[dns-operations] About open DNS resolvers

Mark Andrews marka at isc.org
Wed Aug 22 23:18:37 UTC 2012


In message <20120822101333.7dafb564 at localhost>, John Kristoff writes:
> On Mon, 20 Aug 2012 19:12:47 +0200
> esolve esolve <esolvepolito at gmail.com> wrote:
> 
> >       1 about the testing methodology, it needs to build a DNS server
> > and check whether it receives queries. Why can we just use "dig
> > @target_ip www.example.com" and see whether we can get a result?
> 
> You can, but target_ip may just forward to another resolver, which
> ultimately fetches the answer on its behalf.  So target_ip itself may
> not strictly be considered an open resolver, but an "open forwarder".

It is an open resolver.  It doesn't matter if it does the lookup
directly or indirectly.  It is honoring the "rd" bit and supplying
recursive service.

> Depending on what you're querying for, it is possible that neither it nor
> any forwarder is truly open, but it may return cached answers.  Therefore, the
> www.example.com qname is best set to a one-time unique value to help
> ensure you're not getting a cached response.
> 
> Furthermore, it may be possible, unless you're very careful about
> checking the answer you get and asking for that unique answer, do not
> confuse any answer with a valid answer.  For instance, the resolver may
> be giving you a response based on a locally configured wild card record.
> 
> >      4 is there anybody who has an open resolver list?  if so, can you
> > send me a copy? I need them to do some tests, thanks!
> 
> Yes, then no, but sort of.  Team Cymru monitors for open resolvers so
> we have the data, but we do not make the entire population of open
> resolvers available to the public.  We are happy to provide a complete
> list of open resolvers for a specific network (e.g. ASN) to an
> authorized representative for that network however.  If that will
> suffice, we welcome requests to get a data feed for your network.
> Details here:
> 
>   <http://www.team-cymru.org/Services/Resolvers/>
> 
> I do not know of any publicly available source of open resolvers, but I
> have seen some posted from time to time.  The trouble is often that the
> methodology used may result in many false positives and that the
> address list can change frequently thanks to the transitive
> nature of IP addresses.
> 
> John
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
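
The checks discussed in this thread (a one-time unique qname, the RD bit, and verifying that the answer is the one you asked for) can be put together as below. This is an added example, not code from either poster; `ZONE` and `EXPECTED_A` are assumptions standing in for a zone whose authoritative server you operate and the A record it returns. The code only builds and parses DNS messages; it sends nothing.

```python
import secrets
import struct

ZONE = "probe.example.net"           # assumption: a zone you run the authoritative server for
EXPECTED_A = bytes([192, 0, 2, 53])  # assumption: the A record that zone returns for probe names

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_probe(zone=ZONE):
    """Return (txid, qname, packet): an A query with RD set and a one-time label."""
    txid = secrets.randbits(16)
    qname = f"{secrets.token_hex(8)}.{zone}"   # never asked before, so never cached
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # 0x0100 = RD
    return txid, qname, header + encode_name(qname) + struct.pack("!HH", 1, 1)

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + n

def classify(msg, txid, qname, expected=EXPECTED_A):
    try:
        tid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if tid != txid or not (flags & 0x8000) or qd != 1:
            return "not-our-response"
        off = skip_name(msg, 12)
        if msg[12:off].lower() != encode_name(qname).lower():
            return "not-our-response"
        off += 4                                  # QTYPE + QCLASS
        addrs = []
        for _ in range(an):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:
                addrs.append(msg[off:off + rdlen])
            off += rdlen
    except (IndexError, struct.error):
        return "malformed"
    if expected in addrs:
        return "open-resolver"       # recursion was supplied, directly or via a forwarder
    if addrs:
        return "unexpected-answer"   # e.g. a locally configured wildcard record
    return "refused" if (flags & 0x000F) == 5 else "no-recursion"
```
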