[dns-operations] Open resolver detection methodology hints

Wessels, Duane dwessels at verisign.com
Wed Jan 12 22:47:25 UTC 2011

On Jan 12, 2011, at 6:15 AM, John Kristoff wrote:

> In my experience, and I believe others will confirm, certain header
> values and depending on the question asked may not be perfectly
> foolproof.  One of the best approaches I've found it to setup a zone
> that you are authoritative for with a wild card record.  Then ask the
> resolver to be tested to look up a one-time unique record in that zone
> matching the wild card.  If it returns the expected answer, and you can
> confirm by watching your authoritative server that it asked, then you
> can be very confident that it is open.

That is similar to the technique that I used.  In my tool the query name
encodes the target IP address as well as the current time, and is encrypted.

So for any query received at my authoritative server I know where and when
the initial probe was made.  

I generally ignore responses.  The receipt of a valid query at the auth
server is enough to declare an open resolver.

If you only look for responses you'll miss some.
For example, I found a significant percentage of targets would reply, but
with source port changed, so these wouldn't be found by recv().  See slide
15 of http://www.caida.org/workshops/wide/0801/slides/dw-openresolvers.pdf

> There are a handful of presentations both Duane and I and probably
> others have done on the subject of open resolvers that you should be
> able to find around the net.  We had also started writing a paper on
> the subject.  One of these days we may actually get back to that and
> get it done eh Duane? :-)

Oh, yeah, we probably should...

More information about the dns-operations mailing list