[dns-operations] Open resolver detection methodology hints
Wessels, Duane
dwessels at verisign.com
Wed Jan 12 22:47:25 UTC 2011
On Jan 12, 2011, at 6:15 AM, John Kristoff wrote:
> In my experience, and I believe others will confirm, certain header
> values and depending on the question asked may not be perfectly
> foolproof. One of the best approaches I've found is to set up a zone
> that you are authoritative for with a wild card record. Then ask the
> resolver to be tested to look up a one-time unique record in that zone
> matching the wild card. If it returns the expected answer, and you can
> confirm by watching your authoritative server that it asked, then you
> can be very confident that it is open.
That is similar to the technique that I used. In my tool the query name
encodes the target IP address as well as the current time, and is encrypted.
So for any query received at my authoritative server I know where and when
the initial probe was made.

I generally ignore responses. The receipt of a valid query at the auth
server is enough to declare an open resolver.

If you only look for responses you'll miss some.
For example, I found a significant percentage of targets would reply, but
with source port changed, so these wouldn't be found by recv(). See slide
15 of http://www.caida.org/workshops/wide/0801/slides/dw-openresolvers.pdf
>
> There are a handful of presentations both Duane and I and probably
> others have done on the subject of open resolvers that you should be
> able to find around the net. We had also started writing a paper on
> the subject. One of these days we may actually get back to that and
> get it done eh Duane? :-)
Oh, yeah, we probably should...
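
The query-name scheme discussed in this thread, as an added example that is not part of the original message and is not the code of the tool described: a one-time label carries the target IPv4 address and probe time, and the authoritative side decodes it from its query log. The zone name, key, helper names and sample log entries are constructed, and the HMAC-based encrypt-then-MAC construction is a standard-library stand-in for whatever cipher that tool used.

```python
import base64, hashlib, hmac, ipaddress, os, struct

ZONE = "probe.example.net"     # assumption: wildcard zone you are authoritative for
KEY = b"constructed-demo-key"  # constructed; use a random secret in practice

def _prf(purpose: bytes, data: bytes) -> bytes:
    return hmac.new(KEY, purpose + data, hashlib.sha256).digest()

def encode_qname(target_ip: str, when: int) -> str:
    """Build a one-time query name carrying (target IPv4, probe time)."""
    plain = ipaddress.IPv4Address(target_ip).packed + struct.pack("!I", when)
    nonce = os.urandom(4)  # makes every name unique, so no cache can answer it
    ct = bytes(p ^ k for p, k in zip(plain, _prf(b"enc", nonce)))
    tag = _prf(b"mac", nonce + ct)[:6]
    label = base64.b32encode(nonce + ct + tag).decode().rstrip("=").lower()
    return f"{label}.{ZONE}"

def decode_qname(qname: str):
    """Return (target_ip, when) for a genuine probe name, else None."""
    name = qname.rstrip(".").lower()  # resolvers may alter case or add a dot
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)].upper()
    try:
        raw = base64.b32decode(label + "=" * (-len(label) % 8))
    except ValueError:
        return None
    if len(raw) != 18:
        return None
    nonce, ct, tag = raw[:4], raw[4:12], raw[12:]
    if not hmac.compare_digest(tag, _prf(b"mac", nonce + ct)[:6]):
        return None  # stray or forged query, not one of our probes
    plain = bytes(c ^ k for c, k in zip(ct, _prf(b"enc", nonce)))
    return str(ipaddress.IPv4Address(plain[:4])), struct.unpack("!I", plain[4:])[0]

def open_targets(auth_log):
    """auth_log: (source_ip, qname, received_at) tuples seen at the auth server."""
    hits = {}
    for src, qname, received_at in auth_log:
        decoded = decode_qname(qname)
        if decoded:
            target, sent = decoded
            # The query may arrive from a different address than the one probed.
            hits[target] = {"via": src, "delay": received_at - sent}
    return hits
```

Because the verdict comes from the authoritative server's query log, a target whose reply comes back from a changed source port is still counted.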