services can recommend to the owner or
> local administrator of an offending device so that they can confirm
> the success of their mitigation efforts.
Duane Wessels put this together:
<http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl>
We also provide free reports of open resolvers if you want some insight
on an ongoing basis for your network:
<http://www.team-cymru.org/Services/Resolvers/>
> What I've chosen to do is to provide a web service which will attempt
> to probe the target device over both UDP and TCP and return a
> "signature" for each result. End-user presentation will show details
> of the "signature" and a status summary.
It shouldn't be necessary to test both UDP and TCP. UDP should be
sufficient. At least I know of no implementation that be open using
TCP and not UDP by default. Though that might actually be an idea for
those who want to run open resolvers, that is, force clients to use TCP
for their queries.
> As signature, I'm using reception or not of a response, and the
> status (rcode), aaflag, raflag, and ancount items from the response,
> if any. I'm interpreting this as follows.
In my experience, and I believe others will confirm, certain header
values and depending on the question asked may not be perfectly
foolproof. One of the best approaches I've found it to setup a zone
that you are authoritative for with a wild card record. Then ask the
resolver to be tested to look up a one-time unique record in that zone
matching the wild card. If it returns the expected answer, and you can
confirm by watching your authoritative server that it asked, then you
can be very confident that it is open.
It may also depends on where you are asking from. If someone is using
ISC BIND named "views" for instance, hey may respond differently to you
than to another source address.
There are a handful of presentations both Duane and I and probably
others have done on the subject of open resolvers that you should be
able to find around the net. We had also started writing a paper on
the subject. One of these days we may actually get back to that and
get it done eh Duane? :-)
John
More information about the dns-operations
mailing list